Microsoft to Disable MSIX App Installer Protocol Due to Malware Attacks

Microsoft announced on Thursday that it is once more turning off the ms-appinstaller protocol handler by default as a result of several threat actors using it to spread malware.

“The observed threat actor activity abuses the current implementation of the protocol as an access vector for malware that may lead to ransomware distribution,” the team from Microsoft Threat Intelligence stated.

It also mentioned that several fraudsters are using the MSIX file format and ms-appinstaller protocol to sell a malware kit. App Installer versions 1.21.3421.0 and above are the latest versions that have the modifications.

The assaults manifest as malicious MSIX application packages that are signed and distributed through Microsoft Teams or as malicious search engine adverts on Google and other major search engines promoting popular applications.

At least 4 money-driven hacking groups have been taking advantage of the ms-appinstaller protocol since the middle of November 2023. They have been using it as an entry point for motivated human-operated ransomware operations - 

  1. Storm-0569, the commencing access broker that grows BATLOADER through SEO poisoning with website spoofing AnyDesk, Tableau, TeamViewer, and Zoom. Also, it uses malware & viruses to carry out Cobalt Strike and transfer access to Storm-0506 for deploying the Black Basta ransomware.
  2. Storm-1113 is an initial access broker that distributes EugenLoader (also known as FakeBat), a conduit for various stealer malware and remote access trojans, via fake MSIX installers that pose as Zoom.
  3. Sangria Tempest drops Carbanak, which then delivers an implant known as Gracewire, using Storm-1113's EugenLoader. As an alternative, the hacking group is using bougie landing pages to spread POWERTRASH by tricking users into downloading malicious MSIX app packages.
  4. Using the TeamsPhisher tool, Storm-1674 poses as Microsoft OneDrive & SharePoint to send fake landing pages through Teams messages. The messages encourage recipients to open PDF files, which upon clicking, prompt them to update Adobe Acrobat Reader. In turn, it downloads a malicious MSIX installer that contains SectopRAT or DarkGate payloads.

Microsoft describes Storm-1113 as a system that splashes in as a service to provide malicious installers & landing pages acting as a well-known software to other hacking groups.

In October month of 2023, Elastic Security Lab provided another detailed campaign. The campaign included a fake MSIX Windows app package for Microsoft EdgeGoogle Chrome, Cisco Webex, etc. to spread a malware loader - GHOSTPULSE.

Microsoft has previously turned off Windows’ MSIX ms-appinstaller protocol handler. The tech giant made the same move again in February 2022 to stop the hacking groups from using it as a weapon to spread Emotet, TrickBot, and Bazaloader.

The Microsoft Officials said, “Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats”.