Social News XYZ     

Microsoft disables ‘App Installer’ used by hackers to spread malware

Microsoft disables 'App Installer' used by hackers to spread malware

New Delhi, Dec 31 (SocialNews.XYZ) Microsoft has disabled its ms-appinstaller URI scheme (App Installer) after observing that threat actors are using it to distribute malware.

According to a blog from Microsoft Threat Intelligence, the tech giant has been observing threat actors since mid-November 2023.

 

"Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware," Microsoft said.

"In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default," it added.

According to the tech giant, the observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution.

It also observed that multiple cybercriminals are selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler.

"These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674," the company stated.

According to Microsoft, hackers have likely chosen the ms-appinstaller protocol handler vector because "it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats".

In mid-November of this year, Microsoft Threat Intelligence discovered many cyber gangs employing App Installer as a conduit for ransomware operations.

As mentioned in the report, the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.

Source: IANS

Facebook Comments
Microsoft disables 'App Installer' used by hackers to spread malware

About Gopi

Gopi Adusumilli is a Programmer. He is the editor of SocialNews.XYZ and President of AGK Fire Inc.

He enjoys designing websites, developing mobile applications and publishing news articles on current events from various authenticated news sources.

When it comes to writing he likes to write about current world politics and Indian Movies. His future plans include developing SocialNews.XYZ into a News website that has no bias or judgment towards any.

He can be reached at gopi@socialnews.xyz