Microsoft disables App Installer

Microsoft has disabled its ms-appinstaller URI scheme (App Installer) after observing that threat actors are using it to distribute malware.

According to a blog post from Microsoft Threat Intelligence, Microsoft has been observing this threat actor activity since mid-November 2023.

Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware. Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.


The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution.

Microsoft also observed that multiple cybercriminals are selling a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler.

According to Microsoft, hackers have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.


In mid-November of this year, Microsoft Threat Intelligence discovered multiple cybercriminal groups using App Installer as a conduit for ransomware operations.

As mentioned in the report, the observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.
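As an added example (not from the article, and not Microsoft's own tooling), the following Python scans constructed web-proxy log lines for ms-appinstaller: URIs, pulls the package URL out of the scheme's `source=` parameter, and flags launches whose package comes from a host outside an organisation's allowlist, over plain HTTP, or without an MSIX/AppInstaller artifact. The log format, hostnames and allowlist are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (method, URL, referrer); not real traffic.
SAMPLE_LOG = """\
GET https://example-cdn.test/landing.html -
GET ms-appinstaller:?source=https://updates.contoso.test/app/Contoso.msixbundle https://example-cdn.test/landing.html
GET ms-appinstaller:?source=https://free-software-dl.test/Popular-App-Setup.msix https://ads.test/click?id=77
GET https://free-software-dl.test/Popular-App-Setup.msix -
GET ms-appinstaller:?source=http://cdn-unsafe.test/pkg.appinstaller -
"""

# Hosts approved as MSIX package sources (assumed allowlist for the example).
ALLOWED_SOURCE_HOSTS = {"updates.contoso.test"}
PACKAGE_SUFFIXES = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?(\S+)", re.IGNORECASE)


def extract_source(text: str) -> Optional[str]:
    """Return the package URL carried by an ms-appinstaller:?source=... URI, or None."""
    match = MS_APPINSTALLER_RE.search(text)
    if not match:
        return None
    sources = parse_qs(match.group(1)).get("source")
    return sources[0] if sources else None


def classify(line: str) -> Optional[dict]:
    """Describe a protocol-handler launch found on a log line; None if there is none."""
    source = extract_source(line)
    if source is None:
        return None
    parts = urlsplit(source)
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("non-https package source")
    if parts.hostname not in ALLOWED_SOURCE_HOSTS:
        reasons.append("package host not on allowlist")
    if not parts.path.lower().endswith(PACKAGE_SUFFIXES):
        reasons.append("source does not point at an MSIX/AppInstaller artifact")
    return {"source": source, "host": parts.hostname, "reasons": reasons}


def scan(log_text: str) -> list:
    """Return findings for launches whose package source fails at least one check."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result["reasons"]:
            findings.append(result)
    return findings
```

Launches from the allowlisted host produce no finding, so only the two downloads from untrusted hosts are reported.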
