On Thursday, Microsoft announced the reactivation of the ms-appinstaller protocol handler, reverting it to its default state due to widespread exploitation by various threat actors for malware dissemination. The Microsoft Threat Intelligence team reported that the misuse of the current implementation of the ms-appinstaller protocol handler has become a common method for threat actors to introduce malware, potentially leading to the distribution of ransomware.

The team highlighted the emergence of cybercriminals offering a malware kit as a service, utilizing the MSIX file format and ms-appinstaller protocol handler. These alterations are now in effect starting from App Installer version 1.21.3421.0 or newer.

The attacks are manifested through signed malicious MSIX application packages, circulated through platforms such as Microsoft Teams or deceptive advertisements appearing on popular search engines like Google. Since mid-November 2023, at least four financially motivated hacking groups have exploited the App Installer service, utilizing it as an entry point for subsequent human-operated ransomware activities.

The identified groups involved in these activities include Storm-0569, employing BATLOADER through SEO poisoning with sites mimicking Zoom, Tableau, TeamViewer, and AnyDesk, ultimately leading to Black Basta ransomware deployment. Storm-1113 serves as an initial access broker distributing EugenLoader disguised as Zoom, facilitating the delivery of various stealer malware and remote access trojans. Sangria Tempest (also known as Carbon Spider and FIN7) utilizes EugenLoader from Storm-1113 to drop Carbanak, delivering an implant named Gracewire. 

Alternatively, the group relies on Google ads to entice users into downloading malicious MSIX application packages from deceptive landing pages, distributing POWERTRASH, which is then utilized to load NetSupport RAT and Gracewire. Storm-1674, another initial access broker, sends seemingly harmless landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages using the TeamsPhisher tool, leading recipients to download a malicious MSIX installer containing SectopRAT or DarkGate payloads.

Microsoft characterized Storm-1113 as an entity involved in "as-a-service," providing malicious installers and landing page frameworks imitating well-known software to other threat actors like Sangria Tempest and Storm-1674. In October 2023, Elastic Security Labs detailed a separate campaign involving counterfeit MSIX Windows app package files for popular applications like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex, used to distribute a malware loader called GHOSTPULSE.

This marks a recurrence of Microsoft taking action to disable the MSIX ms-appinstaller protocol handler in Windows. A similar step was taken in February 2022 to thwart threat actors from exploiting it to deliver Emotet, TrickBot, and Bazaloader. Microsoft emphasized that threat actors likely choose the ms-appinstaller protocol handler vector due to its ability to bypass safety mechanisms such as Microsoft Defender SmartScreen and built-in browser warnings designed to protect users from malicious content.