{"id":3627,"date":"2024-01-05T12:35:59","date_gmt":"2024-01-05T12:35:59","guid":{"rendered":"https:\/\/signmycode.com\/blog\/?p=3627"},"modified":"2024-09-18T07:32:37","modified_gmt":"2024-09-18T07:32:37","slug":"microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware","status":"publish","type":"post","link":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware","title":{"rendered":"Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-microsoft-disabled-a-feature-msix-app-installer-protocol\">Microsoft Disabled a Feature &#8220;MSIX App Installer Protocol&#8221;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft has disabled this mechanism, which was intended to simplify installing Windows apps, after cybercriminals started using it to spread malware loaders that led to ransomware and backdoor outbreaks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The feature in question is the ms-appinstaller uniform resource identifier (URI) scheme, and its original purpose was to simplify deploying Windows programs to devices.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/28\/financially-motivated-threat-actors-misusing-app-installer\/\">Microsoft&#8217;s security team revealed<\/a> in a blog post in mid-November 2023 that criminal hackers have been using the tool to distribute loader malware.<\/p>\n\n\n\n<p class=\"has-normal-font-size wp-block-paragraph\"><strong><em>According to Microsoft, attackers have been spreading signed, malicious MSIX application packages built to abuse the protocol handler, delivered through Microsoft Teams phishing messages and fraudulent adverts for widely recognized applications.<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft launched several technologies to 
make installing\u00a0new software on Windows computers easier. App Installer, an application setup tool integrated into the operating system, is one of those technologies. It lets users download and install applications <em><strong>in the widely used MSIX package format.<\/strong><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Developers can install packaged Microsoft Store apps in MSIX format from the web using App Installer; this method, which bypasses the Store, was once referred to as &#8220;side-loading.&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, given this incident, it is questionable whether Microsoft can assure users that software packages downloaded from outside its Store are secure. As Microsoft explains, the attackers who abused the App Installer protocol were able to mimic legitimate software installations closely enough that they looked exactly like the real thing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&#8220;In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default,&#8221; <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks\/\">according to the researchers<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-categories-of-activities\">Categories of Activities:<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">According to Microsoft&#8217;s security professionals, every observed attack against the ms-appinstaller handler installs loader malware on the endpoint, which then enables further infections. Microsoft has been analyzing the following categories of activity:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attacks started in the middle of November 2023. 
Microsoft identified that four financially driven threat actors\u2014Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674\u2014were responsible for carrying them out.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-activity-1\">Activity 1: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Storm-1113 and Sangria Tempest, two cybercriminal groups, used search engine advertisements to distribute their malware. After clicking on the advertisements, users were prompted to download malicious MSIX files that posed as legitimate applications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-activity-2\">Activity 2: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft suspects Sangria Tempest may have used\u00a0Storm-1113&#8217;s infrastructure to facilitate its operations. Sangria Tempest used the malicious advertising to conduct extortion and ransomware attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-activity-3\">Activity 3: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Storm-0569, another criminal actor, distributed malware through fraudulent websites. Those websites were designed to appear in Google and Bing search results for genuine business applications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-activity-4\">Activity 4: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft says the malware used by the attackers was disguised as software\u00a0from commercial business software vendors, including Salesforce Inc., Zoom Communications, Inc., and Tableau.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-activity-5\">Activity 5: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The company identified that the fourth threat actor was using Microsoft Teams messages to spread malware. The links in those messages led to websites that imitated the landing pages of popular apps such as SharePoint and OneDrive. 
The websites tried to deceive users into installing malicious MSIX applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Since Microsoft disabled the ms-appinstaller\u00a0protocol handler, Windows administrators can no longer install Windows programs\u00a0directly from a server onto an endpoint. Admins must instead download the software package to the endpoint and launch its installation from there.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although Microsoft first announced on Thursday that it had turned off the protocol handler by default, the change most likely took effect earlier this month, according to complaints from frustrated users who stated it had &#8220;a massive effect on enterprise use.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Disabled a Feature &#8220;MSIX App Installer Protocol&#8221; This mechanism is intended to simplify installing Windows apps&nbsp;after cybercriminals started using it to spread malware loaders that resulted in ransomware and backdoor outbreaks. 
The feature in question is called the ms-appinstaller consistent resource identifier plan, and its initial purpose was to simplify deploying Windows programs to&hellip; <a class=\"more-link\" href=\"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware\">Read More <span class=\"screen-reader-text\">Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware<\/span><\/a> <\/p>\n","protected":false},"author":1,"featured_media":3640,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[457,641],"tags":[655,654,656],"class_list":["post-3627","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-developers-guide","category-windows-security","tag-microsoft-blocks-msix-protocol","tag-msix-ms-appinstaller-protocol-handler","tag-windows-msix-app-installer","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.6 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Microsoft Disables MSIX App Installer Protocol Known for Spreading Malware<\/title>\n<meta name=\"description\" content=\"Microsoft disables a susceptible Windows component Windows app installation again after multiple financially motivated threat groups abused.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware\" \/>\n<meta property=\"og:description\" 
content=\"Microsoft disables a susceptible Windows component Windows app installation again after multiple financially motivated threat groups abused.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware\" \/>\n<meta property=\"og:site_name\" content=\"SignMyCode - Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-05T12:35:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-18T07:32:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2024\/01\/microsoft-disables-msix-app-installer-protocol-jpg.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"912\" \/>\n\t<meta property=\"og:image:height\" content=\"453\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware\",\"name\":\"Microsoft Disables MSIX App Installer Protocol Known for Spreading Malware\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/microsoft-disables-msix-app-installer-protocol-jpg.webp\",\"datePublished\":\"2024-01-05T12:35:59+00:00\",\"dateModified\":\"2024-09-18T07:32:37+00:00\",\"description\":\"Microsoft disables a susceptible Windows component Windows app installation again after multiple financially motivated threat groups 
abused.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#primaryimage\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/microsoft-disables-msix-app-installer-protocol-jpg.webp\",\"contentUrl\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/microsoft-disables-msix-app-installer-protocol-jpg.webp\",\"width\":912,\"height\":453,\"caption\":\"Disabled MSIX ms-appinstaller Protocol handler\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/\",\"name\":\"SignMyCode - Blog\",\"description\":\"Code Signing News, 
Updates\",\"publisher\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#organization\",\"name\":\"SignMyCode.com\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/logo1.png\",\"contentUrl\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/logo1.png\",\"width\":135,\"height\":86,\"caption\":\"SignMyCode.com\"},\"image\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Microsoft Disables MSIX App Installer Protocol Known for Spreading Malware","description":"Microsoft disables a susceptible Windows component Windows app installation again after multiple financially motivated threat groups abused.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware","og_locale":"en_US","og_type":"article","og_title":"Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware","og_description":"Microsoft disables a susceptible Windows component Windows app installation again after multiple financially motivated threat groups abused.","og_url":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware","og_site_name":"SignMyCode - Blog","article_published_time":"2024-01-05T12:35:59+00:00","article_modified_time":"2024-09-18T07:32:37+00:00","og_image":[{"width":912,"height":453,"url":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2024\/01\/microsoft-disables-msix-app-installer-protocol-jpg.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Janki Mehta","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware","url":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware","name":"Microsoft Disables MSIX App Installer Protocol Known for Spreading Malware","isPartOf":{"@id":"https:\/\/signmycode.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#primaryimage"},"image":{"@id":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#primaryimage"},"thumbnailUrl":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2024\/01\/microsoft-disables-msix-app-installer-protocol-jpg.webp","datePublished":"2024-01-05T12:35:59+00:00","dateModified":"2024-09-18T07:32:37+00:00","description":"Microsoft disables a susceptible Windows component Windows app installation again after multiple financially motivated threat groups 
abused.","breadcrumb":{"@id":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#primaryimage","url":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2024\/01\/microsoft-disables-msix-app-installer-protocol-jpg.webp","contentUrl":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2024\/01\/microsoft-disables-msix-app-installer-protocol-jpg.webp","width":912,"height":453,"caption":"Disabled MSIX ms-appinstaller Protocol handler"},{"@type":"BreadcrumbList","@id":"https:\/\/signmycode.com\/blog\/microsoft-turns-off-a-significant-windows-app-install-mechanism-known-for-spreading-malware#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/signmycode.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware"}]},{"@type":"WebSite","@id":"https:\/\/signmycode.com\/blog\/#website","url":"https:\/\/signmycode.com\/blog\/","name":"SignMyCode - Blog","description":"Code Signing News, 
Updates","publisher":{"@id":"https:\/\/signmycode.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/signmycode.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/signmycode.com\/blog\/#organization","name":"SignMyCode.com","url":"https:\/\/signmycode.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/signmycode.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2021\/10\/logo1.png","contentUrl":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2021\/10\/logo1.png","width":135,"height":86,"caption":"SignMyCode.com"},"image":{"@id":"https:\/\/signmycode.com\/blog\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts\/3627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/comments?post=3627"}],"version-history":[{"count":9,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts\/3627\/revisions"}],"predecessor-version":[{"id":4681,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts\/3627\/revisions\/4681"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/media\/3640"}],"wp:attachment":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/media?parent=3627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/categories?post=3627"},{"taxonomy":"post_
tag","embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/tags?post=3627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}