Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware.
The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to circumvent security measures that would otherwise protect Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and built-in browser alerts cautioning users against executable file downloads.
Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages.
The financially motivated Sangria Tempest hacking group (Microsoft's name for FIN7) has previously been linked to REvil and Maze ransomware after its involvement in the now-defunct BlackMatter and DarkSide ransomware operations.
In a private Microsoft threat analytics report seen by BleepingComputer, FIN7 was also connected to attacks targeting PaperCut printing servers with Clop ransomware.
As BleepingComputer reported over two years ago, Emotet also used malicious Windows AppX Installer packages camouflaged as Adobe PDF software in December 2021 to infect Windows 10 and Windows 11 systems.
The AppX Installer spoofing vulnerability was exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure, using *.web.
Microsoft previously disabled the ms-appinstaller protocol handler in February 2022 to thwart Emotet's onslaught.
Since devices compromised as part of these attacks may also be targeted with ransomware, Redmond disabled the ms-appinstaller protocol handler again on December 28, 2023.
Today, Microsoft recommended installing the patched App Installer version 1.21.3421.0 or later to block exploitation attempts.
The company also advised admins who can't immediately deploy the latest App Installer version to disable the protocol by setting the Group Policy EnableMSAppInstallerProtocol to Disabled.
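The two mitigations above can be audited from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft: it checks whether the installed App Installer package meets the 1.21.3421.0 minimum named above and whether the EnableMSAppInstallerProtocol policy is set to Disabled. The registry location assumed for that policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller) is not stated on the page and should be confirmed against the ADMX template in your environment; the Microsoft.DesktopAppInstaller package name and the ms-appinstaller protocol key under HKEY_CLASSES_ROOT are standard Windows locations.

```powershell
# Added audit script (not from the BleepingComputer article). Reports whether a host
# has either of the two mitigations the article describes for CVE-2021-43890 abuse.
$MinimumVersion = [version]'1.21.3421.0'   # patched App Installer version named in the article

function Test-AppInstallerPatched {
    # Get-AppxPackage without -AllUsers reports the current user's package; run elevated
    # with -AllUsers to audit every profile on the machine.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -AllUsers -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if (-not $pkg) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $false }
    }
    $v = [version]$pkg.Version
    [pscustomobject]@{ Installed = $true; Version = $v; Patched = ($v -ge $MinimumVersion) }
}

function Test-MSAppInstallerProtocolDisabled {
    # ASSUMPTION: policy registry path; verify against the AppInstaller ADMX in your tenant.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $value = Get-ItemProperty -Path $policyPath -Name 'EnableMSAppInstallerProtocol' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $false }   # not configured: the protocol handler is still enabled
    return ($value.EnableMSAppInstallerProtocol -eq 0)
}

function Test-MSAppInstallerHandlerRegistered {
    # The ms-appinstaller: URI scheme is registered as a protocol handler under HKCR.
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'
}

function Get-MSAppInstallerMitigationReport {
    $patched  = Test-AppInstallerPatched
    $disabled = Test-MSAppInstallerProtocolDisabled
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AppInstallerVersion     = $patched.Version
        AppInstallerPatched     = $patched.Patched
        ProtocolPolicyDisabled  = $disabled
        HandlerRegistered       = Test-MSAppInstallerHandlerRegistered
        # Either mitigation closes the abuse path the article describes.
        Mitigated               = ($patched.Patched -or $disabled)
    }
}

$report = Get-MSAppInstallerMitigationReport
$report | Format-List
if (-not $report.Mitigated) {
    Write-Warning 'Neither mitigation is in place: update App Installer or set EnableMSAppInstallerProtocol to Disabled.'
    exit 1
}
exit 0
```

The non-zero exit code makes the script usable as a compliance check from an RMM or scheduled task. Note that the policy check reads the machine-level key only; if the policy is deployed per user in your environment, extend the function to read the equivalent HKCU path.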
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 28 Dec 2023 19:05:19 +0000