Microsoft Deactivates MSIX Protocol Handler Misused in Malware Attacks

December 28, 2023

Microsoft has once again deactivated the MSIX ms-appinstaller protocol handler, which has been exploited by numerous financially driven cybercriminal groups to distribute malware to Windows users. These threat actors have exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to bypass security measures, including the Defender SmartScreen anti-phishing and anti-malware component and browser alerts warning users about executable file downloads.

Microsoft has reported that the threat actors have utilized malicious ads for popular software and Microsoft Teams phishing messages to distribute signed malicious MSIX application packages. The company stated, "Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware."

The misuse of the ms-appinstaller protocol handler by these threat actors could potentially lead to ransomware distribution. Various cybercriminals are also offering a malware kit as a service that exploits the MSIX file format and the ms-appinstaller protocol handler.

The Sangria Tempest group, also known as FIN7, has previously been associated with REvil and Maze ransomware following its participation in the now-defunct BlackMatter and DarkSide ransomware operations. The group has also been linked to attacks targeting PaperCut printing servers with Clop ransomware.

More than two years ago, Emotet used malicious Windows AppX Installer packages disguised as Adobe PDF software to infect Windows 10 and Windows 11 systems. The AppX Installer spoofing vulnerability was also used to distribute the BazarLoader malware via malicious packages hosted on Microsoft Azure, with URLs ending in *.web.core.windows.net.

Microsoft first disabled the ms-appinstaller protocol handler in February 2022 to counter Emotet's attacks. Given the potential for devices compromised in these attacks to be targeted with ransomware, Microsoft once again deactivated the ms-appinstaller protocol handler earlier this month. While Microsoft indicated that it was deactivated by default on December 28, 2023, other sources report that the change was implemented earlier this month. It remains unclear when and why Microsoft reactivated the Windows App Installer between February 2022 and December 2023.

Today, Microsoft advised installing the patched App Installer version 1.21.3421.0 or later to prevent exploitation attempts. For administrators who cannot immediately update the latest App Installer version, the company suggested disabling the protocol by setting the Group Policy EnableMSAppInstallerProtocol to Disabled.
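The following PowerShell script is an added example, not code from the article or from Microsoft; it audits a Windows host against the two mitigations described above (App Installer at version 1.21.3421.0 or later, and the EnableMSAppInstallerProtocol policy set to Disabled) and can optionally apply the policy. `Get-AppxPackage` and the package identity `Microsoft.DesktopAppInstaller` are real; the registry path `HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller` is assumed to be the key that backs the Group Policy setting, so verify it against your own policy tooling before relying on it.

```powershell
# Added example (not from the article): audit the App Installer version and the
# ms-appinstaller protocol policy on this host, optionally enforcing the policy.
# Run elevated so that -AllUsers and HKLM writes succeed.

# Patched App Installer version named in the article.
$MinimumVersion = [version]'1.21.3421.0'

# ASSUMPTION: registry key that backs the "Enable App Installer ms-appinstaller
# protocol" Group Policy. Confirm in your environment before use.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerStatus {
    # Highest installed App Installer version across all user profiles.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1

    $installed = if ($pkg) { [version]$pkg.Version } else { $null }
    $patched   = ($installed -ne $null) -and ($installed -ge $MinimumVersion)

    # Policy value: 0 = Disabled (mitigated), 1 = Enabled, absent = not configured
    # (the protocol handler's default then applies).
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $policyState = switch ($policy) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { 'NotConfigured' }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledVersion = $installed
        MinimumVersion   = $MinimumVersion
        IsPatched        = $patched
        ProtocolPolicy   = $policyState
        # Compliant when either mitigation from the article is in place.
        Compliant        = $patched -or ($policyState -eq 'Disabled')
    }
}

function Disable-AppInstallerProtocol {
    # Apply the fallback mitigation: set the policy value to 0 (Disabled).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -PropertyType DWord -Force | Out-Null
}

# Usage: report status, and disable the protocol where the host is not yet patched.
$status = Get-AppInstallerStatus
$status | Format-List

if (-not $status.IsPatched -and $status.ProtocolPolicy -ne 'Disabled') {
    Write-Host "App Installer below $MinimumVersion; disabling ms-appinstaller protocol via policy."
    Disable-AppInstallerProtocol
    Get-AppInstallerStatus | Format-List
}
```

The script treats a host as compliant when either the patched App Installer build is present or the policy is set to Disabled, mirroring the two options the article gives; in a managed fleet the policy would normally be delivered through Group Policy or MDM rather than written locally, with this script used only for verification.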
