Several threat actors, including Sangria Tempest (also tracked as FIN7), Storm-0569, Storm-1674, and Storm-1113, have exploited Microsoft's ms-appinstaller protocol handler, a mechanism meant to speed up Windows app installation, to distribute malware, prompting Microsoft to disable the protocol, reports The Record, a news site by cybersecurity firm Recorded Future.
According to a report from the Microsoft Threat Intelligence team, attacks launched in November and December used malicious MSIX packages spoofing legitimate apps; once installed, these packages deployed loader malware and other payloads, such as Black Basta and IcedID.
Researchers noted that Sangria Tempest used the protocol to deploy the Carbanak malware, while Storm-0569 used the same vector to spread BATLOADER and other post-compromise payloads.
"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," said Microsoft.
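A defender-side check for the handler Microsoft refers to above, added here as an example that is not from the article or from Microsoft's own tooling. It assumes the Group Policy registry location HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller with the DWORD EnableMSAppInstallerProtocol (0 = disabled, 1 = enabled), the HKCR\ms-appinstaller handler registration, and the Microsoft.DesktopAppInstaller Appx package name; writing the policy requires an elevated session.

```powershell
# Added example: audit, and optionally enforce, the policy that disables the
# ms-appinstaller: protocol handler on a Windows endpoint.
# Assumed locations (not taken from the article):
#   policy key  HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
#   policy name EnableMSAppInstallerProtocol (DWORD, 0 = disabled, 1 = enabled)
#   handler key HKCR\ms-appinstaller (present when the URI scheme is registered)
param(
    [switch]$Enforce   # set the policy to "disabled" instead of only reporting
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

function Get-MsAppInstallerProtocolState {
    # Absent value means the App Installer build's own default applies.
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
        -ErrorAction SilentlyContinue).$PolicyName
    switch ($value) {
        0       { 'DisabledByPolicy' }
        1       { 'EnabledByPolicy' }
        default { 'NotConfigured' }
    }
}

function Disable-MsAppInstallerProtocol {
    # Requires administrator rights (writes under HKLM).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

$report = [pscustomobject]@{
    HandlerRegistered   = Test-Path $HandlerKey
    AppInstallerVersion = (Get-AppxPackage -Name Microsoft.DesktopAppInstaller `
        -ErrorAction SilentlyContinue).Version
    PolicyState         = Get-MsAppInstallerProtocolState
}
$report | Format-List

if ($Enforce -and $report.PolicyState -ne 'DisabledByPolicy') {
    Disable-MsAppInstallerProtocol
    "Policy now: $(Get-MsAppInstallerProtocolState)"
}
```

Run without switches on a fleet to inventory which hosts still have the handler registered and no policy set; rerun with -Enforce from an elevated prompt to close the gap before the vendor-side default reaches every machine.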
Malware attacks exploiting app installation protocol prompt deactivation