
Microsoft Disables Abused App Installer Protocol Handler Targeted by Hackers

Microsoft Threat Intelligence has found that App Installer is being used by several threat actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, as an entry point for malware that leads to human-operated ransomware.

Threat actors, including financially motivated groups, have been observed using the ms-appinstaller URI scheme (App Installer) to distribute malware. In response, Microsoft has disabled the ms-appinstaller protocol handler by default.

The Microsoft Threat Intelligence team said, “The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as a way for malware to get in, which could lead to the distribution of ransomware.”


Threat actors likely chose the ms-appinstaller protocol handler as a vector because it bypasses protections such as Microsoft Defender SmartScreen and the built-in browser warnings for downloads of executable file types, which are designed to protect users from malware. When the browser hands an ms-appinstaller: link to App Installer, the package is fetched and installed by App Installer itself rather than saved as a file through the browser's download path, so the download-time warnings never get a chance to fire.


Observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages that pose as legitimate applications, and evading detection on the initial installation files.

Microsoft observed Storm-0569 distributing BATLOADER through search engine optimization (SEO) poisoning, using sites that impersonate the legitimate download pages of AnyDesk, Zoom, Tableau, and TeamViewer.

When a user searches Bing or Google for a legitimate software product, they may be served links to malicious downloads that use the ms-appinstaller protocol, hosted on a landing page that spoofs the genuine software provider. Spoofing well-known, legitimate software is a common lure for financially motivated actors.
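A triage pass over the kind of lure described above, as an added example that is not code from this article or from Microsoft: it scans constructed page snippets and proxy log lines for ms-appinstaller: links and for direct fetches of package files, extracts the host the package would really be pulled from, and flags a brand mismatch (a file named after AnyDesk, Zoom, Tableau or TeamViewer served from a host that is not that vendor's domain). The sample lines, the `.invalid` hosts and the vendor-domain table are constructed assumptions for illustration; only the `ms-appinstaller:?source=<package URL>` URI shape is documented behaviour.

```powershell
# Added example, not from the original article or from Microsoft.
# Documented URI shape: ms-appinstaller:?source=<URL of a .msix/.msixbundle/.appinstaller file>
# Sample lines and hosts are constructed for illustration (".invalid" TLD); they are not real indicators.

$SampleLines = @(
    '<a class="btn" href="ms-appinstaller:?source=https://dl.anydesk-download.invalid/AnyDesk.msix">Download AnyDesk</a>',
    '<a href="https://zoom.us/download">Download Zoom</a>',
    '2023-12-11T10:02:13Z 10.0.0.5 GET https://cdn.tv-setup.invalid/TeamViewer_Setup.appinstaller 200',
    '<a href="ms-appinstaller:?source=https://zoom.us/client/latest/Zoom.msix">Zoom</a>',
    '<a href="ms-appinstaller:?source=https%3A%2F%2Ftableau-installer.invalid%2FTableauSetup.msixbundle">Get Tableau</a>'
)

# Brands the article says were spoofed, mapped to the vendor domains that would legitimately host them (assumption).
$VendorDomains = @{
    anydesk    = 'anydesk.com'
    zoom       = 'zoom.us'
    tableau    = 'tableau.com'
    teamviewer = 'teamviewer.com'
}

function New-LureRecord {
    param([string]$Kind, [string]$Source, [string]$Line)
    $uri = $null
    $parsed  = [System.Uri]::TryCreate($Source, [System.UriKind]::Absolute, [ref]$uri)
    $srcHost = if ($parsed) { $uri.Host.ToLowerInvariant() } else { '' }
    $file    = if ($parsed) { [System.IO.Path]::GetFileName($uri.AbsolutePath) } else { $Source }
    # Which brand does the file name claim, and is the host actually that vendor's domain?
    $brand = $VendorDomains.Keys | Where-Object { $file.ToLowerInvariant().Contains($_) } | Select-Object -First 1
    $onVendorDomain = $brand -and ($srcHost -eq $VendorDomains[$brand] -or $srcHost.EndsWith('.' + $VendorDomains[$brand]))
    [pscustomobject]@{
        Kind         = $Kind
        Source       = $Source
        Host         = $srcHost
        Package      = $file
        ClaimedBrand = $(if ($brand) { $brand } else { '-' })
        Suspicious   = [bool]($brand -and -not $onVendorDomain)
    }
}

function Get-MsAppInstallerLure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    process {
        foreach ($l in $Line) {
            # Handler invocation: the source= value runs up to a quote, whitespace or tag close.
            $handlerMatches = [regex]::Matches($l, 'ms-appinstaller:\?source=([^"''\s<>]+)')
            if ($handlerMatches.Count -gt 0) {
                foreach ($m in $handlerMatches) {
                    $src = [System.Uri]::UnescapeDataString($m.Groups[1].Value)
                    New-LureRecord -Kind 'ms-appinstaller link' -Source $src -Line $l
                }
                continue
            }
            # No handler invocation: still report a direct fetch of a package or .appinstaller manifest.
            foreach ($m in [regex]::Matches($l, 'https?://\S+?\.(?:msixbundle|msix|appinstaller)\b')) {
                New-LureRecord -Kind 'direct package fetch' -Source $m.Value -Line $l
            }
        }
    }
}

$SampleLines | Get-MsAppInstallerLure | Format-Table -AutoSize
```

Pointing this at a proxy export or the saved HTML of a suspicious search result gives a quick view of where the MSIX would really come from. The handler invocation is the interesting signal, since it is what sidesteps the browser's download warnings; a `Suspicious` row is a candidate for a closer look, not a verdict, because a vendor may legitimately serve from a CDN outside its own domain.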


Microsoft also observed Storm-1113's EugenLoader being delivered through search advertisements impersonating the Zoom app. When a user visits the compromised website, a malicious MSIX installer drops EugenLoader on the device, which is then used to deliver additional malware.

These follow-on payloads have included previously observed malware such as Gozi, IcedID, NetSupport Manager (also known as NetSupport RAT), Lumma stealer, and Sectop RAT.

Sangria Tempest has been observed using Storm-1113's EugenLoader, delivered through malicious MSIX package installations. Sangria Tempest also deploys Carbanak, a backdoor the group has used since 2014, which in turn delivers the Gracewire malware implant.

Sangria Tempest (formerly tracked as ELBRUS, also known as Carbon Spider and FIN7) is a financially motivated group that primarily deploys ransomware such as Clop, or extorts victims after intruding into their systems and stealing data.

Storm-1674 has sent Teams messages containing fake landing pages that spoof the branding of many different companies as well as Microsoft services such as OneDrive and SharePoint. Using tenants the actor creates, the group schedules meetings and engages prospective victims through the meeting's chat feature.

Recommendations

  • Implement phishing-resistant authentication methods for users.
  • Configure Conditional Access authentication strength to require phishing-resistant authentication.
  • Educate Microsoft Teams users to verify the “External” tag on messages from outside organizations.
  • Encourage users to use Microsoft Edge or other web browsers that support Microsoft Defender SmartScreen.
  • Configure Microsoft Defender for Office 365 to recheck links on click.
  • Enable attack surface reduction rules to block common attack techniques.

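The recommendations above are Microsoft's. The host-level check an administrator would add, as an added example that is not code from this article or from Microsoft, is to confirm what state the protocol handler is in on a given machine and to pin it off by policy rather than rely on the new default. The policy key path, the value name `EnableMSAppInstallerProtocol`, the package identity `Microsoft.DesktopAppInstaller` and the `HKEY_CLASSES_ROOT\ms-appinstaller` registration check are assumptions to verify against current Microsoft documentation before deploying.

```powershell
# Added example, not from the original article or from Microsoft's guidance.
# Audits a Windows host for the ms-appinstaller protocol handler and, on request, disables it by policy.
# Assumptions (verify against current Microsoft documentation):
#   - The Desktop App Installer policy key is HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller and
#     the DWORD EnableMSAppInstallerProtocol set to 0 turns the ms-appinstaller handler off.
#   - The App Installer package identity is Microsoft.DesktopAppInstaller.
#   - A packaged app's URL protocol registration appears as a key named after the scheme under HKEY_CLASSES_ROOT.
# Run in an elevated session: Disable-MsAppInstallerProtocol writes to HKLM.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerState {
    [CmdletBinding()]
    param()

    $policyValue = $null
    if (Test-Path $PolicyKey) {
        $policyValue = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).$PolicyName
    }

    # Highest App Installer build present for any user on this host. The article does not state the
    # build in which Microsoft disabled the handler by default, so compare this against Microsoft's advisory.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
        Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1

    # Registration alone does not mean the handler is active: the in-app default and the policy both gate it.
    $registered = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

    [pscustomobject]@{
        AppInstallerVersion = $(if ($pkg) { $pkg.Version } else { 'not installed' })
        HandlerRegistered   = $registered
        PolicyValue         = $(if ($null -eq $policyValue) { 'not configured' } else { $policyValue })
        DisabledByPolicy    = ($policyValue -eq 0)
    }
}

function Disable-MsAppInstallerProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 0")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -Type DWord
    }
    # Return the post-change state so the caller can confirm DisabledByPolicy is now True.
    Get-MsAppInstallerState
}

# Audit first; preview the registry write with -WhatIf before enforcing.
Get-MsAppInstallerState | Format-List
# Disable-MsAppInstallerProtocol -WhatIf
```

Setting the policy explicitly matters because a machine running an older App Installer build, or one where the default is later changed, would otherwise quietly regain the handler; `DisabledByPolicy = True` is the state to look for in a fleet-wide report, independent of `AppInstallerVersion`.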
Eric Joseph Gomes

