
Microsoft Disables Abused Application Installation Protocol

Attackers Have Been Exploiting App Installer to Evade Malware Defenses in Windows

Microsoft has deactivated a tool designed to simplify the installation of Windows applications after hacking groups began exploiting it to distribute malware loaders, leading to infections involving backdoors and ransomware.

The feature in question is the ms-appinstaller uniform resource identifier scheme, originally intended to simplify the process of adding Windows apps to devices. Since mid-November, enterprising criminal hackers have been using the tool to deploy loader malware, Microsoft's security team reported Thursday in a blog post.

Attackers have been exploiting it through both malicious advertisements for popular software and Microsoft Teams phishing messages, using them to propagate signed, malicious MSIX application packages designed to exploit the flaw, they said.

"In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default," the researchers said.

Attackers likely opted for ms-appinstaller because using it enabled them to circumvent anti-malware safety mechanisms, such as Microsoft Defender SmartScreen, as well as built-in browser warnings about downloading executable files, the researchers said.
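Because these links arrive through ads and Teams messages rather than as visible executable downloads, a defender can hunt for them in click or message logs. The following Python helper is an added example, not part of the article or of Microsoft's tooling: it pulls ms-appinstaller: URIs out of constructed sample lines, decodes the package URL carried in the scheme's source parameter, and flags any package host that is not on an assumed allowlist.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from the article): a proxy click log and a Teams
# message export, each carrying an ms-appinstaller: link like those described above.
SAMPLE_LINES = [
    "2023-12-14T10:01:22Z user=alice action=click "
    "url=ms-appinstaller:?source=https://example-cdn.invalid/installer/chrome.msix",
    "2023-12-14T10:05:09Z user=bob action=click url=https://www.example.com/download/app.msix",
    "teams-msg from=external@example.net text=Please review: "
    "ms-appinstaller:?source=https%3A%2F%2Fsharepoint-login.invalid%2Fdoc.appinstaller",
    "2023-12-14T10:09:41Z user=carol action=click "
    "url=ms-appinstaller:?source=https://packages.corp.example/tools/vpn.msix",
]

# Hosts this organization legitimately serves MSIX packages from (assumed allowlist).
TRUSTED_PACKAGE_HOSTS = {"packages.corp.example"}

# The scheme is case-insensitive; the URI runs until whitespace or a quote/bracket.
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)

def extract_source_url(uri):
    """Return the package URL named by the 'source' parameter of an ms-appinstaller URI."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    sources = parse_qs(query).get("source")  # parse_qs percent-decodes the value
    return sources[0] if sources else None

def find_appinstaller_links(lines, trusted_hosts=TRUSTED_PACKAGE_HOSTS):
    """Find every ms-appinstaller link in the lines and flag those that fetch a package
    from a host outside the allowlist; a missing or unparsable source is also flagged."""
    hits = []
    for line in lines:
        for match in MS_APPINSTALLER_RE.finditer(line):
            uri = match.group(0)
            source = extract_source_url(uri)
            host = urlsplit(source).hostname if source else None
            hits.append({
                "uri": uri,
                "source": source,
                "host": host,
                "suspicious": host is None or host not in trusted_hosts,
            })
    return hits

if __name__ == "__main__":
    for hit in find_appinstaller_links(SAMPLE_LINES):
        print("SUSPICIOUS" if hit["suspicious"] else "allowlisted", hit["host"], hit["source"])
```

The plain https:// download on the second sample line is deliberately not matched; it would still trip the browser's executable-download warning, which is exactly what the ms-appinstaller links sidestep.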

One wrinkle is that ms-appinstaller contains a Windows AppX installer spoofing vulnerability, tracked as CVE-2021-43890. Security researcher Will Dormann said Microsoft first mitigated the vulnerability in December 2021 and then apparently deactivated its fix this past April, leading to attackers being able to exploit it again.

Microsoft didn't immediately respond to a request for comment.

The technology giant has since tracked multiple groups exploiting the flaw, including attackers of unknown origin, to which it assigns the codename "Storm." Microsoft also traced attacks back to a financially motivated group - Microsoft uses "Tempest" for such actors - that it tracks as Sangria Tempest. Researchers have previously linked this long-running cybercrime player, also known as FIN7, to such ransomware groups as Clop.

Microsoft's security researchers said that all of the ms-appinstaller attacks they have found so far have been designed to install loader malware onto an endpoint, facilitating further infections. Specific groups of activity it has been tracking include:

  • Storm-0569: This access broker, which sells access to hacked endpoints and sites to others, focuses on downloading post-compromise payloads such as Batloader via search engine optimization poisoning, malvertising and phishing emails with links that lead to malicious download sites, Microsoft said. "In one observed instance, Storm-0569's Batloader dropped a Cobalt Strike Beacon followed by data exfiltration using the Rclone data exfiltration tools and BlackBasta ransomware deployment," it said.
  • Storm-1113: This group functions as both an access broker that gathers logins via malware distributed through search advertisements and an as-a-service entity that furnishes malicious installers and landing page frameworks to others, Microsoft said. The panoply of malicious payloads used by the group has included Gozi, Redline Stealer, IcedID, Smoke Loader, NetSupport Manager, Sectop RAT and Lumma Stealer.
  • Storm-1674: Since early December, this access broker has been using the publicly available TeamsPhisher tool to distribute DarkGate malware, which can facilitate keystroke logging, password theft, cryptocurrency mining and more, Microsoft said. Researchers said the group often uses fake landing pages for such Microsoft services as OneDrive and SharePoint, and that in previous attacks - in September - they have tracked the group handing off infected endpoints to attackers wielding BlackBasta ransomware.
  • Sangria Tempest: Microsoft said this group has been exploiting the application installer to infect endpoints with Carbanak - a backdoor and loader the group has used since 2014 - which in turn installs GraceWire spyware, which can steal passwords, banking information and other data.

Because Microsoft has disabled the ms-appinstaller protocol handler, Windows administrators can no longer directly install Windows apps from a server onto an endpoint. Instead, admins must first download a software package to the endpoint and then run its application installer.

While Microsoft first reported Thursday that it had disabled the protocol handler by default, the change likely occurred earlier this month, based on reports from distressed users, who said it was having "a huge impact on enterprise use."

About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
