Microsoft disables one of its own software tools following multiple malware attacks

News
By published

ms-appinstaller protocol handler is being disabled by Microsoft once again

Cyberattack
(Image credit: Pixabay)

Microsoft has disabled the ms-appinstaller protocol handler as default after it found new evidence of hackers using it to deploy malware

"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," Microsoft said in a new security advisory

Furthermore, the Redmond giant saw hackers selling malware kits on the dark web, which use the MSIX file format and the ms-appinstaller protocol handler.

Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

View Deal

Four threat actors

Apparently, the threat actors are creating malicious fake ads for legitimate and popular software, to redirect the victims to websites under their control. There, they trick them into downloading malware. A second distribution vector is phishing through Microsoft Teams, the company said.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” the advisory reads.

Since mid-November this year, at least four threat actors abused the App Installer service, Microsoft further explained, with those being Storm-0569, Storm-1113, Sangria Tempest (AKA FIN7), and Storm-1674. The former is an access broker that usually hands off the access to Storm-0506, which then deploys the Black Basta ransomware. FIN7, which researchers also observed impersonating banking software earlier this week, used the App Installer service to drop Gracewire, while Storm-1674 masquerades as Microsoft OneDrive and SharePoint through Teams messages. 

The handler is disabled in the App Installer version 1.21.3421.0 or higher.

This is not the first time MSIX Windows app package files were abused in malware distribution, TheHackerNews says. In October 2023, Elastic Security Labs found such files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex being used to distribute a malware loader dubbed GHOSTPULSE. What’s more, Microsoft disabled the handler once before, in February last year. 

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Magnifying glass enlarging the word 'malware' in computer machine code
Microsoft Teams and AnyDesk abused to deploy dangerous malware, so be on your guard
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Representational image of a cybercriminal
Microsoft discovers five potentially damaging attacks against its own software
Phone scammer
Microsoft thinks it could stop this dangerous scam forever
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Microsoft reveals over a million PCs hit by malvertising campaign
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
Latest in Security
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data and leak Stripe keys
Latest in News
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A smartphone on a sofa showing the WhatsApp, Telegram and Signal apps
Forget AI – WhatsApp is planning a simple messages feature that could be its most useful upgrade in years
NordicTrack Ultra 1
The new NordicTrack Ultra 1 treadmill looks like it was designed by an architect and costs $15,000
An Nvidia GeForce RTX 5070
Nvidia RTX 5080 stock is so barren that retailers are holding competitions where you can "win" the right to buy one for MSRP
Assassin's Creed Shadows
Ubisoft shareholder accuses publisher of 'misleading investors', plans protest outside Paris HQ
Google Gemini AI logo on a smartphone with Google background
I made an AI version of Bilbo Baggins using Goggle Gemini for free, and shared a pipe with him outside Bag End – here’s what you can now do with Gems
More about security
Ransomware

Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone

Biometrics add another layer of security to passwordless authentication
Global Special Forces server

AI server designed for Chinese military use wins major global design award in Europe
See more latest
Most Popular
Global Special Forces server
AI server designed for Chinese military use wins major global design award in Europe
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
A smartphone on a sofa showing the WhatsApp, Telegram and Signal apps
Forget AI – WhatsApp is planning a simple messages feature that could be its most useful upgrade in years
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
An Nvidia GeForce RTX 5070
Nvidia RTX 5080 stock is so barren that retailers are holding competitions where you can "win" the right to buy one for MSRP
Assassin's Creed Shadows
Ubisoft shareholder accuses publisher of 'misleading investors', plans protest outside Paris HQ
Gemini 2.0
Gemini Deep Research just got even smarter and it’s now free for everyone to try - here's why you should give it a go
Google Gemini AI logo on a smartphone with Google background
I made an AI version of Bilbo Baggins using Goggle Gemini for free, and shared a pipe with him outside Bag End – here’s what you can now do with Gems
Google Gemini with Search history access. Image says "Get help from AI that gets you"
Google just gave Gemini a superpower by allowing it to access your Search history - here's why I'm excited and also a little terrified