Application developers who rely on Windows' App Installer feature to distribute software over the web will need to look elsewhere, now that Microsoft has disabled the protocol handler behind it in response to abuse by threat actors.
Microsoft on Thursday disabled the ms-appinstaller protocol handler because, over the past two months, at least four threat groups have used it to distribute malware.
This is the second time in two years that Microsoft has blocked this protocol due to abuse.
The protocol lets developers publish links that begin with the ms-appinstaller: scheme (typically ms-appinstaller:?source=<package URL>) rather than the familiar http:// or https://. Opening such a link hands the download and installation to Microsoft's App Installer instead of the browser.
Beyond the threat groups abusing the protocol directly, several cybercriminals are selling malware kits as a service that abuse the MSIX file format. These attackers lure victims to websites through malicious advertisements for legitimate, popular software and use those sites to distribute signed malicious MSIX application packages.
"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloading executable file formats," Microsoft said.
In one example, a criminal group spreads malware by targeting people who use a search engine to find legitimate software such as Zoom, Tableau, TeamViewer and AnyDesk. Victims who click a link in the search results are taken to a landing page that impersonates the software vendor's own site. That page contains an ms-appinstaller link to a malicious installer. The victim then sees a pop-up box reading something like "Do you want to install Zoom?" with an "Install" button. It is a scam: the box lists the app's publisher as "Legion LLC" rather than Zoom.
Another gang distributes a fake version of Adobe Acrobat Reader. First the victim sees a message saying their computer needs an update, then a pop-up box asks "Do you want to install Adobe Protected PDF Viewer?" Again, one sign that this is a scam is that the publisher is an unknown company rather than Adobe.
Information security leaders should warn employees about the risks of downloading and installing applications without authorization. Users should also be taught to check the browser's address bar after clicking a search result, to confirm they have landed on the legitimate domain they expected, and to confirm that the publisher named in the install prompt is the vendor they expected.
Making the authentication process phishing-resistant also helps.
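As an added example (not from the article and not Microsoft's code), here is a small Python triage script for the domain check above, applied to the link format described earlier in the piece: it pulls any ms-appinstaller: link out of a captured landing page, extracts the package URL behind its source parameter, and flags the page when either the landing-page host or the package host is not one the claimed vendor is known to use, or when the package is not fetched over HTTPS. The vendor host allowlist, the sample pages and the .example hostnames are constructed assumptions; the link shape follows App Installer's documented ms-appinstaller:?source= form.

```python
"""Triage ms-appinstaller: links found in captured landing-page HTML.

Added example, not from the article or from Microsoft. It assumes a
content-inspecting proxy or sandbox hands us a page URL plus its HTML.
The link shape ms-appinstaller:?source=<package URL> follows App Installer's
documented format; the vendor allowlist and the sample pages below are
constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matches the whole ms-appinstaller: link inside an href or in plain text.
LINK_RE = re.compile(r'ms-appinstaller:[^\s"\'<>]+', re.IGNORECASE)

# Constructed allowlist: hosts from which we expect each vendor's packages
# (and on which the vendor's own download pages live).
EXPECTED_VENDOR_HOSTS = {
    "zoom": {"zoom.us", "cdn.zoom.us"},
    "anydesk": {"anydesk.com", "download.anydesk.com"},
}


def parse_source(link):
    """Return the package URL behind an ms-appinstaller: link, or None."""
    scheme, sep, rest = link.partition(":")
    if not sep or scheme.lower() != "ms-appinstaller":
        return None
    # Tolerate the ms-appinstaller://?source=... spelling seen in the wild.
    rest = rest.lstrip("/").lstrip("?")
    return parse_qs(rest).get("source", [None])[0]


def triage_page(page_url, html, claimed_vendor):
    """Classify every ms-appinstaller: link on a page that claims to offer
    claimed_vendor's software. A link is 'expected' only when both the landing
    page and the package come from that vendor's known hosts over https."""
    expected = EXPECTED_VENDOR_HOSTS.get(claimed_vendor, set())
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for link in LINK_RE.findall(html):
        source = parse_source(link)
        if source is None:
            findings.append({"link": link, "verdict": "malformed", "reasons": []})
            continue
        src = urlsplit(source)
        src_host = (src.hostname or "").lower()
        reasons = []
        if src.scheme.lower() != "https":
            reasons.append("package not served over https")
        if src_host not in expected:
            reasons.append(f"package host {src_host!r} is not a known {claimed_vendor} host")
        if page_host not in expected:
            reasons.append(f"landing page {page_host!r} is not the vendor's site")
        findings.append({
            "link": link,
            "source": source,
            "verdict": "suspicious" if reasons else "expected",
            "reasons": reasons,
        })
    return findings


# Constructed samples: a lookalike landing page reached from a search ad, and
# a page on the vendor's own domain (.example is a reserved TLD).
SAMPLE_PAGES = [
    ("zoom", "https://zoom-download-center.example/",
     '<a href="ms-appinstaller:?source=https://cdn-zoom-update.example/Zoom.msix">'
     "Install Zoom</a>"),
    ("zoom", "https://zoom.us/download",
     '<a href="ms-appinstaller:?source=https://cdn.zoom.us/Zoom.msix">Install</a>'),
]


def run_samples():
    """Triage the constructed samples; returns {page_url: [findings]}."""
    return {url: triage_page(url, html, vendor) for vendor, url, html in SAMPLE_PAGES}


if __name__ == "__main__":
    for url, findings in run_samples().items():
        for f in findings:
            print(url, f["verdict"], f.get("source"), "; ".join(f["reasons"]))
```

The publisher name shown in the App Installer prompt comes from the package's signing certificate rather than from the page, so it cannot be checked from the HTML alone; treat an unfamiliar publisher in the install prompt as the second signal alongside a host mismatch.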
Threat actors using this tactic include Storm-0569, Storm-1113, Sangria Tempest and Storm-1674.