Microsoft disables App Installer after observing financially motivated threat actor activity

Microsoft has once again disabled its ms-appinstaller protocol handler after threat actors recently used it to distribute malware.

According to a blog post from Microsoft Threat Intelligence, the company has been observing this threat actor activity since mid-November 2023.

Microsoft has witnessed financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 using the ms-appinstaller URI scheme, or App Installer, to distribute malware.

The company states that to ensure “customers are protected from observed attacker activity, Microsoft has investigated the use of App Installer in these attacks” and, in response, has disabled App Installer by default.

The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler, using it as an access point for malware that could lead to ransomware distribution.

Microsoft has also observed multiple cybercriminals selling malware kits as a service that exploit the MSIX file format and the ms-appinstaller protocol handler.

These attacks involve the distribution of malicious MSIX application packages using websites that are reached through malicious advertisements for legitimate software on popular search engines and Microsoft Teams.

Threat actors have chosen to misuse the ms-appinstaller protocol handler vector as it can “bypass mechanisms designed to help keep users safe from malware.”

Microsoft Threat Intelligence noticed various cyber gangs using App Installer as a passageway for ransomware activity in mid-November of this year.

According to the report, “the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.”

The blog outlines the various ways that Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 have been observed using the service to lure victims into downloading spoofed applications and malicious MSIX application packages.