Microsoft disables feature after abuse by threat actors

Share post:

Application developers relying on Windows’ App Installer feature for distributing software over the web will have to find another vehicle, after Microsoft disabled a key protocol because it is being abused by threat actors.

Microsoft said Thursday it has disabled the ms-appinstaller protocol handler by default because at least four groups have been using it in the past two months to distribute malware.

It’s the second time in two years that Microsoft has blocked this protocol because of abuse.

The protocol allows developers to send links that start with ms-appinstaller:// rather than the more familiar http:// or https://  to trigger Microsoft’s App Installer system that orchestrates a download process.

Not only are threat groups abusing the protocol, multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft says.

In one example of abuse, a gang is spreading malware by fooling people using search engines to find legitimate software such Zoom, Tableau, TeamViewer, and AnyDesk. Victims who click on links to these sites after doing a search go to a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol. The victim sees a popup box that says, for example, “Install Zoom?”. The box includes an “Install” button. One tip this is a scam: The box says the app publisher is “Legion LLC” instead of Zoom Communications.

Another gang is distributing so-called versions of Adobe Acrobat Reader. It first serves a message that the victim’s computer needs an update. A popup box says “Install Adobe Protected PDF Viewer?” Again, one sign this is a fraud is the Publisher is an unknown company instead of Adobe.

Infosec leaders should warn employees about the risks of downloading and installing applications without approval. Users should also be educated to use the browser URL navigator to validate that, upon clicking a link in search results, they have arrived at an expected legitimate domain. They should also be told to verify that the software that is being installed is expected to be published by a legitimate publisher.

It also helps to have phishing-resistant authentication processes.

The threat actors using this tactic are Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.

The post Microsoft disables feature after abuse by threat actors first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways