Malware Threats: Microsoft Disables ‘App Installer’ Used by Hackers To Spread Malware

Microsoft has disabled its ms-appinstaller URI scheme (App Installer) after observing that threat actors are using it to distribute malware.

Microsoft (Photo Credit: Wikimedia Commons)

New Delhi, December 31: Microsoft has disabled its ms-appinstaller URI scheme (App Installer) after observing that threat actors are using it to distribute malware. According to a blog from Microsoft Threat Intelligence, the tech giant has been observing threat actors since mid-November 2023. "Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware," Microsoft said.

"In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default," it added. According to the tech giant, the observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Microsoft to Discontinue Support for Windows 10 From October 2025, PCs Could Remain Functional for Years After End of OS Support

It also observed that multiple cybercriminals are selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. "These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674," the company stated.

According to Microsoft, hackers have likely chosen the ms-appinstaller protocol handler vector because "it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats". In mid-November of this year, Microsoft Threat Intelligence discovered many cyber gangs employing App Installer as a conduit for ransomware operations. Microsoft Working To Bring New Surface Laptop Series With AI-Enabled Features and Next-Gen Neural Processing Unit: Reports

As mentioned in the report, the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.

(The above story first appeared on LatestLY on Dec 31, 2023 02:32 PM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).

Share Now

Share Now