Microsoft disables the ms-appinstaller protocol handler by default due to its misuse by several threat actors to spread malware.
“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence team said.
By infosecbulletin
/ Thursday , September 5 2024
CISCO released security updates for two critical security flaws impacting its smart Licensing Utility that could allow unauthenticated, remote attackers...
Read More
By infosecbulletin
/ Wednesday , September 4 2024
OpenBAS is a platform that helps organizations to plan, schedule, and conduct crisis exercises, adversary simulations, and breach simulations. OpenBAS...
Read More
By infosecbulletin
/ Wednesday , September 4 2024
Zyxel has released software updates to fix a serious security issue in certain access point (AP) and security router versions....
Read More
By infosecbulletin
/ Tuesday , September 3 2024
VMware released a security advisory for a major vulnerability in the VMware Fusion product. This vulnerability could be exploited by...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
Indian Computer Emergency Response Team (CERT-IN) issued advisories about multiple vulnerabilities in various Palo Alto Networks applications. Attackers could exploit...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
Malaysia is quickly becoming a leading choice for investing in data centers. It aims to generate RM3.6 billion (US$781 million)...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
There is a new way to attack Atlassian Confluence using the vulnerability CVE-2023-22527. The Confluence Data Center and Server products...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
The Cicada3301 ransomware is made in Rust and attacks Windows and Linux/ESXi hosts. Truesec researchers examined a version that targets...
Read More
By infosecbulletin
/ Tuesday , September 3 2024
Lloyds Bank and Virgin Money's internet banking services were down on Monday, causing trouble for users to access and view...
Read More
ALSO READ:
India’s ISRO to launch AI enabled 50 Spy Satellites
Cybercriminals offer a malware kit that uses the MSIX file format and ms-appinstaller protocol handler. The changes are in effect in App Installer version 1.21.3421.0 or higher.
The attacks involve signed malicious MSIX application packages. These packages are distributed through Microsoft Teams or malicious ads for popular software on search engines like Google.
Since mid-November 2023, four different hacking groups have been exploiting the App Installer service for financial gain. In October 2023, Elastic Security Labs discovered a campaign involving fake MSIX Windows app package files for popular software like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. These files were used to distribute a malware loader called GHOSTPULSE.
Microsoft disabled the MSIX ms-appinstaller protocol handler in Windows before, in February 2022, to block threat actors from using it to distribute harmful software like Emotet, TrickBot, and Bazaloader.
“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft said.