Microsoft has disabled the App Installer feature that lets you install Windows 10 apps directly from a web page by clicking a link using the ms-appinstaller URI scheme. This feature has been heavily exploited by various attackers in recent months to deploy ransomware and other malicious implants.
“Threat actors may have chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and browsers’ built-in warnings for downloading executable file formats,” Microsoft said in a report published last week.
The protocol handler was disabled with the release of App Installer version 1.21.3421.0 on December 28, after the company had warned about the Windows AppX Installer spoofing vulnerability (CVE-2021-43890) in its most recent Patch Tuesday update.
How does Microsoft App Installer work?
App Installer is a feature introduced in Windows 10 in 2016 to simplify the installation of Universal Windows Platform (UWP) apps, formerly known as Windows Store apps. These applications can be deployed to all Windows devices and are distributed as .msix or .msixbundle files in a package format called MSIX. MSIX was introduced in 2019 and replaced the older AppX packaging format for apps on the Microsoft Store.
However, MSIX packages do not necessarily have to be deployed from the Microsoft Store; they can be installed offline or from any website thanks to the ms-appinstaller URI scheme and protocol handlers. Microsoft recommends that enterprises use MSIX packages to deploy applications because they improve reliability and installation success rates, and optimize bandwidth and disk space usage.
“MSIX allows businesses to stay current and keep their applications up to date. It reduces the need for repackaging and gives IT professionals and developers the ability to deliver user-centric solutions while reducing the cost of application ownership,” the company said.
When an app is deployed directly from a website, the page contains a link of the form ms-appinstaller:?source=http://link-to.domain/app-name.msix. When the link is clicked, the browser hands the request to Windows’ ms-appinstaller protocol handler, which launches App Installer and points it at the package URL carried in the source parameter; that URL does not have to be on the same host as the page. This is the same kind of functionality found in other apps that register custom protocol handlers on Windows. For example, clicking a button on a web page to join a conference call can make the browser open the Zoom or Microsoft Teams desktop app automatically.
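As an added example (not code from the article, from Microsoft, or from any group it describes), the following Python script extracts ms-appinstaller links from page content, pulls the package URL out of the source parameter, and flags packages served from hosts an organization does not publish from. Every host name, page snippet and the allowlist are constructed for illustration.

```python
"""Extract and triage ms-appinstaller links found in web page content.

Added example, not code from the article or from Microsoft. It relies only on
the link shape described above, ms-appinstaller:?source=<package URL>. The
page contents, host names and allowlist below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts an organisation legitimately publishes MSIX packages from (constructed).
TRUSTED_PACKAGE_HOSTS = {"packages.corp.example"}

# Package types App Installer accepts through the source parameter.
PACKAGE_SUFFIXES = (".msix", ".msixbundle", ".appinstaller", ".appx", ".appxbundle")

# An ms-appinstaller link runs up to the next quote, whitespace or angle bracket.
_LINK_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)


def parse_appinstaller_link(link):
    """Return (package_url, package_host) for an ms-appinstaller link.

    App Installer takes its target from the 'source' query parameter. Returns
    None when the scheme is wrong, 'source' is missing, or the URL has no host.
    """
    parts = urlsplit(link)
    if parts.scheme != "ms-appinstaller":   # urlsplit lowercases the scheme
        return None
    sources = parse_qs(parts.query).get("source")
    if not sources:
        return None
    package_url = sources[0]                # parse_qs has already %-decoded it
    host = urlsplit(package_url).hostname   # lowercased by urlsplit
    if not host:
        return None
    return package_url, host


def triage_page(page_host, html):
    """Find every ms-appinstaller link in html and classify it.

    Each finding carries the link, the package URL and host, whether the
    package is fetched from a host other than the page itself, and a verdict:
      'trusted'     package host is on the allowlist
      'suspicious'  package host is not allowlisted
      'malformed'   no usable source parameter
    """
    page_host = page_host.lower()
    findings = []
    for link in _LINK_RE.findall(html):
        parsed = parse_appinstaller_link(link)
        if parsed is None:
            findings.append({"link": link, "verdict": "malformed"})
            continue
        package_url, host = parsed
        path = urlsplit(package_url).path.lower()
        findings.append({
            "link": link,
            "package_url": package_url,
            "host": host,
            "known_suffix": path.endswith(PACKAGE_SUFFIXES),
            "offsite": host != page_host,
            "verdict": "trusted" if host in TRUSTED_PACKAGE_HOSTS else "suspicious",
        })
    return findings


# Constructed pages: an internal vendor page and a spoofed "Zoom download" page.
SAMPLE_PAGES = {
    "packages.corp.example":
        '<a href="ms-appinstaller:?source=https://packages.corp.example/apps/Expense.msixbundle">Install</a>',
    "zoom-dl.example": (
        '<a href="ms-appinstaller:?source=https://cdn.zoom-dl.example/ZoomInstaller.msix">Download Zoom</a>'
        '<a href="MS-APPINSTALLER:?source=https%3A%2F%2Fcdn.zoom-dl.example%2FZoom.appinstaller">Mirror</a>'
        '<a href="ms-appinstaller:?src=https://cdn.zoom-dl.example/x.msix">Broken</a>'
    ),
}


def triage_all(pages=SAMPLE_PAGES):
    """Triage every sample page; returns {page_host: findings}."""
    return {host: triage_page(host, html) for host, html in pages.items()}


if __name__ == "__main__":
    for host, findings in triage_all().items():
        for f in findings:
            print(host, f["verdict"], f.get("package_url", f["link"]))
```

The same extraction works over proxy logs or crawled HTML. The verdict keys on an allowlist rather than on a page/package host mismatch alone, because a spoofed landing page can just as easily serve the package from its own domain; the offsite flag is kept as a secondary signal only.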
Widespread exploitation of Microsoft App Installer
Attackers have recently begun abusing the ms-appinstaller URI scheme by luring users to spoofed web pages for popular software and delivering malware packaged as MSIX in place of the expected installer. According to Microsoft, the technique was adopted by multiple groups, with a spike in attacks between November and December 2023.
In early December, an access broker tracked by Microsoft as Storm-0569 ran a search engine optimization poisoning campaign that used this technique to distribute BATLOADER. The group seeded search results with links to web pages disguised as the official websites of legitimate software such as Zoom, Tableau, TeamViewer, and AnyDesk.
“Users searching for legitimate software applications on Bing or Google may be presented with a landing page that impersonates the original software provider’s landing page and contains a link to a malicious installer via the ms-appinstaller protocol,” Microsoft said. “Impersonation and spoofing of popular legitimate software is a common social engineering tactic.”
Clicking the malicious link presents the user with an App Installer window and an Install button. Clicking that button installs a malicious MSIX package containing additional PowerShell and batch scripts that deploy BATLOADER. This loader is then used to deploy further implants such as Cobalt Strike Beacon, the Rclone data exfiltration tool, and Black Basta ransomware.
Another access broker, tracked as Storm-1113 and also specializing in malware distribution through search ads, used the same technique in mid-November 2023 with fake Zoom downloads to deploy a malware loader called EugenLoader. Because the group offers malware deployment as a service, EugenLoader has been used to deliver a variety of implants, including Gozi, RedLine stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer. Another group, tracked as Sangria Tempest (also known as FIN7), used EugenLoader in November to drop the Carbanak malware framework and deploy Gracewire implants.
“In other cases, Sangria Tempest uses Google ads to lure users into downloading malicious MSIX application packages, likely relying on Storm-1113 infrastructure and highly obfuscated PowerShell scripts, leading to the delivery of POWERTRASH,” Microsoft researchers said.
Yet another group, tracked by Microsoft as Storm-1674, abused the ms-appinstaller protocol handler to deploy SectopRAT or DarkGate using Storm-1113’s infrastructure and services. Unlike the others, this group distributed links to spoofed landing pages through Teams messages. The landing pages impersonated Microsoft services such as OneDrive and SharePoint and prompted users to download Adobe Acrobat Reader or other tools in order to open files purportedly hosted there.
All malicious MSIX files distributed through such websites are digitally signed so that installation proceeds without security warnings. By disabling the ms-appinstaller protocol handler by default, Microsoft forces such files to be downloaded to disk before they can be executed, which gives browser download protections and endpoint security products a chance to scan and flag them.
Although this prevents MSIX files from being installed directly from a web page, such files can still be downloaded and installed locally, so businesses that use this packaging format for deployment are largely unaffected. Organizations that require the protocol handler can re-enable it by setting the Group Policy EnableMSAppInstallerProtocol to Enabled; doing so also restores the exposure described above, so it should be limited to environments that actually need it.