December 29, 2023 at 01:06AM
Microsoft has disabled the ms-appinstaller protocol handler by default because threat actors were abusing it to distribute malware. Signed malicious MSIX application packages, delivered through Microsoft Teams or fake advertisements, are being used as the entry point for ransomware. Multiple financially motivated hacking groups have exploited the App Installer service in this way. This is not the first time Microsoft has taken this step.
Key takeaways:
– Microsoft announced that the ms-appinstaller protocol handler is disabled by default because threat actors were abusing it to distribute malware that leads to ransomware deployment.
– Several financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity.
– The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.
– The threat actors have been observed using various tactics and platforms, such as fake landing pages, malicious installers, and Google ads to distribute malware and gain unauthorized access.
Microsoft had previously addressed the same issue in February 2022, which shows that this threat is recurring.
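As an added defender-side example (not from the original post), the following Python snippet scans constructed proxy-style log lines for `ms-appinstaller:` links, which carry the package location in a `source=` query parameter, and extracts the host each package would be fetched from so it can be compared against an allowlist. The log format, hostnames and allowlist are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (timestamp, user, method, URL, status);
# the hostnames are invented for this example.
SAMPLE_LOG = """\
2023-12-20T10:01:02Z user1 GET https://example.com/index.html 200
2023-12-20T10:02:15Z user2 GET ms-appinstaller:?source=https://cdn.example-ads.test/Installer.msix 302
2023-12-20T10:03:44Z user3 GET https://teams.microsoft.com/l/message/123 200
2023-12-20T10:04:09Z user4 GET ms-appinstaller:?source=https%3A%2F%2Fdl.example-software.test%2FSetup.msixbundle 302
"""

# Hosts the organisation considers legitimate package sources (assumed).
ALLOWED_SOURCE_HOSTS = {"packages.corp.example"}

# An ms-appinstaller link is the scheme followed by a query string; stop at whitespace or quotes.
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?[^\s\"']+", re.IGNORECASE)


def extract_appinstaller_sources(log_text):
    """Return (line_no, source_host, source_url) for each ms-appinstaller: link found."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = MS_APPINSTALLER_RE.search(line)
        if not match:
            continue
        query = match.group(0).split("?", 1)[1]
        # parse_qs percent-decodes the value, so an encoded source URL is recovered here.
        source = parse_qs(query).get("source", [""])[0]
        host = (urlparse(source).hostname or "").lower()
        hits.append((line_no, host, source))
    return hits


def flag_untrusted(hits, allowed_hosts=ALLOWED_SOURCE_HOSTS):
    """Keep only hits whose package source host is not on the allowlist."""
    return [hit for hit in hits if hit[1] not in allowed_hosts]


if __name__ == "__main__":
    for line_no, host, source in flag_untrusted(extract_appinstaller_sources(SAMPLE_LOG)):
        print(f"line {line_no}: untrusted MSIX source host {host!r} ({source})")
```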