Microsoft takes action against malware distribution through 'App Installer'

Follow us on

Microsoft has disabled its ms-app installer URI scheme (App Installer) after observing that the threat actors are using the tool to distribute malware. As per the blog from Microsoft Threat Intelligence, the tech giant has been observing threat actors since mid-November 2023.

Microsoft stated. "Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware.”

It further added, "In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.”

The tech giant notes the observed threat actor’s activity which was involved in the exploitation of the current implementation of the ms-appinstaller protocol handler. This misuse serves as an access vector for malware, which potentially results in the distribution of ransomware.

Furthermore, it observed the multiple cybercriminals who are selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler.

The company stated, "These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674.”

According to Microsoft, hackers have likely chosen the ms-appinstaller protocol handler vector because "it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats".In mid-November of this year, Microsoft Threat Intelligence discovered many cyber gangs employing App Installer as a conduit for ransomware operations.

Related Stories

Microsoft Windows Server 2022 launched ahead of Windows 11

Google rolls out the first Chrome update in 2022, fixes 37 security bugs

Microsoft Windows 11 Update: All you need to know about the new features

Microsoft Windows 11 Xbox controller bar launched, here is how to use it

Google Docs update will let you edit multiple texts together, and more

Microsoft to discontinue Windows 8.1 and user will have only this option to upgrade

Microsoft brings new Outlook for Windows for office insiders- Know the new features

How to erase data permanently from an iPhone? Step-by-step guide

Google adds memory saver and energy saver mode: All you need to know

How to create secret, blank folders on Windows to store private files?

WhatsApp adds in-app chat support to Windows beta version

Google rolls out Nearby Share for Windows: Check details here

Microsoft launches Windows 365 Switch public preview

Microsoft brings new Surface laptops, Windows 11 update, and more: All details here

Windows 12 launch details possibly revealed by Intel CFO

As mentioned in the report, the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.

ALSO READ: Here is how you can buy an iPhone 15 below Rs 70,000 | Limited period offer you must not miss