
Microsoft Disables MSIX App Installer Protocol (Widely Used in Malware Attacks)

Microsoft on Thursday said it's once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.

"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said.

It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and the ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher.

The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.

At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity:

  • Storm-0569, an initial access broker which propagates through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and hand off the access to Storm-0506 for Black Basta ransomware deployment.
  • Storm-1113, an initial access broker that uses bogus MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for a variety of stealer malware and remote access trojans.
  • Sangria Tempest (aka Carbon Spider and FIN7), which uses Storm-1113's EugenLoader to drop a payload that, in turn, delivers an implant called Gracewire. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from rogue landing pages to distribute a loader, which is then used to load NetSupport RAT and Gracewire.
  • Storm-1674, an initial access broker that sends fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages sent with a phishing tool, urging recipients to open PDF files that, when clicked, prompt them to update their Adobe Acrobat Reader to download a malicious MSIX installer that contains SectopRAT or other payloads.

Microsoft described Storm-1113 as an entity that also dabbles in "as-a-service," providing malicious installers and landing page frameworks mimicking well-known software to other threat actors such as Sangria Tempest and Storm-1674.

In October 2023, Elastic Security Labs detailed another campaign in which spurious MSIX Windows app package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader dubbed GHOSTPULSE.

This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader.

"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," Microsoft said.
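
The article's point about the vector is that the browser hands an ms-appinstaller: URI straight to App Installer, so SmartScreen and the download warnings never get a look at the package. One place a defender can still see that hand-off is proxy or URL telemetry. The following is an added example, not code from the article, from Microsoft, or from this forum: it scans constructed proxy-style log lines for ms-appinstaller: URIs, pulls the package URL out of the source parameter, and flags packages served from hosts outside an assumed allowlist, especially packages named after the brands the article lists as spoofed. The log format, the allowlist and every hostname in it are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed proxy-style log lines (timestamp, user, requested URL); not real telemetry.
SAMPLE_LOG = """\
2023-12-28T10:01:02Z alice https://zoom.us/download
2023-12-28T10:02:15Z bob ms-appinstaller:?source=https://zoom-downloads.example/ZoomInstaller.msix
2023-12-28T10:03:40Z carol ms-appinstaller:?source=https://cdn.example/AdobeReaderUpdate.msixbundle
2023-12-28T10:04:01Z dave https://www.teamviewer.com/en/download/
2023-12-28T10:05:11Z erin ms-appinstaller:?source=https://apps.example.com/internal-tool.msix
"""

# Hosts the organisation has approved as App Installer package sources (constructed allowlist).
APPROVED_SOURCES = {"apps.example.com"}

# Brands the article reports being spoofed; a package named after one of them
# but served from an unapproved host is the pattern worth an analyst's attention.
SPOOFED_BRANDS = ("zoom", "tableau", "teamviewer", "anydesk", "onedrive", "sharepoint", "adobe")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")


def package_source(url):
    """Return the package URL carried in an ms-appinstaller: URI, or None for any other URL."""
    if not url.lower().startswith("ms-appinstaller:"):
        return None
    query = url.split("?", 1)[1] if "?" in url else ""
    sources = parse_qs(query).get("source")  # parse_qs already percent-decodes the value
    return sources[0] if sources else None


def classify(url):
    """Describe an ms-appinstaller: request and list why it is suspicious (empty list = nothing flagged)."""
    source = package_source(url)
    if source is None:
        return None
    parsed = urlparse(source)
    host = (parsed.hostname or "").lower()
    package = parsed.path.rsplit("/", 1)[-1].lower()
    findings = []
    if host not in APPROVED_SOURCES:
        findings.append("package source host is not on the approved list")
        if any(brand in package for brand in SPOOFED_BRANDS):
            findings.append("package name borrows a commonly spoofed brand")
    return {"host": host, "package": package, "findings": findings}


def scan(log_text):
    """Run classify() over every log line and return only the flagged requests."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        result = classify(match["url"])
        if result and result["findings"]:
            hits.append({"time": match["ts"], "user": match["user"], **result})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["host"], hit["package"], "|", "; ".join(hit["findings"]))
```

The approved-source set is the part to adapt. In an environment that does not deploy software through App Installer at all, any ms-appinstaller: request is worth a ticket, and the durable fix is the one the article describes: the handler disabled by default from App Installer version 1.21.3421.0 onward.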

Twistty
I have heard of the MSIX file format, but I don't think I ever used it?
Has anyone used it? :shake:
(And if so, for what?)
Elzer
An MSIX file is a Zip-compressed package used to distribute and install applications in Windows 10 version 1809 and later. It contains application data files and .XML configuration files required to install the application. The MSIX file format is based on the .MSI, .APPX, ClickOnce, and App-V installation technologies. Microsoft Visual Studio, the MSIX packaging tool, and Caphyon Advanced Installer can create MSIX packages. If you want to view the contents of the MSIX file instead of installing the packaged application, you can extract the contents using a Zip decompression utility such as WinZip or WinRAR. To extract the contents, change the .msix file extension to .zip and then extract the files using a file decompression program. Be sure to change the .zip extension back to .msix before installing the application.
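
The post above describes unpacking an MSIX as a zip to look inside it rather than installing it. That is exactly what an analyst wants to do with a package that arrived the way the article describes, and it can be scripted. The following is an added example, not code from the post's author or from Microsoft: it builds a constructed stand-in package in memory (invented identity and file names, and placeholder bytes where the signature would be), then reads the AppxManifest.xml to report the declared identity, the executables the package will run, whether it asks for full trust, and whether an AppxSignature.p7x file is present at all. The manifest namespace, element names and signature file name are those of the real MSIX format; the package contents are assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespace used by the MSIX/APPX package manifest (AppxManifest.xml).
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# Constructed manifest for the stand-in package; identity, publisher and file names are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="ExampleCorp.ZoomUpdate" Publisher="CN=Example Publisher, O=Example Corp, C=US" Version="1.0.0.0" />
  <Applications>
    <Application Id="App" Executable="ZoomUpdate.exe" EntryPoint="Windows.FullTrustApplication" />
  </Applications>
</Package>
"""


def build_sample_msix(signed=False):
    """Build an in-memory zip shaped like an MSIX package (the .p7x here is placeholder bytes, not a real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", SAMPLE_MANIFEST)
        z.writestr("ZoomUpdate.exe", b"MZ" + b"\x00" * 62)  # constructed stub, not a real PE file
        if signed:
            z.writestr("AppxSignature.p7x", b"PKCX" + b"\x00" * 16)
    return buf.getvalue()


def inspect_msix(data):
    """Summarise a package without installing it: identity, declared executables, trust level, signature file."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        manifest = ET.fromstring(z.read("AppxManifest.xml"))
    identity = manifest.find("m:Identity", NS)
    apps = manifest.findall("m:Applications/m:Application", NS)
    return {
        "name": identity.get("Name"),
        "publisher": identity.get("Publisher"),
        "version": identity.get("Version"),
        "executables": [a.get("Executable") for a in apps if a.get("Executable")],
        # Full-trust applications run outside the app container, like a classic Win32 program.
        "full_trust": any(a.get("EntryPoint") == "Windows.FullTrustApplication" for a in apps),
        # Presence of AppxSignature.p7x only says a signature is packaged; validity and the
        # publisher match need a separate check (for example Get-AuthenticodeSignature on Windows).
        "has_signature_file": "AppxSignature.p7x" in names,
        "files": sorted(names),
    }


if __name__ == "__main__":
    for key, value in inspect_msix(build_sample_msix()).items():
        print(f"{key}: {value}")
```

To use it on a real file, pass the bytes of the .msix or .msixbundle (a bundle wraps further .msix files, each with its own manifest) to inspect_msix. The two fields to compare against what the user thought they were installing are the Publisher string and the executable list; the article's packages were signed, so the signature-file check is a triage hint, not a verdict.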
RedDove
:rolleyes: Why am I not surprised by that bit of info.
Apps like that seem to be easily manipulated by underhanded jerks.
Thanks for the info @Twistty :)
:hi:
Erwin0265
I just downloaded a trial version of TouchCopy, an app that allows you to access files on your (?) iPhone, and the downloaded file is "TouchCopy.msix"!
I don't even have an app that will enable me to install the trial (yes, I downloaded it from the publisher's website, initiated by a search for such software by me, i.e. nothing elicited via an email or an online ad, etc.).
I may have to search for another app to do the job. This .msix file format appears to be "half-baked"; but Microsoft would never release an application until it was "ready", would they? (Totally rhetorical, in case my sarcasm didn't dribble through my keyboard)...