Microsoft on Thursday said it’s once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.
“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence team said.
At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity –
- Storm-0569, an initial access broker which propagates BATLOADER through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and handoff the access to Storm-0506 for Black Basta ransomware deployment.
- Storm-1113, an initial access broker that uses bogus MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for a variety of stealer malware and remote access trojans.
- Sangria Tempest (aka Carbon Spider and FIN7), which uses Storm-1113’s EugenLoader to drop Carbanak that, in turn, delivers an implant called Gracewire. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from rogue landing pages to distribute POWERTRASH, which is then used to load NetSupport RAT and Gracewire.
- Storm-1674, an initial access broker that sends fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages using the TeamsPhisher tool, urging recipients to open PDF files that, when clicked, prompts them to update their Adobe Acrobat Reader to download a malicious MSIX installer that contains SectopRAT or DarkGate payloads.
This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader.
Source: https://thehackernews.com/