Malware Distribution: Microsoft Disables App Installation Protocol

Microsoft has recently disabled the ms-appinstaller protocol handler by default. The company took this decision after observing threat actors using the handler to distribute malware; Microsoft Threat Intelligence has tracked this abuse since mid-November 2023.

According to Microsoft, financially motivated actors such as Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 are using the ms-appinstaller URI scheme to distribute malware. In a detailed blog post, Microsoft said it investigated the use of App Installer in these attacks and found that the activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware.

“Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler,” added Microsoft Threat Intelligence in its blog. Microsoft observed several threat actors using App Installer as a point of entry for human-operated ransomware activity, including spoofing legitimate applications and evading detection on the initial installation files. Microsoft originally introduced the ms-appinstaller URI scheme handler to streamline the installation of MSIX packages and MSIX bundles.

Microsoft says that threat actors have likely chosen the ms-appinstaller protocol handler as a vector because “it can bypass mechanisms designed to help keep users safe from malware.” According to Microsoft, some actors use search engine optimization (SEO) poisoning to surface as the top search results on Google and Bing when users search for popular applications such as Zoom, Tableau, and TeamViewer. A user searching for a legitimate application may therefore land on a page that spoofs the genuine vendor's site and links to malicious installers via the ms-appinstaller protocol.
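As an added, defender-side illustration of the landing-page abuse described above (not code from Microsoft or from this article): the script scans captured HTML for ms-appinstaller:?source= links and flags packages hosted off an allowlist or off the page's own domain. The allowlist, the sample page and all domain names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: the organisation's approved MSIX distribution hosts.
TRUSTED_SOURCE_HOSTS = {"apps.example-corp.internal"}

class _LinkCollector(HTMLParser):
    # Collects href values from <a> tags in captured landing-page HTML.
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]

def appinstaller_source(href):
    """Return the package URL named by an ms-appinstaller: URI, else None."""
    parsed = urlparse(href)  # urlparse lowercases the scheme
    if parsed.scheme != "ms-appinstaller":
        return None
    # App Installer fetches the MSIX/MSIXBundle from the 'source' parameter.
    sources = parse_qs(parsed.query).get("source", [])
    return sources[0] if sources else None

def scan_landing_page(page_url, html):
    """Return one finding per ms-appinstaller link with the reasons it was flagged."""
    collector = _LinkCollector()
    collector.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for href in collector.hrefs:
        source = appinstaller_source(href)
        if source is None:
            continue
        src = urlparse(source)
        host = (src.hostname or "").lower()
        reasons = []
        if host not in TRUSTED_SOURCE_HOSTS:
            reasons.append("untrusted-source-host")
        if host != page_host:  # spoofed page serving an installer hosted elsewhere
            reasons.append("installer-hosted-off-page-domain")
        if src.scheme != "https":
            reasons.append("non-https-source")
        findings.append({"source": source, "host": host, "reasons": reasons})
    return findings

# Constructed sample: a page spoofing a vendor download site (not real domains).
SAMPLE_PAGE_URL = "https://zoom-download.example/index.html"
SAMPLE_HTML = """<html><body><a href="/docs">Docs</a>
<a href="ms-appinstaller:?source=https://cdn.lookalike.example/Zoom.msix">Download</a>
<a href="MS-APPINSTALLER:?source=http://cdn.lookalike.example/Zoom.msixbundle">Mirror</a>
</body></html>"""
```

Running `scan_landing_page(SAMPLE_PAGE_URL, SAMPLE_HTML)` returns two findings, both flagged as untrusted and hosted off the page's domain, the second also for using plain HTTP.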