Microsoft’s Bold Move Against Malware Distribution in App Installer Shakes Up Tech World

Microsoft has disabled the ms-appinstaller URI scheme (App Installer) protocol handler after observing threat actors using it to distribute malware. According to a blog post from Microsoft Threat Intelligence, the company has been tracking this activity since mid-November 2023. Microsoft stated, “Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware.”

In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default. The company notes that the observed threat actor activity exploits the current implementation of the ms-appinstaller protocol handler, which serves as an initial access vector for malware and can ultimately lead to the distribution of ransomware.

Microsoft also observed multiple cybercriminals selling a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler. According to Microsoft, attackers have likely chosen the ms-appinstaller protocol handler vector because “it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats”.

In mid-November 2023, Microsoft Threat Intelligence identified several cybercriminal groups using App Installer as a conduit for ransomware operations. The observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages that pose as legitimate applications, and evading detection on the initial installation files.
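Because the ms-appinstaller handler launches the package install from a `ms-appinstaller:?source=<URL>` link rather than from a browser download, the link itself is the artifact a defender can hunt for in web proxy or browser history logs. The following is an added example (not code from Microsoft or from the original article) that scans proxy log lines for such URIs, extracts the package source, and flags sources that are not HTTPS, not on an allow-list of expected package hosts, or not a package file type. The log format, the allow-listed host `apps.example-corp.internal`, and the sample lines are all constructed for the example; the domains and IP address come from documentation ranges.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allow-list: hosts from which this (hypothetical) organisation
# legitimately distributes MSIX packages. Adjust for your environment.
TRUSTED_SOURCE_HOSTS = {"apps.example-corp.internal"}

# File types the App Installer protocol handler is expected to fetch.
PACKAGE_SUFFIXES = (".msix", ".msixbundle", ".appinstaller")

# Matches an ms-appinstaller: URI up to the next whitespace in a log line.
URI_RE = re.compile(r"ms-appinstaller:\?\S+", re.IGNORECASE)

# Constructed proxy log: timestamp, user, method, URL, status.
CONSTRUCTED_LOG = """\
2023-11-20T10:01:02Z user1 GET https://www.example.com/index.html 200
2023-11-20T10:02:15Z user2 GET ms-appinstaller:?source=https://apps.example-corp.internal/Tools.msix 200
2023-11-20T10:03:44Z user3 GET ms-appinstaller:?source=https://cdn-updates.example.net/Installer-x64.msix 200
2023-11-20T10:04:10Z user4 GET ms-appinstaller:?source=http://198.51.100.7/setup.msixbundle 200
2023-11-20T10:05:31Z user5 GET ms-appinstaller:?src=https://cdn-updates.example.net/app.msix 200
"""


def parse_appinstaller_uri(uri):
    """Return the package source URL carried by an ms-appinstaller: URI, or None."""
    parts = urlparse(uri)
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    sources = parse_qs(parts.query).get("source")
    return sources[0] if sources else None


def assess_source(source):
    """Return the reasons a package source deserves analyst attention (empty = looks expected)."""
    reasons = []
    src = urlparse(source)
    host = (src.hostname or "").lower()
    if src.scheme.lower() != "https":
        reasons.append("non-https source")
    if host not in TRUSTED_SOURCE_HOSTS:
        reasons.append(f"untrusted host {host or '<none>'}")
    if not src.path.lower().endswith(PACKAGE_SUFFIXES):
        reasons.append("unexpected package extension")
    return reasons


def scan_log(text):
    """Find every ms-appinstaller: URI in the log text and assess its package source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URI_RE.finditer(line):
            uri = match.group(0)
            source = parse_appinstaller_uri(uri)
            if source is None:
                # A handler URI without a usable source= parameter is itself odd.
                findings.append({"line": lineno, "uri": uri, "source": None,
                                 "reasons": ["malformed ms-appinstaller URI"]})
                continue
            findings.append({"line": lineno, "uri": uri, "source": source,
                             "reasons": assess_source(source)})
    return findings


def suspicious(findings):
    """Keep only findings with at least one reason to investigate."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(scan_log(CONSTRUCTED_LOG)):
        print(f"line {f['line']}: {f['uri']} -> {', '.join(f['reasons'])}")
```

Even a hit with no reasons is worth noting now that the handler is disabled by default: any host that still honours `ms-appinstaller:` links is one where the protocol has not been turned off. On the constructed log above, the script flags the untrusted host on line 3, the plain-HTTP IP-address source on line 4, and the malformed URI on line 5, while the allow-listed source on line 2 passes.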

Stay tuned for more updates on this developing story.