Microsoft disables the ms-appinstaller protocol handler

esteria.white

Microsoft has once again disabled the ms-appinstaller protocol handler used to install MSIX packages. The decision follows Microsoft's observation that several threat actors had begun abusing the ms-appinstaller protocol to infect Windows systems with malware.

To get past the defenses that would normally protect Windows users from malware, the attackers abused the Windows AppX Installer spoofing vulnerability (CVE-2021-43890). Handing a package URL to the ms-appinstaller protocol handler installs it directly, so the Defender SmartScreen anti-phishing and anti-malware checks and the browser's built-in download warnings, which would otherwise warn users before running a downloaded .exe file, never fire.

Detailed information about the ms-appinstaller protocol

Microsoft investigated the misuse of App Installer by malicious actors. In response to these attacks, the company has now disabled the ms-appinstaller protocol handler by default for its users.
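For administrators who do not want to wait for the default change to reach every host, the protocol can be switched off centrally through the "Enable App Installer ms-appinstaller protocol" policy. The script below is an added example (not code from the article or from Microsoft) that audits and enforces that policy on a single machine; it assumes the policy is backed by the registry value `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableMSAppInstallerProtocol` (DWORD, 0 = disabled) and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the article or from Microsoft): audit and enforce the
# "Enable App Installer ms-appinstaller protocol" policy on one Windows host.
# Assumption: the policy is stored as the DWORD value EnableMSAppInstallerProtocol
# under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (0 = disabled).
# Run from an elevated PowerShell session.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured'.
    # 'NotConfigured' means no policy is set and the App Installer build's own default applies.
    $prop = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ($prop.$PolicyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-MsAppInstallerProtocol {
    # Create the policy key if absent, then force the value to 0 (disabled).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Microsoft's "disabled by default" change ships through an App Installer update, so record
# the installed version(s) alongside the policy state when auditing a fleet.
$appInstaller = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -AllUsers -ErrorAction SilentlyContinue
if ($appInstaller) {
    'App Installer version(s): ' + (($appInstaller.Version | Sort-Object -Unique) -join ', ')
} else {
    'App Installer (Microsoft.DesktopAppInstaller) not found on this host'
}

'Policy state before: ' + (Get-MsAppInstallerProtocolState)
if ((Get-MsAppInstallerProtocolState) -ne 'Disabled') {
    Disable-MsAppInstallerProtocol
}
'Policy state after:  ' + (Get-MsAppInstallerProtocolState)
```

In a managed environment the same value is better set through Group Policy or Intune so it cannot be reverted locally; the script is useful for spot checks and for hosts outside of policy scope.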

Explaining the operation of App Installer, Microsoft said: “Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, using the Uniform Resource Identifier (URI) scheme of the ms-appinstaller protocol to distribute malware.”

The financially motivated group Sangria Tempest (also known as FIN7) has previously been linked to the REvil and Maze ransomware families and is known for its involvement in the now-defunct BlackMatter and DarkSide ransomware operations.

Threat actors abused the ms-appinstaller protocol handler as an initial access vector for ransomware distribution. Several of them also sell a malware kit that abuses the MSIX file format and the ms-appinstaller protocol handler.

Spread of malicious files

Malicious payloads are disguised as signed MSIX application packages and distributed through Microsoft Teams or through malvertising on Google and other major search engines.

In a similar campaign in December 2021, the Emotet group deployed malicious Windows AppX Installer packages posing as Adobe PDF software to quietly infect Windows 10 and Windows 11 systems.

Malicious packages hosted on Microsoft Azure under *.web.core.windows.net URLs were also used to spread the BazarLoader malware; that operation exploited the same AppX Installer spoofing vulnerability.
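Because the lure is a link rather than an executable, the ms-appinstaller: URIs and the package URLs they point at are the most useful thing to hunt for in proxy logs, browser history and Teams message exports. The script below is an added example, not code from the article or any of the vendors it names. It assumes the documented link format `ms-appinstaller:?source=<package URL>`, treats hosting under the `*.web.core.windows.net` suffix mentioned above as higher risk rather than as proof of malice, and runs over a constructed list of sample URLs.

```powershell
# Added example (not from the article): triage URLs from proxy logs, browser history or
# Teams exports for ms-appinstaller: links and direct MSIX package downloads.
# Assumptions: link format ms-appinstaller:?source=<url>; the web.core.windows.net suffix is
# only a risk signal. The sample URLs at the bottom are constructed, not real indicators.

$PackageExtensions    = @('.msix', '.msixbundle', '.appx', '.appxbundle', '.appinstaller')
$SuspiciousHostSuffix = '.web.core.windows.net'

function Get-PackageUrlFinding {
    param([Parameter(Mandatory)][string]$Url)

    $isProtocolLink = $false
    $target = $Url
    # ms-appinstaller:?source=<url> hands the package URL straight to App Installer, skipping the
    # browser download prompt and SmartScreen check a downloaded .exe would get. Pull out 'source='
    # wherever it sits in the query string and percent-decode it.
    if ($Url -match '^ms-appinstaller:\?(?:[^&]*&)*source=([^&\s]+)') {
        $isProtocolLink = $true
        $target = [System.Uri]::UnescapeDataString($Matches[1])
    }

    $uri = $null
    if (-not [System.Uri]::TryCreate($target, [System.UriKind]::Absolute, [ref]$uri)) { return $null }

    $ext       = [System.IO.Path]::GetExtension($uri.AbsolutePath).ToLowerInvariant()
    $isPackage = $PackageExtensions -contains $ext
    if (-not $isProtocolLink -and -not $isPackage) { return $null }   # not App Installer related

    # Risk ladder: plain package download < ms-appinstaller: link < link or package on the
    # hosting pattern seen in the BazarLoader campaign.
    $risk = 'Low'
    if ($isProtocolLink) { $risk = 'Medium' }
    if ($uri.Host.EndsWith($SuspiciousHostSuffix, [System.StringComparison]::OrdinalIgnoreCase)) { $risk = 'High' }

    [pscustomobject]@{
        OriginalUrl  = $Url
        ProtocolLink = $isProtocolLink
        PackageHost  = $uri.Host
        PackagePath  = $uri.AbsolutePath
        Extension    = $ext
        Risk         = $risk
    }
}

# Constructed sample input (hypothetical hosts and paths).
$sampleUrls = @(
    'https://www.example.com/docs/guide.pdf',
    'https://updates.example.net/tool/setup.exe',
    'ms-appinstaller:?source=https://example-cdn.web.core.windows.net/pkgs/AdobeReader.msix',
    'ms-appinstaller:?ref=ad123&source=https%3A%2F%2Fexample-cdn.web.core.windows.net%2Fpkgs%2FTeams.msixbundle',
    'https://files.example.org/downloads/Viewer.appinstaller'
)

$riskOrder = @{ High = 0; Medium = 1; Low = 2 }
$sampleUrls |
    ForEach-Object { Get-PackageUrlFinding -Url $_ } |
    Where-Object { $_ } |
    Sort-Object { $riskOrder[$_.Risk] } |
    Format-Table -AutoSize
```

Of the five sample URLs, the PDF and the .exe produce no finding; the two ms-appinstaller: links are reported as High because their decoded source lives under the flagged suffix, and the bare .appinstaller download is reported as Low. Feed the function real URL columns with `Import-Csv` and pipe the findings to `Export-Csv` for follow-up.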

Microsoft had previously disabled the ms-appinstaller protocol handler in February 2022 to stop the Emotet campaign. It disabled the handler again earlier this month, since victims of the current attacks may also end up hit by ransomware.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber Express assumes no responsibility for the accuracy or consequences of the use of this information.
