“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” Microsoft said in a new security advisory.
Furthermore, the Redmond giant saw hackers selling malware kits on the dark web, which use the MSIX file format and the ms-appinstaller protocol handler.
Four threat actors
Apparently, the threat actors are creating malicious fake ads for legitimate and popular software, to redirect the victims to websites under their control. There, they trick them into downloading malware. A second distribution vector is phishing through Microsoft Teams, the company said.
“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” the advisory reads.
Since mid-November this year, at least four threat actors abused the App Installer service, Microsoft further explained, with those being Storm-0569, Storm-1113, Sangria Tempest (AKA FIN7), and Storm-1674. The former is an access broker that usually hands off the access to Storm-0506, which then deploys the Black Basta ransomware. FIN7, which researchers also observed impersonating banking software earlier this week, used the App Installer service to drop Gracewire, while Storm-1674 masquerades as Microsoft OneDrive and SharePoint through Teams messages.
The handler is disabled in the App Installer version 1.21.3421.0 or higher.
This is not the first time MSIX Windows app package files were abused in malware distribution, TheHackerNews says. In October 2023, Elastic Security Labs found such files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex being used to distribute a malware loader dubbed GHOSTPULSE. What’s more, Microsoft disabled the handler once before, in February last year.