Microsoft has restricted access to a feature designed to streamline Windows app installs after several threat groups were spotted using it to trick victims into downloading malware.
The software giant disabled the feature in February 2022 after discovering a spoofing vulnerability, CVE-2021-43890 was being exploited to deliver Emotet malware. It was enabled again several months later after a patch was developed.
In a post last week, Microsoft’s threat intelligence team said the ms-appinstaller protocol handler was still available but had now been disabled by default after several financially motivated threat groups were observed during November and December abusing it to distribute malware.
Among the groups abusing the feature were FIN7, which Microsoft tracks as Sangria Tempest. It also identified three other unknown, emerging, or developing groups (which it tracks using the “Storm” prefix).
“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” the threat intelligence team said in its post.
The first of the emerging groups, Storm-0569, was spotted distributing BatLoader malware through SEO poisoning using malicious sites that spoofed legitimate downloads for popular apps including Zoom, Tableau, TeamViewer and AnyDesk.
“Storm-0569 is an access broker that focuses on downloading post-compromise payloads, such as BATLOADER, through malvertising and phishing emails containing malicious links to download sites,” the threat intelligence team said.
“The threat actor also provides malicious installers and landing page frameworks to other actors.”
The second threat group, Storm-1113, had been observed deploying a malicious MSIX installer, EugenLoader, which was then used to deliver further malicious payloads. Like Storm-0569, it used malicious search ads to direct victims to fake download sites.
FIN7 was seen using Storm-1113’s EugenLoader malware through MSIX package installs, and following them up with drops of Carbanak, a backdoor the long-established threat group had been using since 2014.
The final group the threat intelligence team identified, Storm-1674, delivered fake landing pages through messages delivered using Microsoft Teams.
“The landing pages spoof Microsoft services like OneDrive and SharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send chat messages to potential victims using the meeting’s chat functionality,” the post said.
“Microsoft has taken action to mitigate the spread of malware from confirmed malicious tenants by blocking their ability to send messages thus cutting off the main method used for phishing.”
In October, Elastic Security Labs posted about a similar campaign where threat actors used signed MSIX application packages to gain initial access to victims’ systems. The security firm observed malicious websites promoting fake installers for Chrome, Brave, Edge, Grammarly, WebEx and other applications.