Microsoft disables app installation protocol abused by hackers

Omega Balla
Microsoft said Thursday that it disabled a feature intended to streamline app installation after it discovered financially motivated hacking groups using it to distribute malware.

The feature, the ms-appinstaller protocol, essentially allowed people to skip a step or two when adding Windows apps to their devices. Cybercriminals figured out that it also provided a way to install loader malware, Microsoft Threat Intelligence said in a blog post.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft said.

Disabling the protocol means that Windows apps won’t install directly from a server onto a device. Instead, users must download the software package first, then run App Installer.
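As an added example (constructed here, not code from the article or from Microsoft): a small Python scanner that picks ms-appinstaller: requests out of proxy log lines, extracts the package URL carried in the `source` parameter, and flags any package host that is not on an assumed organisational allowlist. The log lines, the allowlist and the host names are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample proxy log lines (timestamp, client, method, URL, status).
SAMPLE_LOG = """\
2023-12-14T10:01:02Z 10.0.0.5 GET https://apps.example.com/tools/app.msix 200
2023-12-14T10:02:15Z 10.0.0.7 GET ms-appinstaller:?source=https://cdn-example.net/installer.msix 200
2023-12-14T10:03:44Z 10.0.0.9 GET ms-appinstaller:?source=https://update.example.org/App.appinstaller 200
2023-12-14T10:04:01Z 10.0.0.5 GET https://news.example.com/index.html 200
"""

# Assumed allowlist of hosts the organisation permits to serve MSIX packages.
ALLOWED_HOSTS = {"update.example.org"}

# Matches the protocol-handler URI up to the next whitespace.
MSAPP_RE = re.compile(r"(ms-appinstaller:\?\S+)", re.IGNORECASE)


def extract_source(uri):
    """Return the package URL named by an ms-appinstaller: URI, or None."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() != "ms-appinstaller":
        return None
    # parse_qs percent-decodes the value, so an encoded URL is handled too.
    src = parse_qs(parsed.query).get("source")
    return src[0] if src else None


def scan_log(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_no, package_url, verdict) for each protocol-handler request.

    Packages served from an allowlisted host are marked "allowed-host";
    anything else is marked "review", since the handler skips the download
    warnings a user would otherwise see for an executable package.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = MSAPP_RE.search(line)
        if not match:
            continue
        src = extract_source(match.group(1))
        host = urlparse(src).hostname if src else None
        verdict = "allowed-host" if host in allowed_hosts else "review"
        findings.append((line_no, src, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the second and third lines trigger: the direct .msix download on line one never invokes the protocol handler, so it is left to the usual download warnings and is not reported here.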

Microsoft attributed the activity to groups it tracks as Storm-0569, Storm-1113, Storm-1674 and Sangria Tempest. The “Storm” label refers to a group with origins unknown to the company. Sangria Tempest, a long-running cybercrime group, is also tracked as FIN7 by cybersecurity researchers and has been tied to ransomware groups such as Clop.

The groups were found in November and December to be “spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files,” Microsoft said.

The cybercriminals aimed to install loader malware that allowed for further infections, including common data exfiltration tools like IcedID or ransomware like Black Basta.

The company’s summaries of each Storm group’s activity:

Storm-0569 “is an access broker that focuses on downloading post-compromise payloads, such as BATLOADER, through malvertising and phishing emails containing malicious links to download sites.”
Storm-1113 “is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks.”
Storm-1674 “is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware.”

Sangria Tempest, meanwhile, was spotted dropping Carbanak, “a backdoor used by the actor since 2014, that in turn delivers the Gracewire malware implant.” Microsoft previously reported on the group in May.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.