Microsoft on Thursday said it had disabled a feature intended to streamline app installation after discovering that financially motivated hacking groups were using the feature to distribute malware.
This feature, the ms-appinstaller protocol, essentially lets users skip a step or two when adding Windows apps to their devices. Microsoft Threat Intelligence said in a blog post that it found the feature also gives cybercriminals a way to install loader malware.
“Threat actors may have chosen the ms-appinstaller protocol handler vector to leverage mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and browsers’ built-in warnings for downloading executable file formats,” Microsoft said.
Disabling the protocol prevents Windows apps from being installed directly from the server to your device. Instead, users must first download the software package and then run the app installer.
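As an added illustration (not code from Microsoft's post or this article), a small defensive scanner that flags the two delivery paths described above in captured page or proxy-log text: ms-appinstaller: links, whose source parameter names the package the handler would fetch and install, and direct downloads of MSIX package files. The hostnames and log lines below are constructed.

```python
"""Flag ms-appinstaller protocol links and direct MSIX package downloads in text."""
import re
from urllib.parse import parse_qs, urlparse

# The protocol handler is invoked through URIs of the form
# ms-appinstaller:?source=<package URL>; "source" names the package to install.
APPINSTALLER_RE = re.compile(r"""ms-appinstaller:\?[^\s"'<>]+""", re.IGNORECASE)
PLAIN_URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
# Package formats that App Installer handles when downloaded and run directly.
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")


def find_suspicious_links(text):
    """Return (kind, url, host) findings for each risky link found in text."""
    findings = []
    # Protocol-handler links: pull the real package URL out of the query string.
    for match in APPINSTALLER_RE.finditer(text):
        params = parse_qs(match.group(0).split("?", 1)[1])
        source = params.get("source", [""])[0]
        findings.append(("ms-appinstaller", source, urlparse(source).hostname or ""))
    # Remove the handler links so their embedded URLs are not reported twice,
    # then look for direct package downloads by file extension.
    remaining = APPINSTALLER_RE.sub(" ", text)
    for match in PLAIN_URL_RE.finditer(remaining):
        url = match.group(0)
        parsed = urlparse(url)
        if parsed.path.lower().endswith(PACKAGE_EXTS):
            findings.append(("direct-package", url, parsed.hostname or ""))
    return findings


# Constructed sample: a fragment of a fake download page plus two proxy log lines.
SAMPLE = """
<a href="ms-appinstaller:?source=https://cdn.example.invalid/Installer.msix">Install now</a>
2023-12-28T10:02:11Z user1 GET https://files.example.invalid/Setup.msixbundle 200
2023-12-28T10:03:40Z user2 GET https://docs.example.com/guide.pdf 200
"""

if __name__ == "__main__":
    for kind, url, host in find_suspicious_links(SAMPLE):
        print(f"{kind:16} host={host:24} url={url}")
```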
Microsoft has attributed this activity to groups it tracks as Storm-0569, Storm-1113, Storm-1674, and Sangria Tempest. The “Storm” label refers to a group whose origins are unknown to the company. Sangria Tempest, a long-running cybercrime group, is also tracked by cybersecurity researchers as FIN7 and has been associated with ransomware groups such as Clop.
According to Microsoft, these groups “impersonate legitimate applications to trick users into installing malicious MSIX packages, evading detection of initial installation files.” The activity was revealed in April and December.
Cybercriminals aimed to install loader malware that enables further infections, including popular data-stealing tools such as IcedID and ransomware such as Black Basta.
Here is the company’s overview of each Storm group’s activities:
- Storm-0569 is an “access broker focused on downloading post-compromise payloads such as BATLOADER through malvertising and phishing emails containing malicious links to download sites.”
- Storm-1113 is a “threat actor that acts both as an access broker focused on malware distribution through search ads and as an ‘as-a-service’ entity that provides malicious installers and landing page frameworks.”
- Storm-1674 is an “access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware.”
Meanwhile, Sangria Tempest was spotted dropping Carbanak, a “backdoor used by attackers since 2014 to deliver Gracewire malware implants.” Microsoft previously reported on this group in May.
Joe Warminsky is the news editor at Recorded Future News. He has over 25 years of experience as an editor and writer in the Washington, DC area. Most recently, he served as a leader at CyberScoop for over five years. Previously, he served as digital editor at NPR affiliate WAMU 88.5 in Washington, where he spent more than a decade editing Congressional coverage for CQ Roll Call.