Microsoft disables 'App Installer' used by hackers to spread malware

New Delhi, Dec 31 (IANS): Microsoft has disabled its ms-appinstaller URI scheme (App Installer) after observing that threat actors are using it to distribute malware.

According to a blog from Microsoft Threat Intelligence, the tech giant has been observing threat actors since mid-November 2023.

"Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware," Microsoft said.

"In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default," it added.

According to the tech giant, the observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution.

It also observed that multiple cybercriminals are selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler.

"These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674," the company stated.

According to Microsoft, hackers have likely chosen the ms-appinstaller protocol handler vector because "it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats".

In mid-November of this year, Microsoft Threat Intelligence discovered many cyber gangs employing App Installer as a conduit for ransomware operations.

As mentioned in the report, the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.



Top Stories

Leave a Comment

Title: Microsoft disables 'App Installer' used by hackers to spread malware

You have 2000 characters left.


Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will be held responsible.