Microsoft has taken action to address the abuse of the ms-appinstaller protocol handler by financially motivated threat groups. This protocol handler has been exploited to distribute malware, including ransomware [2] [5], through the use of malicious advertisements and phishing messages [2].

Description

The attackers took advantage of a vulnerability in the Windows AppX Installer to bypass security measures and infect Windows users with malware, distributing signed malicious MSIX application packages with the ms-appinstaller protocol handler as the access vector [2]. In addition, cybercriminals are selling a malware kit that abuses the MSIX file format and the ms-appinstaller protocol handler [1] [2] [5]. The Sangria Tempest hacking group, associated with REvil and Maze ransomware, has been involved in these operations [2].

To address this issue, Microsoft has disabled the ms-appinstaller protocol handler by default and revoked the abused code signing certificates; it has also launched investigations and made improvements to protect customers [3]. This action followed the discovery of the issue in November 2023. On December 28th, 2023, Microsoft disabled the ms-appinstaller URI scheme by default [1] [3] [4], so users must now download the MSIX package before installing an app [3]. Microsoft will continue to monitor and prevent malicious activity [3].

The ms-appinstaller protocol handler has been used to bypass security mechanisms such as Microsoft Defender SmartScreen and Edge’s built-in browser protection services. Threat actors [1] [3] [4] [5], including Storm-0569, Storm-1113 [4], Sangria Tempest [2] [4], and Storm-1674 [4], have utilized this protocol to distribute malware, particularly through the MSIX file format [4]. These actors register fake domain names and upload installers for popular programs to lure targets into installing malware [4].
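Because the lure described above is a link of the form ms-appinstaller:?source=<URL of an MSIX package>, a defender can triage click or mail-gateway telemetry for such links and check where the package is actually hosted. The following is an added example, not code from any of the cited sources; the log format, the sample lines and the allowlist of trusted package hosts are constructed for illustration.

```python
"""Flag ms-appinstaller links in URL-click log lines (added example).

The link format ms-appinstaller:?source=<URL-to-MSIX> is the one the protocol
handler consumes; the log layout and the allowlist are constructed here.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed: the only hosts this organisation installs MSIX packages from.
TRUSTED_PACKAGE_HOSTS = {"apps.example-corp.internal"}

# Matches an ms-appinstaller: URI wherever it appears in a log line.
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample records: a mail-gateway URL-click log, one click per line.
SAMPLE_LOG = """\
2023-12-13T09:12:04Z user=alice url=https://apps.example-corp.internal/tools/index.html
2023-12-13T09:15:41Z user=bob url=ms-appinstaller:?source=https://apps.example-corp.internal/pkg/Tool.msix
2023-12-13T09:20:09Z user=carol url=MS-AppInstaller:?source=https%3A%2F%2Fdownload-popular-app.example%2FApp.msix
2023-12-13T09:22:30Z user=dave url=ms-appinstaller:?source=https://collab-updates.example/setup.msix&ref=ad
"""


def package_source(uri):
    """Return the package URL named by the source= parameter, or None."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    src = parse_qs(query).get("source")  # parse_qs percent-decodes the value
    return src[0] if src else None


def classify_line(line):
    """Return one finding per ms-appinstaller link found in a log line."""
    findings = []
    for match in MS_APPINSTALLER_RE.finditer(line):
        src = package_source(match.group(0))
        host = urlparse(src).hostname if src else None  # hostname is lowercased
        findings.append({
            "uri": match.group(0),
            "package_host": host,
            # A missing or unknown package host is exactly what merits triage.
            "suspicious": host not in TRUSTED_PACKAGE_HOSTS,
        })
    return findings


def scan_log(text):
    """Scan a whole log; each finding keeps the line it came from."""
    return [dict(f, line=line) for line in text.splitlines() for f in classify_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if f["suspicious"] else "allowlisted"
        print(f"{verdict:11} package_host={f['package_host']}  {f['uri']}")
```

Run on real telemetry, the allowlist should come from the organisation's actual software-distribution hosts, and flagged lines can be joined with the revoked-certificate and SmartScreen signals the article mentions.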

Conclusion

The abuse of the ms-appinstaller protocol handler has had significant impacts, with malware being distributed to Windows users. Microsoft’s actions to disable the protocol handler by default and revoke abused certificates are important mitigations to prevent further exploitation. However, the involvement of threat groups like Sangria Tempest highlights the ongoing challenges in combating these attacks. Microsoft’s continued monitoring and prevention efforts will be crucial in protecting users from future malicious activity.

References

[1] https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html
[2] https://blog.cyberconvoy.com/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/
[3] https://msrc.microsoft.com/blog/2023/12/microsoft-addresses-app-installer-abuse/
[4] https://news.thewindowsclub.com/microsoft-disables-ms-appinstaller-protocol-handler-for-security-reasons-108552/
[5] https://www.techradar.com/pro/security/microsoft-disables-one-of-its-own-software-tools-following-multiple-malware-attacks