Microsoft disables one of its own software tools following multiple malware attacks

ms-appinstaller protocol handler is being disabled by Microsoft once again

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Microsofthas disabled the ms-appinstaller protocol handler as default after it found new evidence of hackers using it to deploymalware.

“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” Microsoft said in a newsecurity advisory.

Furthermore, the Redmond giant saw hackers selling malware kits on the dark web, which use the MSIX file format and the ms-appinstaller protocol handler.

Reader Offer: Save up to 68% on Aura identity theft protectionTechRadar editors praise Aura’s upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today.

Preferred partner (What does this mean?)

Four threat actors

Apparently, the threat actors are creating malicious fake ads for legitimate and popular software, to redirect the victims to websites under their control. There, they trick them into downloading malware. A second distribution vector is phishing through Microsoft Teams, the company said.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” the advisory reads.

Since mid-November this year, at least four threat actors abused the App Installer service, Microsoft further explained, with those being Storm-0569, Storm-1113, Sangria Tempest (AKA FIN7), and Storm-1674. The former is an access broker that usually hands off the access to Storm-0506, which then deploys the Black Basta ransomware. FIN7, which researchers also observed impersonating banking software earlier this week, used the App Installer service to drop Gracewire, while Storm-1674 masquerades as Microsoft OneDrive and SharePoint through Teams messages.

The handler is disabled in the App Installer version 1.21.3421.0 or higher.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

This is not the first time MSIX Windows app package files were abused in malware distribution,TheHackerNewssays. In October 2023, Elastic Security Labs found such files forGoogleChrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex being used to distribute a malware loader dubbed GHOSTPULSE. What’s more, Microsoft disabled the handler once before, in February last year.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

The 6 best electric motorcycle concepts and launches from EICMA 2024