Microsoft has disabled the ms-appinstaller protocol handler by default after it discovered new evidence of hackers using it to deploy malware.
“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” Microsoft said in a new security advisory.
Furthermore, the Redmond giant observed hackers selling malware kits on the dark web which use the MSIX file format and the ms-appinstaller protocol handler.
Four threat actors
Apparently, the threat actors are creating malicious fake ads for legitimate and popular software to redirect victims to websites under their control. There, they trick them into downloading malware. A second distribution vector is phishing via Microsoft Teams, the company said.
“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” the advisory reads.
Since mid-November this year, at least four threat actors have abused the App Installer service, Microsoft further explained, these being Storm-0569, Storm-1113, Sangria Tempest (AKA FIN7), and Storm-1674. The first of these is an access broker that usually hands off the access to Storm-0506, which then deploys the Black Basta ransomware. FIN7, which researchers also observed impersonating banking software earlier this week, used the App Installer service to drop Gracewire, while Storm-1674 masquerades as Microsoft OneDrive and SharePoint via Teams messages.
The handler is disabled in App Installer version 1.21.3421.0 or higher.
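Two checks a defender would want after reading the advisory's SmartScreen-bypass point and the fixed-version note above, as an added example that is not part of the article and not Microsoft's own tooling: confirm that the installed App Installer package is at or above the version the article names, and flag ms-appinstaller links in text you already collect (proxy logs, exported Teams messages). The package name Microsoft.DesktopAppInstaller and the URI form ms-appinstaller:?source=<package URL> are standard Windows details not stated on the page; the log lines and hostnames are constructed for this example.

```powershell
# Added example (not from the article or from Microsoft): defender-side checks
# for the ms-appinstaller abuse described above.

# Version the article says disables the handler.
$MinimumFixedVersion = [version]'1.21.3421.0'

function Test-AppInstallerVersion {
    [CmdletBinding()]
    param([version]$Minimum = $MinimumFixedVersion)

    # Microsoft.DesktopAppInstaller is the Appx package name of App Installer
    # (assumed here; not stated in the article). Take the newest copy if several exist.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1

    if (-not $pkg) {
        return [pscustomobject]@{ Installed = $false; Version = $null; HandlerDisabledByVersion = $false }
    }
    $v = [version]$pkg.Version
    [pscustomobject]@{
        Installed                = $true
        Version                  = $v
        HandlerDisabledByVersion = ($v -ge $Minimum)   # $true once the fixed build is installed
    }
}

# Constructed sample lines standing in for a proxy or click log.
$SampleLines = @(
    '2023-12-28T10:01:02Z user=alice url=https://example.com/download',
    '2023-12-28T10:02:14Z user=bob url=ms-appinstaller:?source=https://updates-placeholder.invalid/Setup.msix',
    '2023-12-28T10:03:40Z user=carol url=https://contoso-placeholder.invalid/onedrive/login'
)

function Find-AppInstallerLinks {
    param([string[]]$Lines)
    # The handler URI form is ms-appinstaller:?source=<package URL> (assumed, not from the article);
    # capture the package URL so the hosting site can be reviewed or blocked.
    $pattern = 'ms-appinstaller:\?source=(?<source>\S+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $srcHost = $null
            try { $srcHost = ([uri]$Matches['source']).Host } catch { }
            [pscustomobject]@{
                Line       = $line
                PackageUrl = $Matches['source']
                Host       = $srcHost
            }
        }
    }
}

Test-AppInstallerVersion | Format-List
Find-AppInstallerLinks -Lines $SampleLines | Format-Table -AutoSize
```

Run it in an elevated or per-user PowerShell session on a Windows host; the first call reports whether the fixed App Installer build is present, and the second returns one object per line that carried an ms-appinstaller link, with the package host ready for an allowlist comparison.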
This isn't the first time MSIX Windows app package files have been abused in malware distribution, TheHackerNews says. In October 2023, Elastic Security Labs found such files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex being used to distribute a malware loader dubbed GHOSTPULSE. What's more, Microsoft disabled the handler once before, in February last year.