Microsoft disables one of its own software tools following multiple malware attacks

Sead Fadilpašić

December 29, 2023 at 9:04 AM·2 min read

Microsoft has disabled the ms-appinstaller protocol handler as default after it found new evidence of hackers using it to deploy malware.

"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," Microsoft said in a new security advisory.

Furthermore, the Redmond giant saw hackers selling malware kits on the dark web, which use the MSIX file format and the ms-appinstaller protocol handler.

Four threat actors

Apparently, the threat actors are creating malicious fake ads for legitimate and popular software, to redirect the victims to websites under their control. There, they trick them into downloading malware. A second distribution vector is phishing through Microsoft Teams, the company said.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” the advisory reads.

Since mid-November this year, at least four threat actors abused the App Installer service, Microsoft further explained, with those being Storm-0569, Storm-1113, Sangria Tempest (AKA FIN7), and Storm-1674. The former is an access broker that usually hands off the access to Storm-0506, which then deploys the Black Basta ransomware. FIN7, which researchers also observed impersonating banking software earlier this week, used the App Installer service to drop Gracewire, while Storm-1674 masquerades as Microsoft OneDrive and SharePoint through Teams messages.

The handler is disabled in the App Installer version 1.21.3421.0 or higher.

This is not the first time MSIX Windows app package files were abused in malware distribution, TheHackerNews says. In October 2023, Elastic Security Labs found such files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex being used to distribute a malware loader dubbed GHOSTPULSE. What’s more, Microsoft disabled the handler once before, in February last year.

More from TechRadar Pro

This dangerous malware pretends to be some of your most-used business software tools, so watch out
Here's a list of the best firewalls today
These are the best endpoint protection services right now

Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick
Yahoo Sports' Charles McDonald breaks down the Broncos' 2024 draft.
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Sports
NFL Draft grades for all 32 teams | Zero Blitz
Jason Fitz and Frank Schwab join forces to recap the draft in the best way they know how: letter grades! Fitz and Frank discuss all 32 teams division by division as they give a snapshot of how fans should be feeling heading into the 2024 season. The duo have key debates on the Dallas Cowboys, New York Giants, New Orleans Saints, Los Angeles Rams, New England Patriots, Las Vegas Raiders and more.
Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.
Yahoo Sports
New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal
It turns out the money was going from Ohtani's bank account to an illegal bookie to ... casinos.
Yahoo Sports
Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns
Ball hasn't played since the 2021-22 season.
Yahoo Sports
Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset
The 150th Kentucky Derby produced yet another magnificent two-minute spectacle.
Yahoo Sports
Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert
The Timberwolves' rising superstar led Minnesota to a Game 1 victory over Denver, then reminded the world that he's 22, not 23 ... yet.
Yahoo Finance
CVS stock plunges after earnings numbers one analyst 'did not even believe'
CVS warns it could cede Medicare Advantage market share as reimbursement rates pressure the company.
Yahoo Sports
The best QBs for 2024 fantasy football according to our analysts
The Yahoo Fantasy football analysts reveal their first quarterback rankings for the 2024 NFL season.
Autoblog
Why did Musk ax the Supercharger team?
Elon Musk’s decision to dismiss much of Tesla’s Supercharger team this week came as a shock. A look at possible reasons why he did it.
Yahoo Sports
Canelo Álvarez and Oscar De La Hoya erupt in heated exchange ahead of title bout with Jaime Munguía
Canelo Álvarez is set to defend his title against undefeated Jaime Munguía on Saturday in Las Vegas.
Yahoo Sports
Diana Taurasi’s trash-talking, in-your-face ways may be a bit of a shock to new WNBA fans
Caitlin Clark fans beware: You never know what the 20-year veteran might say … or do.
Yahoo Sports
Caitlin Clark catches fire from 3 in WNBA preseason debut; Arike Ogunbowale's late heroics send Wings past Fever
Caitlin Clark’s WNBA preseason debut went much like her senior year at Iowa. She hit a bunch of 3s and did so in front of a sold-out crowd.
Yahoo Sports
Ex-Florida State QB and 1999 Fiesta Bowl starter Marcus Outzen dies at 46
The Seminoles lost 23-16 to Tennessee in the first-ever BCS title game.
Yahoo News
2nd Boeing whistleblower found dead. Here's a timeline of the company's mounting problems.
This is the second Boeing whistleblower to die in the last two months.
Yahoo Sports
UFC 301: Alexandre Pantoja survives bloody wounds and bad advice to retain flyweight belt vs. Steve Erceg
A challenger with less than a year of UFC experience gave Pantoja plenty of problems. And wounds.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Microsoft disables one of its own software tools following multiple malware attacks

Four threat actors

More from TechRadar Pro

Recommended Stories

The FDIC change that leaves wealthy bank depositors with less protection

Former NBA guard Darius Morris dies at 33

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

NFL Draft grades for all 32 teams | Zero Blitz

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race

New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal

Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns

Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset

Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert

CVS stock plunges after earnings numbers one analyst 'did not even believe'

The best QBs for 2024 fantasy football according to our analysts

Why did Musk ax the Supercharger team?

Canelo Álvarez and Oscar De La Hoya erupt in heated exchange ahead of title bout with Jaime Munguía

Diana Taurasi’s trash-talking, in-your-face ways may be a bit of a shock to new WNBA fans

Caitlin Clark catches fire from 3 in WNBA preseason debut; Arike Ogunbowale's late heroics send Wings past Fever

Ex-Florida State QB and 1999 Fiesta Bowl starter Marcus Outzen dies at 46

2nd Boeing whistleblower found dead. Here's a timeline of the company's mounting problems.

UFC 301: Alexandre Pantoja survives bloody wounds and bad advice to retain flyweight belt vs. Steve Erceg