Microsoft disables app installation protocol abused by hackers


Microsoft said Thursday it disabled a feature intended to streamline application installation after discovering financially motivated hacker groups using it to distribute malware.

The functionality, the ms-appinstaller protocol, essentially allowed users to skip a step or two when adding Windows apps to their devices. Cybercriminals discovered that it also allowed the installation of loader-style malware, Microsoft Threat Intelligence said in a blog post.

“Bad actors likely chose the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft said.

Disabling the protocol means that Windows apps will not be installed directly from a server onto a device. Instead, users must first download the software package and then run App Installer.

Microsoft attributed the activity to groups it tracks as Storm-0569, Storm-1113, Storm-1674 and Sangria Tempest. The label “Storm” denotes a group whose origins are unknown to the company. Sangria Tempest, a long-running cybercrime group, is also tracked as FIN7 by cybersecurity researchers and has been linked to ransomware groups such as Clop.

These groups were found in November and December to “spoof legitimate applications, trick users into installing malicious MSIX packages masquerading as legitimate applications, and evade detection on initial installation files,” Microsoft said.

Cybercriminals aimed to install loader malware that enables further infections, including common data-stealing tools such as IcedID or ransomware like Black Basta.

Company summaries of each Storm group’s activity:

  • Storm-0569 “is an access broker that focuses on downloading post-compromise payloads, such as BATLOADER, via malvertising and phishing emails containing malicious links to download sites.”
  • Storm-1113 “is a threat actor that acts as both an access broker focused on distributing malware via search advertisements and as an ‘as-a-service’ entity providing malicious installers and landing page frameworks.”
  • Storm-1674 “is an access broker known to use tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware.”

Sangria Tempest, meanwhile, was spotted dropping Carbanak, “a backdoor used by the actor since 2014, which in turn delivers the Gracewire malware implant.” Microsoft previously reported on the group in May.


Joe Warminsky

Joe Warminsky is the editor-in-chief of Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, DC area. Most recently, he helped lead CyberScoop for over five years. Before that, he was a digital editor at WAMU 88.5, NPR’s Washington affiliate, and he spent more than a decade editing congressional coverage for CQ Roll Call.
