© 2024 CyberNews- Latest tech news,
product reviews, and analyses.

Microsoft disables App Installer after observing financially motivated threat actor activity


Microsoft has once again disabled its ms-appinstaller protocol handler after observing threat actors using it to distribute malware.

According to a blog post from Microsoft Threat Intelligence, the company has been observing threat actors abusing the handler since mid-November 2023.

Microsoft has witnessed financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 using the ms-appinstaller URI scheme or app installer to distribute malware.

The company states that to ensure “customers are protected from observed attacker activity, Microsoft has investigated the use of App Installer in these attacks” and, in response, has disabled App Installer by default.

The observed threat actor activity involves abusing the current implementation of the ms-appinstaller protocol handler as an access point for malware that could lead to ransomware distribution.

Microsoft has also observed multiple cybercriminals selling malware kits as a service that exploit the MSIX file format and the ms-appinstaller protocol handler.

These attacks involve the distribution of malicious MSIX application packages through websites that victims reach via malicious advertisements for legitimate software on popular search engines, and via Microsoft Teams.

Threat actors have chosen to misuse the ms-appinstaller protocol handler vector because it can “bypass mechanisms designed to help keep users safe from malware.”
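Because the protocol handler is invoked through a URI of the form `ms-appinstaller:?source=<package URL>`, one defensive check is to scan web or proxy logs for that scheme and flag any package source host that is not on an allowlist. The script below is an added example and is not code from the article or from Microsoft; the log format, the IP addresses, the `.invalid`/`.example` hosts and the `TRUSTED_PACKAGE_HOSTS` allowlist are all constructed for illustration.

```python
"""Flag ms-appinstaller protocol URIs in web/proxy log lines.

Added example, not from the article or from Microsoft. The log format
"<timestamp> <client> <url>" is a constructed simplification; the URI shape
ms-appinstaller:?source=<package url> is the documented form of the handler.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (placeholder hosts, not real indicators).
SAMPLE_LOG = """\
2023-11-20T10:01:02Z 10.0.0.5 https://www.example.com/downloads
2023-11-20T10:01:09Z 10.0.0.5 ms-appinstaller:?source=https://packages.example-cdn.invalid/installer.msix
2023-11-20T10:02:30Z 10.0.0.7 ms-appinstaller:?source=https://apps.corp.example/approved.msixbundle
2023-11-20T10:03:00Z 10.0.0.9 https://search.example.net/?q=free+software
"""

# Hypothetical allowlist of package hosts the organisation trusts.
TRUSTED_PACKAGE_HOSTS = {"apps.corp.example"}


def extract_package_source(uri):
    """Return the package URL carried in an ms-appinstaller URI, or None
    for any other URI."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    sources = parse_qs(parts.query).get("source")
    return sources[0] if sources else None


def find_suspicious_installs(log_text, trusted_hosts=TRUSTED_PACKAGE_HOSTS):
    """Return (timestamp, client, package_host, package_url) for every
    ms-appinstaller URI whose package host is not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, url = line.split(maxsplit=2)
        source = extract_package_source(url)
        if source is None:
            continue
        host = (urlsplit(source).hostname or "").lower()
        if host not in trusted_hosts:
            findings.append((timestamp, client, host, source))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_installs(SAMPLE_LOG):
        print("untrusted MSIX package source:", *finding)
```

Run against the constructed sample, the script reports only the `10.0.0.5` request that points at `packages.example-cdn.invalid`; the package fetched from the allowlisted `apps.corp.example` host is ignored, and ordinary HTTPS browsing is not matched at all.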

Microsoft Threat Intelligence noticed various cyber gangs using App Installer as an entry point for ransomware activity in mid-November 2023.

According to the report, “the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.”

The blog post outlines the various ways in which Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 have been observed using the service to lure victims into downloading spoofed applications and malicious MSIX application packages.

