Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware.
In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks.
Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.
In this blog, we provide an analysis of activity by financially motivated threat actors abusing App Installer observed since mid-November 2023.
Microsoft Threat Intelligence observed several actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, using App Installer as a point of entry for human-operated ransomware activity.
At the beginning of December 2023, Microsoft observed Storm-0569 distributing BATLOADER through search engine optimization poisoning with sites spoofing legitimate software downloads such as Zoom, Tableau, TeamViewer, and AnyDesk.
Storm-0569's campaigns cover multiple infection chains that typically begin with maliciously signed Microsoft Installer files posing as legitimate software installations or updates for applications such as TeamViewer, Zoom, and AnyDesk.
Since mid-November 2023, Microsoft observed Storm-1113's EugenLoader delivered through search advertisements mimicking the Zoom app.
In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations.
Microsoft has taken action to mitigate the spread of malware from confirmed malicious tenants by blocking their ability to send messages, thus cutting off the main method used for phishing.
In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.
Refer to the Microsoft Security Response Blog for App Installer protection tips.
Microsoft recommends the following mitigations to reduce the impact of this threat.
Educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
Apply Microsoft's security best practices for Microsoft Teams to safeguard Teams users.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
Microsoft Defender Antivirus detects threat components as the malware listed below.
Microsoft Defender for Office 365 detects malicious activity associated with this threat.
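Because an ms-appinstaller: URI carries the remote MSIX location in its source parameter, a proxy or browser URL log can be reviewed for App Installer launches that point at hosts outside an approved allowlist. The following is an added example and not code from the original post; it assumes constructed log lines with a url= field and a hypothetical allowlist TRUSTED_MSIX_HOSTS.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URL log lines (not from the original post); the spoofed
# hosts are placeholders standing in for the fake Zoom/TeamViewer download sites.
SAMPLE_LOG = """\
2023-12-01T10:02:11Z user=alice url=https://www.zoom.us/download action=allow
2023-12-01T10:03:45Z user=bob url=ms-appinstaller:?source=https://zoom-app-download.example/Zoom.msix action=allow
2023-12-01T10:05:02Z user=carol url=ms-appinstaller:?source=https%3A%2F%2Fteamviewer-setup.example%2FTeamViewer.msix action=allow
2023-12-01T10:07:19Z user=dave url=ms-appinstaller:?source=https://apps.corp.example/LineOfBusiness.msix action=allow
"""

# Hypothetical allowlist of hosts that may legitimately serve MSIX packages.
TRUSTED_MSIX_HOSTS = {"apps.corp.example"}

URL_RE = re.compile(r"url=(\S+)")


def extract_msix_source(url):
    """Return the MSIX source URL from an ms-appinstaller: URI, or None otherwise."""
    if not url.lower().startswith("ms-appinstaller:"):
        return None
    query = url.split("?", 1)[1] if "?" in url else ""
    sources = parse_qs(query).get("source")  # parse_qs already percent-decodes
    return unquote(sources[0]) if sources else None


def find_suspicious(log_text, trusted_hosts=TRUSTED_MSIX_HOSTS):
    """Return (timestamp, host, source_url) for App Installer launches from untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        match = URL_RE.search(line)
        if not match:
            continue
        source = extract_msix_source(match.group(1))
        if source is None:
            continue
        host = (urlparse(source).hostname or "").lower()
        if host not in trusted_hosts:
            hits.append((line.split()[0], host, source))
    return hits


if __name__ == "__main__":
    for timestamp, host, source in find_suspicious(SAMPLE_LOG):
        print(f"{timestamp} untrusted MSIX source host={host} url={source}")
```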
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.
This Cyber News was published on www.microsoft.com. Publication date: Fri, 29 Dec 2023 14:13:05 +0000