
Microsoft disables MSIX protocol handler abused in malware assaults


Microsoft has once again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware.

The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to bypass security measures that would otherwise protect Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and the built-in browser warnings that caution users against executable file downloads. Because an ms-appinstaller: link hands the package straight to App Installer instead of saving a file through the browser, neither control gets a chance to inspect or warn about the download.

Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages.

“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware,” the company said.

“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler.”

The Sangria Tempest (aka FIN7) financially motivated hacking group has previously been linked to REvil and Maze ransomware after its involvement in the now-defunct BlackMatter and DarkSide ransomware operations.

In a private Microsoft threat analytics report seen by BleepingComputer, FIN7 was also linked to attacks targeting PaperCut printing servers with Clop ransomware.

Malicious App Installer pushed in these attacks (Microsoft)

Emotet and BazarLoader malware attacks

As BleepingComputer reported over two years ago, Emotet also used malicious Windows AppX Installer packages camouflaged as Adobe PDF software in December 2021 to infect Windows 10 and Windows 11 systems.

Additionally, the AppX Installer spoofing vulnerability was exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure, served from *.web.core.windows.net URLs.

Microsoft previously disabled the ms-appinstaller protocol handler in February 2022 to thwart Emotet's onslaught.

Since devices compromised as part of these attacks may also be targeted with ransomware, Redmond disabled the ms-appinstaller protocol handler once again earlier this month.

While Microsoft says that it was disabled by default today, December 28, 2023, others report that the change was pushed out earlier this month. However, it is unclear when and why Microsoft reenabled the ms-appinstaller protocol handler between February 2022 and December 2023.

Today, Microsoft recommended installing the patched App Installer version 1.21.3421.0 or later to block exploitation attempts.

The company also advised admins who cannot immediately deploy the latest App Installer version to disable the protocol by setting the Group Policy EnableMSAppInstallerProtocol to Disabled.
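The following PowerShell is an added example, not code from the article or from Microsoft, that checks a host against both mitigations above (the patched App Installer version, and the policy fallback) and can apply the policy fallback. It assumes App Installer is the Appx package named Microsoft.DesktopAppInstaller, and that the EnableMSAppInstallerProtocol policy is stored as a DWORD under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller with 0 meaning Disabled; verify both against the ADMX in your environment before relying on the script.

```powershell
# Added example (not from the article or from Microsoft).
# Assumptions: App Installer ships as the Appx package Microsoft.DesktopAppInstaller,
# and the EnableMSAppInstallerProtocol policy is a DWORD under the key below (0 = Disabled).
$MinimumPatchedVersion = [version]'1.21.3421.0'   # version Microsoft recommends or later
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerStatus {
    # App Installer is a per-user package, so enumerate every profile (needs an
    # elevated shell) and report the highest version found on the machine.
    $pkg = Get-AppxPackage -AllUsers -Name Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue |
        Sort-Object { [version]$_.Version } -Descending |
        Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }
    $versionIsPatched = ($null -ne $installed) -and ($installed -ge $MinimumPatchedVersion)

    # Policy fallback: a DWORD 0 at the assumed key means the protocol handler is disabled.
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $disabledByPolicy = ($null -ne $policy) -and ($policy.$PolicyName -eq 0)

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        AppInstallerVersion      = $installed
        VersionIsPatched         = $versionIsPatched
        ProtocolDisabledByPolicy = $disabledByPolicy
        Mitigated                = $versionIsPatched -or $disabledByPolicy
    }
}

function Disable-MsAppInstallerProtocol {
    # The article's fallback for hosts that cannot take the new App Installer yet:
    # set the policy to Disabled (DWORD 0). Supports -WhatIf; requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", 'Set to 0 (Disabled)')) {
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -Type DWord
    }
}

# Report the current state; apply the policy fallback only where neither mitigation is present.
$status = Get-MsAppInstallerStatus
$status | Format-List
if (-not $status.Mitigated) {
    Disable-MsAppInstallerProtocol -WhatIf   # drop -WhatIf to actually write the policy
}
```

Run it elevated; without -AllUsers the version check only sees the current profile. A value written locally under the Policies hive is overwritten at the next Group Policy refresh if a domain GPO configures the same setting, so in a managed estate the durable fix is the GPO itself, with this script used to audit that it landed. Once the patched App Installer is deployed everywhere, the policy can be reverted so legitimate ms-appinstaller: links work again.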
