Financially motivated threat actors misusing App Installer

Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware.
In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks.
Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.
In this blog, we provide an analysis of activity by financially motivated threat actors abusing App Installer observed since mid-November 2023.
Microsoft Threat intelligence observed several actors-including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674-using App Installer as a point of entry for human-operated ransomware activity.
At the beginning of December 2023, Microsoft observed Storm-0569 distributing BATLOADER through search engine optimization poisoning with sites spoofing legitimate software downloads such as Zoom, Tableau, TeamViewer, and AnyDesk.
They cover multiple infection chains that typically begin with maliciously signed Microsoft Installer files posing as legitimate software installations or updates for applications such as TeamViewer, Zoom, and AnyDesk.
Since mid-November 2023, Microsoft observed Storm-1113's EugenLoader delivered through search advertisements mimicking the Zoom app.
In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations.
Microsoft has taken action to mitigate the spread of malware from confirmed malicious tenants by blocking their ability to send messages thus cutting off the main method used for phishing.
In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.
Refer to the Microsoft Security Response Blog for App Installer protection tips.
Microsoft recommends the following mitigations to reduce the impact of this threat.
Educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
Apply Microsoft's security best practices for Microsoft Teams to safeguard Teams users.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
Microsoft Defender Antivirus detects threat components as the malware listed below.
Microsoft Defender for Office 365 detects malicious activity associated with this threat.
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.


This Cyber News was published on www.microsoft.com. Publication date: Fri, 29 Dec 2023 14:13:05 +0000


Cyber News related to Financially motivated threat actors misusing App Installer

Financially motivated threat actors misusing App Installer - Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware. In ...
11 months ago Microsoft.com
Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
10 months ago Microsoft.com
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com
Microsoft addresses App Installer abuse - In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious ...
11 months ago Msrc.microsoft.com
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
1 year ago Feeds.fortinet.com
Operation Morpheus took down 593 Cobalt Strike servers used by threat actors - Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers. Threat actors may have exploited a zero-day in older iPhones, Apple warns. Nation-state ...
5 months ago Securityaffairs.com
Microsoft disables MSIX protocol handler abused in malware attacks - Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware. The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing ...
11 months ago Bleepingcomputer.com
Microsoft Implements Disablement of Widely Exploited MSIX App Installer Protocol Due to Malware Attacks - On Thursday, Microsoft announced the reactivation of the ms-appinstaller protocol handler, reverting it to its default state due to widespread exploitation by various threat actors for malware dissemination. The Microsoft Threat Intelligence team ...
11 months ago Cysecurity.news
Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns - On January 3, 2024, Mandiant's X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. The following blog post provides additional insight into the drainer leveraged in this campaign, ...
11 months ago Mandiant.com
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
1 year ago Thedfirreport.com
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
11 months ago Cyberdefensemagazine.com
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
10 months ago Thedfirreport.com
What Is Threat Modeling? - Threat modeling emerges as a pivotal process in this landscape, offering a structured approach to identify, assess, and address potential security threats. Threat Modeling Adoption and Implementation The successful adoption of threat modeling within ...
11 months ago Feeds.dzone.com
What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
10 months ago Techrepublic.com
Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
10 months ago Techrepublic.com
Companies Must Strengthen Cyber Defense in Face of Shifting Threat Actor Strategies - Critical for organizations to understand attackers' tactics, techniques, and procedures. The 2023 mid-year cyber threat report card portends an ominous outlook with staggering data including the fact that 332 million cryptojacking attacks were ...
11 months ago Cyberdefensemagazine.com
Threat actors actively exploit D-Link DIR-859 router flaw - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities ...
5 months ago Securityaffairs.com
Threat actors actively exploit D-Link DIR-859 router flaw - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities ...
5 months ago Securityaffairs.com
Windows Incident Response: Human Behavior In Digital Forensics, pt III - Digital forensics can provide us insight into a threat actor's sophistication and situational awareness, which can, in turn, help us understand their intent. Observing the threat actor's actions helps us understand not just their intent, but what ...
11 months ago Windowsir.blogspot.com
Windows Incident Response: Human Behavior In Digital Forensics, pt II - Targeted Threat ActorI was working a targeted threat actor response, and while we were continuing to collect information for scoping, so we could move to containment, we found that on one day, from one endpoint, the threat actor pushed their RAT ...
11 months ago Windowsir.blogspot.com
How to Use Threat Intelligence Feeds for SOC/DFIR Teams - Threat intelligence feeds provide real-time updates on indicators of compromise, such as malicious IPs and URLs. Security systems can then ingest these IOCs to identify and block potential threats, which essentially grants organizations immunity to ...
7 months ago Cybersecuritynews.com
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US - Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity. We ...
1 year ago Unit42.paloaltonetworks.com
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities - SUMMARY. The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, and the Israel National Cyber Directorate-hereafter referred to as "The authoring agencies"-are ...
1 year ago Cisa.gov
Fake app impersonating LastPass spotted in Apple's App Store The Register - LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install. A screenshot of the fake LastPass app in the Apple App ...
10 months ago Go.theregister.com
Sandman APT Gains Traction: Chinese Hackers Amplify Cybersecurity Risks - Following this assessment, SentinelOne, PwC, and Microsoft Threat Intelligence have been working together on this since they have determined that the adversary's Lua-based malware, LuaDream, and the KEYPLUG have both been found to cohabit in the ...
1 year ago Cysecurity.news

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)