Microsoft on Thursday stated it is as soon as once more disabling the ms-appinstaller protocol handler by default following its abuse by a number of risk actors to distribute malware.
“The noticed risk actor exercise abuses the present implementation of the ms-appinstaller protocol handler as an entry vector for malware which will result in ransomware distribution,” the Microsoft Menace Intelligence crew stated.
It additional famous that a number of cybercriminals are providing a malware package on the market as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The modifications have gone into impact in App Installer model 1.21.3421.0 or greater.
The assaults take the type of signed malicious MSIX software packages which can be distributed by way of Microsoft Groups or malicious commercials for legit common software program on engines like google like Google.
From USER to ADMIN: Study How Hackers Achieve Full Management
Uncover the key ways hackers use to change into admins, the best way to detect and block it earlier than it is too late. Register for our webinar at the moment.
At the least 4 totally different financially motivated hacking teams have been noticed profiting from the App Installer service since mid-November 2023, utilizing it as an entry level for follow-on human-operated ransomware exercise –
- Storm-0569, an preliminary entry dealer which propagates BATLOADER via SEO (website positioning) poisoning with websites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and makes use of the malware to ship Cobalt Strike and handoff the entry to Storm-0506 for Black Basta ransomware deployment.
- Storm-1113, an preliminary entry dealer that makes use of bogus MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for a wide range of stealer malware and distant entry trojans.
- Sangria Tempest (aka Carbon Spider and FIN7), which makes use of Storm-1113’s EugenLoader to drop Carbanak that, in flip, delivers an implant referred to as Gracewire. Alternatively, the group has relied on Google advertisements to lure customers into downloading malicious MSIX software packages from rogue touchdown pages to distribute POWERTRASH, which is then used to load NetSupport RAT and Gracewire.
- Storm-1674, an preliminary entry dealer that sends pretend touchdown pages masquerading as Microsoft OneDrive and SharePoint via Groups messages utilizing the TeamsPhisher device, urging recipients to open PDF information that, when clicked, prompts them to replace their Adobe Acrobat Reader to obtain a malicious MSIX installer that incorporates SectopRAT or DarkGate payloads.
Microsoft described Storm-1113 as an entity that additionally dabbles in “as-a-service,” offering malicious installers and touchdown web page frameworks mimicking well-known software program to different risk actors similar to Sangria Tempest and Storm-1674.
In October 2023, Elastic Safety Labs detailed one other marketing campaign wherein spurious MSIX Home windows app bundle information for Google Chrome, Microsoft Edge, Courageous, Grammarly, and Cisco Webex have been used to distribute a malware loader dubbed GHOSTPULSE.
This isn’t the primary time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Home windows. In February 2022, the tech big took the identical step to forestall risk actors from weaponizing it to ship Emotet, TrickBot, and Bazaloader.
“Menace actors have probably chosen the ms-appinstaller protocol handler vector as a result of it may possibly bypass mechanisms designed to assist hold customers secure from malware, similar to Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file codecs,” Microsoft stated.
Discover more from PressNewsAgency
Subscribe to get the latest posts sent to your email.