Microsoft has once again deactivated the MSIX ms-appinstaller protocol handler due to repeated exploitation by financially motivated threat organizations, resulting in the infection of Windows users with malware.
The attackers exploited CVE-2021-43890, a Windows AppX Installer spoofing vulnerability, to bypass security features designed to protect Windows users from malicious software. These features include the Defender SmartScreen anti-phishing and anti-malware protection, as well as the built-in browser warnings shown when executable files are downloaded.
According to Microsoft, the threat actors employ both malevolent adverts for widely-used software and phishing communications targeting Microsoft Teams in order to distribute signed malicious MSIX application packages.
According to Microsoft Threat Intelligence, since mid-November 2023 it has observed threat actors, including financially motivated groups such as Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, using the ms-appinstaller URI scheme (App Installer) to distribute malware.
“The observed malicious activity exploits the existing implementation of the ms-appinstaller protocol handler as a means of gaining access for malware, which could potentially result in the distribution of ransomware,” Microsoft said. Several cybercriminals are also selling a malware kit that abuses the MSIX file format and the ms-appinstaller protocol handler.
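For administrators who want to confirm that the ms-appinstaller handler is actually switched off on their fleet rather than relying on the vendor-side deactivation, the following PowerShell script is an added example (not code from the article or from Microsoft). It audits, and optionally enforces, the `EnableMSAppInstallerProtocol` Group Policy value that Microsoft's published mitigation guidance for CVE-2021-43890 describes; the registry path and value name below come from that guidance, not from this article, and should be treated as an assumption to verify against the current advisory. The enforce step needs an elevated session.

```powershell
# Added example, not from the article: audit and optionally enforce the
# policy that disables the ms-appinstaller protocol handler.
# Assumption: the policy lives at the registry location below, as described
# in Microsoft's mitigation guidance for CVE-2021-43890.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    [CmdletBinding()]
    param()

    $value = $null
    if (Test-Path $PolicyPath) {
        $value = (Get-ItemProperty -Path $PolicyPath -Name $PolicyName `
                  -ErrorAction SilentlyContinue).$PolicyName
    }

    # The handler is only reachable when the App Installer package is present,
    # so report its version alongside the policy state.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' `
           -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        PolicyValue              = $value            # $null means "not configured"
        ProtocolDisabledByPolicy = ($value -eq 0)
        AppInstallerVersion      = if ($pkg) { $pkg.Version } else { 'not installed' }
    }
}

function Disable-MsAppInstallerProtocol {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess("$PolicyPath\$PolicyName", 'Set DWORD value to 0')) {
        New-ItemProperty -Path $PolicyPath -Name $PolicyName -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }

    # Return the post-change state so the caller can log or assert on it.
    Get-MsAppInstallerProtocolState
}

# Usage:
#   Get-MsAppInstallerProtocolState          # audit only
#   Disable-MsAppInstallerProtocol -WhatIf   # preview the registry change
#   Disable-MsAppInstallerProtocol           # enforce (elevated session required)
```

The audit function returns an object rather than printing, so it can be fed into a remoting loop or a compliance report; a `PolicyValue` of `$null` means no policy is configured and the host is relying solely on the App Installer package version for protection.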
Sangria Tempest, also known as FIN7, is a financially motivated hacking group. It has previously been associated with the REvil and Maze ransomware, following its involvement in the now-defunct BlackMatter and DarkSide ransomware operations.
BleepingComputer has obtained a private Microsoft threat analytics report that links FIN7 to attacks on PaperCut printing systems that deployed Clop ransomware.