Microsoft disables feature after abuse by threat actors

Share post:

Application developers relying on Windows’ App Installer feature for distributing software over the web will have to find another vehicle, after Microsoft disabled a key protocol because it is being abused by threat actors.

Microsoft said Thursday it has disabled the ms-appinstaller protocol handler by default because at least four groups have been using it in the past two months to distribute malware.

It’s the second time in two years that Microsoft has blocked this protocol because of abuse.

The protocol allows developers to send links that start with ms-appinstaller:// rather than the more familiar http:// or https://  to trigger Microsoft’s App Installer system that orchestrates a download process.

Not only are threat groups abusing the protocol, multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft says.

In one example of abuse, a gang is spreading malware by fooling people using search engines to find legitimate software such Zoom, Tableau, TeamViewer, and AnyDesk. Victims who click on links to these sites after doing a search go to a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol. The victim sees a popup box that says, for example, “Install Zoom?”. The box includes an “Install” button. One tip this is a scam: The box says the app publisher is “Legion LLC” instead of Zoom Communications.

Another gang is distributing so-called versions of Adobe Acrobat Reader. It first serves a message that the victim’s computer needs an update. A popup box says “Install Adobe Protected PDF Viewer?” Again, one sign this is a fraud is the Publisher is an unknown company instead of Adobe.

Infosec leaders should warn employees about the risks of downloading and installing applications without approval. Users should also be educated to use the browser URL navigator to validate that, upon clicking a link in search results, they have arrived at an expected legitimate domain. They should also be told to verify that the software that is being installed is expected to be published by a legitimate publisher.

It also helps to have phishing-resistant authentication processes.

The threat actors using this tactic are Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.

The post Microsoft disables feature after abuse by threat actors first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Costs from Global CrowdStrike Outage Could Exceed $1 Billion

The global tech outage caused by a faulty CrowdStrike update on Friday could result in damages exceeding $1...

CrowdStrike update: Warnings from national cyber agencies, repair options from Microsoft

National cybersecurity agencies in the U.S., Canada, the U.K. and Australia issued security warnings about the faulty CrowdStrike...

CrowdStrike update causes global IT outages, fix is available

Some airlines, banks and government services around the world have been affected by a faulty software update for...

Charges dismissed in SolarWinds hacking case

A judge has dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against SolarWinds related to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways