You must be registered for see links
by default following its abuse by multiple threat actors to distribute malware."The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team
You must be registered for see links
.It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The
You must be registered for see links
have gone into effect in App Installer version 1.21.3421.0 or higher.The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.
At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity -
- Storm-0569, an initial access broker which propagates
You must be registered for see linksthrough search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and handoff the access to Storm-0506 for Black Basta ransomware deployment.
- Storm-1113, an initial access broker that uses bogus MSIX installers masquerading as Zoom to distribute
You must be registered for see links(aka FakeBat), which acts as a conduit for a variety of stealer malware and remote access trojans.
-
You must be registered for see links(aka Carbon Spider and FIN7), which uses Storm-1113's EugenLoader to dropYou must be registered for see linksthat, in turn, delivers an implant calledYou must be registered for see links. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from rogue landing pages to distributeYou must be registered for see links, which is then used to load NetSupport RAT and Gracewire.
- Storm-1674, an initial access broker that sends fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages using the
You must be registered for see links, urging recipients to open PDF files that, when clicked, prompts them to update their Adobe Acrobat Reader to download a malicious MSIX installer that contains SectopRAT orYou must be registered for see linkspayloads.
In October 2023, Elastic Security Labs
You must be registered for see links
another campaign in which spurious MSIX Windows app package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader dubbed GHOSTPULSE.This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant
You must be registered for see links
to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader."Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," Microsoft said.
From:
You must be registered for see links