Application developers relying on Windows’ App Installer feature for distributing software over the web will have to find another vehicle, after Microsoft disabled a key protocol because it is being abused by threat actors.
Microsoft said Thursday it has disabled the ms-appinstaller protocol handler by default because at least four groups have been using it in the past two months to distribute malware.
It’s the second time in two years that Microsoft has blocked this protocol because of abuse.
The protocol allows developers to send links that start with ms-appinstaller:// rather than the more familiar http:// or https:// to trigger Microsoft’s App Installer system that orchestrates a download process.
Not only are threat groups abusing the protocol, multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software.
“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft says.
In one example of abuse, a gang is spreading malware by fooling people using search engines to find legitimate software such Zoom, Tableau, TeamViewer, and AnyDesk. Victims who click on links to these sites after doing a search go to a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol. The victim sees a popup box that says, for example, “Install Zoom?”. The box includes an “Install” button. One tip this is a scam: The box says the app publisher is “Legion LLC” instead of Zoom Communications.
Another gang is distributing so-called versions of Adobe Acrobat Reader. It first serves a message that the victim’s computer needs an update. A popup box says “Install Adobe Protected PDF Viewer?” Again, one sign this is a fraud is the Publisher is an unknown company instead of Adobe.
Infosec leaders should warn employees about the risks of downloading and installing applications without approval. Users should also be educated to use the browser URL navigator to validate that, upon clicking a link in search results, they have arrived at an expected legitimate domain. They should also be told to verify that the software that is being installed is expected to be published by a legitimate publisher.
It also helps to have phishing-resistant authentication processes.
The threat actors using this tactic are Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.
