Microsoft has once again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware.
The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to bypass security measures that would otherwise protect Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and the built-in browser alerts that warn users against executable file downloads.
Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages.
“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware,” the company said.
“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler.”
The Sangria Tempest (aka FIN7) financially motivated hacking group has previously been linked to REvil and Maze ransomware after its involvement in the now-defunct BlackMatter and DarkSide ransomware operations.
In a private Microsoft threat analytics report seen by BleepingComputer, FIN7 was also linked to attacks targeting PaperCut printing servers with Clop ransomware.
Emotet and BazarLoader malware attacks
As BleepingComputer reported over two years ago, Emotet also used malicious Windows AppX Installer packages disguised as Adobe PDF software in December 2021 to infect Windows 10 and Windows 11 systems.
Additionally, the AppX Installer spoofing vulnerability was exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure, under *.web.core.windows.net URLs.
Microsoft previously disabled the ms-appinstaller protocol handler in February 2022 to thwart Emotet's onslaught.
Since devices compromised in these attacks could also be targeted with ransomware, Redmond disabled the ms-appinstaller protocol handler once again earlier this month.
While Microsoft says that it was disabled by default today, December 28, 2023, others report that the change was pushed out earlier this month. However, it is unclear when and why Microsoft re-enabled the Windows App Installer between February 2022 and December 2023.
Today, Microsoft recommended installing the patched App Installer version 1.21.3421.0 or later to block exploitation attempts.
The company also advised admins who cannot immediately deploy the latest App Installer version to disable the protocol by setting the Group Policy EnableMSAppInstallerProtocol to Disabled.
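For admins who want to verify which of the two mitigations above is in place on a host, here is an added PowerShell example written for this page; it is not Microsoft's or BleepingComputer's code. It assumes that App Installer is the Appx package named Microsoft.DesktopAppInstaller and that the EnableMSAppInstallerProtocol Group Policy is stored as a DWORD under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller; both names are assumptions to confirm against the policy template on your build. The version threshold 1.21.3421.0 comes from the article.

```powershell
# Added example (not from the article or from Microsoft): report whether a host has
# either mitigation described above, and optionally apply the interim policy one.
# Assumptions, labelled where used:
#  - App Installer ships as the Appx package "Microsoft.DesktopAppInstaller" (assumed name)
#  - EnableMSAppInstallerProtocol lives under the AppInstaller policy key as a DWORD,
#    0 = Disabled, 1 = Enabled, absent = Not configured (assumed location)

$FixedVersion = [version]'1.21.3421.0'   # version the article says blocks exploitation
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'  # assumed path
$PolicyName   = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerStatus {
    # Highest installed App Installer version across all user profiles (needs elevation).
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
    $installed = $null
    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        if ($null -eq $installed -or $v -gt $installed) { $installed = $v }
    }

    # Read the policy value; a missing value means "Not configured".
    $policyValue = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $policyValue = [int]$item.$PolicyName }
    }

    $versionPatched   = ($null -ne $installed) -and ($installed -ge $FixedVersion)
    $protocolDisabled = ($policyValue -eq 0)
    $versionText = if ($null -ne $installed) { $installed.ToString() } else { 'not installed' }
    $policyText  = if ($null -eq $policyValue) { 'not configured' } else { $policyValue }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AppInstallerVersion = $versionText
        VersionPatched      = $versionPatched
        PolicyValue         = $policyText
        ProtocolDisabled    = $protocolDisabled
        Mitigated           = ($versionPatched -or $protocolDisabled)  # either one covers the host
    }
}

function Disable-MSAppInstallerProtocol {
    # Interim mitigation for hosts that cannot take the App Installer update yet:
    # write the same value the Group Policy "Disabled" setting would. Requires an
    # elevated session; domain-joined hosts should receive this through GPO instead.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

$status = Get-AppInstallerStatus
$status | Format-List
if (-not $status.Mitigated) {
    Write-Warning ("{0}: App Installer {1} is below {2} and the protocol is not disabled by policy." -f
        $status.ComputerName, $status.AppInstallerVersion, $FixedVersion)
}
```

Run it elevated so Get-AppxPackage -AllUsers can see every profile. The check treats "Not configured" as not mitigated on purpose: the article notes uncertainty about when Microsoft flips the default, so the installed version is the signal to rely on, and the policy value is only counted when it is explicitly 0.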