CVSS3: 7.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score: 7 High (Confidence: Low)

CVSS2: 6 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS: 0.002 Low (Percentile: 52.2%)
Microsoft on Thursday said it's once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.
"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said.
It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher.
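The only concrete mitigation detail the article gives is the App Installer version at which the protocol handler is disabled by default. The following PowerShell snippet is an added example, not code from the article or from Microsoft: it lists every installed copy of the App Installer package (Microsoft.DesktopAppInstaller) and flags any whose version is below 1.21.3421.0. The package name is the real AppX identity of App Installer; the threshold value comes straight from the article.

```powershell
# Added example (not from the article or Microsoft): report whether each
# installed App Installer package is at or above the version the article
# says ships with the ms-appinstaller handler disabled by default.
# Run from an elevated PowerShell; -AllUsers requires administrator rights.
$Threshold = [Version]'1.21.3421.0'

$pkgs = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -AllUsers -ErrorAction SilentlyContinue
if (-not $pkgs) {
    Write-Output 'App Installer (Microsoft.DesktopAppInstaller) is not installed on this machine.'
    return
}

foreach ($pkg in $pkgs) {
    # Get-AppxPackage exposes Version as a string; cast it for a numeric compare.
    $v = [Version]$pkg.Version
    if ($v -ge $Threshold) {
        $status = 'OK (at or above {0})' -f $Threshold
    } else {
        $status = 'BELOW {0} - update App Installer' -f $Threshold
    }
    Write-Output ('{0,-60} {1,-14} {2}' -f $pkg.PackageFullName, $v, $status)
}
```

Without -AllUsers the cmdlet only shows packages registered for the current user, so a machine with a stale copy under another profile would look clean; keep the switch when auditing shared hosts.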
The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.
At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity -
Microsoft described Storm-1113 as an entity that also dabbles in "as-a-service," providing malicious installers and landing page frameworks mimicking well-known software to other threat actors such as Sangria Tempest and Storm-1674.
In October 2023, Elastic Security Labs detailed another campaign in which spurious MSIX Windows app package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader dubbed GHOSTPULSE.
This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader.
"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," Microsoft said.