Microsoft disables app installation protocol abused by hackers

Microsoft said Thursday that it disabled a feature intended to streamline app installation after it discovered financially motivated hacking groups using it to distribute malware.

The feature, the ms-appinstaller protocol, essentially allowed people to skip a step or two when adding Windows apps to their devices. Cybercriminals figured out that it also provided a way to install loader malware, Microsoft Threat Intelligence said in a blog post.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft said.

Disabling the protocol means that Windows apps won’t install directly from a server onto a device. Instead, users must download the software package first, then run App Installer.

Microsoft attributed the activity to groups it tracks as Storm-0569, Storm-1113, Storm-1674 and Sangria Tempest. The “Storm” label refers to a group with origins unknown to the company. Sangria Tempest, a long-running cybercrime group, is also tracked as FIN7 by cybersecurity researchers and has been tied to ransomware groups such as Clop.

The groups were found in November and December to be “spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files,” Microsoft said.

The cybercriminals aimed to install loader malware that allowed for further infections, including common data exfiltration tools like IcedID or ransomware like Black Basta.

The company’s summaries of each Storm group’s activity:

• Storm-0569 “is an access broker that focuses on downloading post-compromise payloads, such as BATLOADER, through malvertising and phishing emails containing malicious links to download sites.”
• Storm-1113 “is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks.”
• Storm-1674 “is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware.”

Sangria Tempest, meanwhile, was spotted dropping Carbanak, “a backdoor used by the actor since 2014, that in turn delivers the Gracewire malware implant.” Microsoft previously reported on the group in May.