Microsoft disables Windows feature amid flurry of cyberattacks


Key Takeaways

Microsoft has disabled the App Installer feature in Windows due to its exploitation by cybercriminals using the ms-appinstaller URI scheme to spread malware.

Threat actors, including groups like Storm-0569 and Storm-1113, have been leveraging search engine ads and SEO poisoning to distribute malware disguised as legitimate applications.

In response to these attacks, Microsoft has blocked the Teams accounts linked to the malware campaigns and disabled the code signing certificates of the malicious applications it identified.

Microsoft has disabled a Windows feature, App Installer, which allows users to download and install new applications, after discovering that financially motivated actors were using it to spread malware, the company announced in a recent blog post.

Since mid-November of last year, the company's threat intelligence team has observed threat actors including Storm-0569, Storm-1113, Sangria Tempest and Storm-1674 using the ms-appinstaller URI scheme to distribute malware. To protect customers from this activity, Microsoft also investigated how App Installer was being used in these attacks and, as a result, disabled it.

During its investigations, the company found that multiple cybercriminals were also selling a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler. The attackers distributed signed malicious MSIX application packages from websites that victims reached through malicious advertisements for popular, legitimate software.

Storm-1113 and Sangria Tempest used search engine ads, such as Google ads, to distribute their malware; users who clicked on the ads were then lured into downloading malicious MSIX files disguised as legitimate programs. Microsoft believes the Sangria Tempest attacks were supported by Storm-1113 infrastructure, which led to the delivery of POWERTRASH, a PowerShell script.

Another hacking group, Storm-0569, was observed distributing BATLOADER through SEO poisoning, using sites that imitated legitimate download pages for software such as Zoom, Tableau, TeamViewer and AnyDesk.

The company stated that the ms-appinstaller protocol handler was likely chosen because it lets attackers bypass the mechanisms that protect users from malware, such as Microsoft Defender SmartScreen and the built-in browser warnings shown for downloads of executable file formats.
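Because an ms-appinstaller link hands the package URL directly to App Installer instead of going through the browser's download path, the link itself is the artifact a defender can hunt for in web proxy logs. The following is an added example, not code from the article or from Microsoft: it pulls ms-appinstaller URIs out of log lines, extracts the package URL carried in the `source` query parameter (the documented form of the URI is `ms-appinstaller:?source=<package URL>`), and flags any package not hosted on an internal allowlist. The log format, the sample lines, and the allowlist host `packages.corp.example` are all constructed for illustration.

```python
"""Flag ms-appinstaller: URIs in web/proxy log lines (added example, not from the article)."""
import re
from urllib.parse import unquote, urlparse

# Package file types that App Installer is expected to handle.
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# Hypothetical allowlist of hosts an organisation publishes its own MSIX packages from.
TRUSTED_HOSTS = {"packages.corp.example"}

# An ms-appinstaller URI runs until whitespace or a quote/angle bracket in a log line.
URI_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)

# The package URL sits in the `source` parameter; stop at '&' or whitespace.
SOURCE_RE = re.compile(r"[?&]source=([^&\s]+)", re.IGNORECASE)


def extract_source(uri: str):
    """Return the package URL named by an ms-appinstaller URI, or None if absent."""
    m = SOURCE_RE.search(uri)
    return unquote(m.group(1)) if m else None


def looks_like_package(url: str) -> bool:
    """True if the URL path ends in a known MSIX/AppX package extension."""
    return urlparse(url).path.lower().endswith(PACKAGE_EXTS)


def classify(uri: str):
    """Return (verdict, host, package_url) for one ms-appinstaller URI.

    verdict is 'malformed' (no source), 'allowed' (source host on the allowlist)
    or 'untrusted' (anything else, including targets with no package extension,
    since App Installer does not require one).
    """
    src = extract_source(uri)
    if src is None:
        return ("malformed", None, None)
    host = (urlparse(src).hostname or "").lower()
    verdict = "allowed" if host in TRUSTED_HOSTS else "untrusted"
    return (verdict, host, src)


def scan_log(lines):
    """Yield (line_number, verdict, host, package_url) for every URI found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in URI_RE.finditer(line):
            verdict, host, src = classify(m.group(0))
            findings.append((n, verdict, host, src))
    return findings


# Constructed sample proxy log: an ad click redirecting to a fake Zoom download page
# that serves an ms-appinstaller link, an internal IT page serving a company package,
# and a link whose target has no package extension at all.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z GET https://ads-click.example/track?id=42 302 -> https://zoom-download.example/setup.html
2024-01-10T09:12:03Z GET https://zoom-download.example/setup.html 200 "ms-appinstaller:?source=https://zoom-download.example/ZoomInstaller.msix"
2024-01-10T09:15:44Z GET https://intranet.corp.example/it/tools.html 200 "ms-appinstaller:?source=https://packages.corp.example/Helpdesk.msixbundle"
2024-01-10T09:20:10Z GET https://news.example/article 200
2024-01-10T09:21:00Z GET https://promo.example/x 200 "ms-appinstaller:?source=https://cdn.example/download.php"
"""

if __name__ == "__main__":
    for line_no, verdict, host, src in scan_log(SAMPLE_LOG.splitlines()):
        pkg = "package-ext" if src and looks_like_package(src) else "no-package-ext"
        print(f"line {line_no}: {verdict:9} host={host} target={src} ({pkg})")
```

The allowlist decision is deliberately made on the host of the package URL, not on the page that linked to it: the malicious-ad flow in the article lands users on a lookalike site whose page and package are both attacker-controlled, so the page's reputation tells a defender nothing. Targets without a package extension are still reported as untrusted rather than ignored, because the handler fetches whatever the server returns.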

To disrupt further attacks, Microsoft has blocked the Teams accounts linked to the malware campaigns. The company has also disabled the code signing certificates of the malicious applications it identified during its research.

Customers can consult Microsoft's threat intelligence reports, available across several of its products, for the most up-to-date information on this malicious activity.

The development follows Microsoft and Amazon's announcement in October 2023 that the two companies had joined forces with international law enforcement to fight the perpetrators of tech support fraud.