Microsoft has disabled its ms-appinstaller URI scheme (App Installer) after observing that threat actors are using it to distribute malware.

According to a blog from Microsoft Threat Intelligence, the tech giant has been observing threat actors since mid-November 2023.

“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware,” Microsoft said.

“In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default,” it added.

According to the tech giant, the observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution.

Buy Me A Coffee

It also observed that multiple cybercriminals are selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler.

“These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674,” the company stated.

According to Microsoft, hackers have likely chosen the ms-appinstaller protocol handler vector because “it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats”.

READ
Los Angeles Housing Authority Hit by Cactus Ransomware Attack, Sensitive Data at Risk

In mid-November of this year, Microsoft Threat Intelligence discovered many cyber gangs employing App Installer as a conduit for ransomware operations.

As mentioned in the report, the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.