Malware attacks exploiting app installation protocol prompt deactivation

Several threat operations including Sangria Tempest or FIN7, Storm-0569, Storm-1674, and Storm-1113 have exploited Microsoft's "ms-appinstaller protocol" for expediting Windows app installation to facilitate malware distribution, resulting in the deactivation of the protocol, reports The Record, a news site by cybersecurity firm Recorded Future. Attacks launched in November and December involved the spoofing of legitimate apps that were malicious MSIX packages that would install loader malware and other payloads, such as Black Basta and IcedID, a report from the Microsoft Threat Intelligence team revealed. Researchers noted Sangria Tempest exploited the protocol to deploy the Carbanak malware while Storm-0569 spread BATLOADER and other post-compromise payloads using the exploit, a report from the Microsoft Threat Intelligence team revealed. "Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," said Microsoft.