
Malware attacks exploiting app installation protocol prompt deactivation

Several threat groups, including Sangria Tempest (also tracked as FIN7), Storm-0569, Storm-1674, and Storm-1113, have abused Microsoft's ms-appinstaller protocol handler, a mechanism designed to speed up Windows app installation, to distribute malware, and Microsoft has deactivated the protocol in response, reports The Record, a news site operated by cybersecurity firm Recorded Future. In attacks launched in November and December, the actors spoofed legitimate apps with malicious MSIX packages that installed loader malware and other payloads, including Black Basta and IcedID, according to a report from the Microsoft Threat Intelligence team. The researchers noted that Sangria Tempest used the protocol to deploy the Carbanak malware, while Storm-0569 used the same vector to spread BATLOADER and other post-compromise payloads. "Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," said Microsoft.
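Because the handler is invoked through an `ms-appinstaller:` URI whose `source=` parameter points at the package, web-proxy or browser-history logs are one place a defender can see this vector being used. The script below is an added example, not code from the article or from Microsoft, that scans proxy log lines for such URIs and flags package fetches from hosts outside an allowlist. The log format (timestamp, client IP, method, URL, status), the allowlisted host, and the sample lines are all constructed for illustration.

```python
"""Flag ms-appinstaller protocol URIs in web-proxy log lines (added example).

Assumed log format (constructed for this example, one request per line):
    <timestamp> <client_ip> <method> <url> <status>
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Package and manifest extensions the App Installer handler fetches via `source=`.
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# Constructed allowlist: hosts from which this organisation expects signed packages.
ALLOWED_SOURCE_HOSTS = {"packages.example.internal"}

# Scheme match is case-insensitive; the handler accepts "ms-appinstaller:?source=..."
# and the "ms-appinstaller://?source=..." variant.
APPINSTALLER_RE = re.compile(r"ms-appinstaller:/*\??", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client: str
    source_url: Optional[str]
    source_host: Optional[str]
    reason: str
    suspicious: bool


def extract_source(uri: str) -> Optional[str]:
    """Return the `source=` target of an ms-appinstaller URI, or None if absent."""
    m = APPINSTALLER_RE.match(uri)
    if not m:
        return None
    # parse_qs percent-decodes values, so an encoded https%3A%2F%2F... source is
    # recovered; an unencoded source carrying its own '&' would be truncated.
    params = parse_qs(uri[m.end():], keep_blank_values=True)
    values = params.get("source")
    return values[0] if values else None


def classify(uri: str) -> Tuple[Optional[str], Optional[str], str, bool]:
    """Decide whether an ms-appinstaller URI warrants attention."""
    src = extract_source(uri)
    if src is None:
        return None, None, "ms-appinstaller URI without a source= parameter", True
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    if host in ALLOWED_SOURCE_HOSTS:
        return src, host, "package from allowlisted host", False
    if parts.path.lower().endswith(PACKAGE_EXTS):
        return src, host, "package fetched from non-allowlisted host", True
    return src, host, "non-package source on non-allowlisted host", True


def scan_log(lines) -> List[Finding]:
    """Return one Finding per log line whose URL field uses the ms-appinstaller scheme."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real parser would report it
        url = fields[3]
        if not APPINSTALLER_RE.match(url):
            continue
        src, host, reason, suspicious = classify(url)
        findings.append(Finding(n, fields[1], src, host, reason, suspicious))
    return findings


# Constructed sample log: one benign request, one allowlisted package, two
# package fetches from unexpected hosts (one upper-cased and percent-encoded),
# and one handler invocation with no source at all.
SAMPLE_LOG = """\
2023-12-01T10:02:11Z 10.1.2.3 GET https://www.example.com/ 200
2023-12-01T10:05:40Z 10.1.2.3 GET ms-appinstaller:?source=https://packages.example.internal/Tool.msixbundle 200
2023-12-01T10:07:02Z 10.1.2.9 GET ms-appinstaller:?source=https://cdn-lookalike.example.net/Setup.msix 200
2023-12-01T10:09:15Z 10.1.2.9 GET MS-APPINSTALLER:?source=https%3A%2F%2Fdrop.example.org%2FInstall.appinstaller 200
2023-12-01T10:11:48Z 10.1.2.12 GET ms-appinstaller: 200
"""


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"line {f.line_no} client {f.client}: {flag} - {f.reason} ({f.source_url})")
```

Matching on the URL scheme rather than on a file extension matters here: the article's point is that the handler itself sidesteps SmartScreen and browser download warnings, so a handler invocation from an unexpected host is the signal, whatever the package is called. On endpoints, the complementary control is the one the article describes, turning the protocol handler off, so that such a URI does nothing even if a user clicks it.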
