In response to the growing threat of malware attacks, Microsoft has moved quickly to disable the much-abused ms-appinstaller protocol handler. The decision is part of Microsoft's effort to use its cyber threat intelligence tools to counter the exploitation of this protocol by multiple threat actors distributing malware, with ransomware seen as a significant risk.
Revealing the threat
The Microsoft Threat Intelligence team, leveraging its cyber threat intelligence tools, discovered the ms-appinstaller protocol handler being exploited as an access vector for malware distribution. As a result, the company decided to disable the protocol handler by default, aiming to protect users from the malicious activity associated with it.
Malware kit for sale
Compounding the threat, cybercriminals are actively selling a malware kit as a service that leverages the MSIX file format and the ms-appinstaller protocol handler. To address this emerging threat, Microsoft implemented changes in App Installer version 1.21.3421.0 and higher, a testament to the value of effective threat intelligence sources.
Attack method
The attacks orchestrated by at least four financially motivated hacking groups involve the deployment of signed malicious MSIX application packages. Scammers deceptively distribute these packages through trusted channels like Microsoft Teams. They also disguise them as advertisements for legitimate software on search engines like Google.
Various threat actors in action
Several hacking groups have been identified exploiting the App Installer service since mid-November 2023. Each employs different tactics, which highlights the need for robust sources of threat intelligence:
- Storm-0569: Uses SEO poisoning with spoofed sites to spread BATLOADER, which then deploys Cobalt Strike and Black Basta ransomware.
- Storm-1113: Distributes EugenLoader disguised as Zoom; it serves as an entry point for various information-stealing malware and remote access Trojans.
- Sangria Tempest (also tracked as Carbon Spider and FIN7): Leverages Storm-1113's EugenLoader to drop Carbanak and distributes POWERTRASH via Google ads.
- Storm-1674: Sends fake landing pages via Teams messages and encourages users to download malicious MSIX installers that contain SectopRAT or DarkGate payloads.
Microsoft: persistent threats and past actions
This is not the first time that Microsoft has disabled the MSIX ms-appinstaller protocol handler. In February 2022, the company took a similar step to thwart the delivery of Emotet, TrickBot, and BazaLoader. The protocol's appeal to threat actors lies in its ability to bypass security mechanisms, which is exactly what makes it a significant challenge to user security.
As Microsoft points to its past actions and remains vigilant in the fight against evolving cybersecurity threats, it urges users to stay informed and follow best practices to improve their digital security: apply updates regularly, be careful with downloads, and keep up with emerging threats in the ever-changing landscape of online security, all of which underlines the importance of cyber threat intelligence tools.
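As an added example (not part of the article or of Microsoft's own tooling), the following PowerShell check reports whether a Windows host has reached the App Installer build named above (1.21.3421.0) and whether the ms-appinstaller protocol has additionally been switched off by policy. The policy registry path and the value name EnableMSAppInstallerProtocol are assumed from Microsoft's App Installer Group Policy documentation and should be verified before relying on them.

```powershell
# Added example: verify the App Installer build and the ms-appinstaller policy state.
# The version threshold comes from the article; the policy key is an assumption.

$FixedVersion = [version]'1.21.3421.0'

function Get-AppInstallerStatus {
    # Newest installed App Installer package for the current user (use -AllUsers
    # from an elevated shell to cover every profile on the machine).
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }
    $hasFix = ($null -ne $installed) -and ($installed -ge $FixedVersion)

    # Assumed policy location: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller,
    # DWORD EnableMSAppInstallerProtocol (0 = protocol disabled by policy).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $policy = (Get-ItemProperty -Path $policyPath -Name 'EnableMSAppInstallerProtocol' `
               -ErrorAction SilentlyContinue).EnableMSAppInstallerProtocol
    $policyState = if ($null -eq $policy) { 'NotConfigured' }
                   elseif ($policy -eq 0) { 'Disabled' }
                   else { 'Enabled' }

    # The handler is effectively off when the fixed build disables it by default
    # or when policy explicitly turns it off; an older build with no policy is exposed.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        InstalledVersion  = $installed
        HasFixedVersion   = $hasFix
        ProtocolPolicy    = $policyState
        ProtocolLikelyOff = $hasFix -or ($policy -eq 0)
    }
}

Get-AppInstallerStatus | Format-List
```

Run across a fleet (for example via Invoke-Command), hosts reporting ProtocolLikelyOff = False are the ones still exposed to the MSIX delivery chain described above.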