Microsoft has disabled the App Installer functionality that allowed Windows 10 apps to be installed directly from a web page by clicking on a link that used the ms-appinstaller URI scheme. This functionality has been heavily abused in recent months by different threat actors to deploy ransomware and other malicious implants.
“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft said in a report last week.
The protocol handler was disabled on December 28 with the release of App Installer version 1.21.3421.0 after the company previously warned about the Windows AppX Installer Spoofing Vulnerability (CVE-2021-43890) on the last Patch Tuesday.
How does Microsoft App Installer work?
App Installer is a feature that was introduced in Windows 10 in 2016 to facilitate the installation of Universal Windows Platform (UWP) apps, previously known as Windows Store apps. These applications can be deployed on all Windows devices and are distributed in a package format called MSIX as .msxi or .msixbundle files. MSIX was introduced in 2019 and replaced the older AppX packaging format for apps on the Microsoft Store.
However, MSIX packages don’t necessarily have to be deployed from the Microsoft Store, they can also be installed offline and can also be deployed from any website thanks to the ms-appinstaller URI scheme and protocol handler. Microsoft encourages enterprises to use MSIX packages to deploy their applications because they offer better reliability and installation success rate, as well as optimized bandwidth and disk space usage.
“MSIX enables enterprises to stay current and ensure their applications are always up to date. It allows IT pros and developers to deliver a user centric solution while still reducing the cost of ownership of application by reducing the need to repackage,” the company said.
When deployed directly from a website, the page will contain a link of the form ms-appinstaller:?source=http://link-to.domain/app-name.msix. When clicked, the browser will pass the request to the ms-appinstaller protocol handler in Windows, which will invoke App Installer. This is the same type of functionality seen with other apps that register custom protocol handlers in Windows, such as when clicking a button on a web page to join a conference call and having the browser automatically open the Zoom or Microsoft Teams desktop apps.
Extensive Microsoft App Installer abuse
Attackers started abusing the ms-appinstaller URI scheme a while ago by leading users to spoofed web pages for popular software and instead delivering malware packaged as MSIX. According to Microsoft, the technique saw adoption with multiple groups, culminating with a spike in attacks during November and December 2023.
At the beginning of December, an access broker group that Microsoft tracks as Storm-0569 launched a search engine optimization campaign that distributed BATLOADER using this technique. The group poisoned search results with links to web pages that posed as the official websites for legitimate software applications such as Zoom, Tableau, TeamViewer, and AnyDesk.
“Users who search for a legitimate software application on Bing or Google may be presented with a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol,” Microsoft said. “Spoofing and impersonating popular legitimate software is a common social engineering tactic.”
If the rogue links are clicked, users are presented with the App Installer window, which displays an install button. If that button is clicked, the malicious MSIX package is installed along with additional PowerShell and batch scripts that deploy BATLOADER. This malware loader is then used to deploy additional implants such as the Cobalt Strike Beacon, the Rclone data exfiltration tool and the Black Basta ransomware.
Another access broker tracked as Storm-1113 that also specializes in malware distribution through search advertisements has also used this technique in mid-November 2023 to deploy a malware loader called EugenLoader by spoofing Zoom downloads. Since this group offers malware deployment as a service, EugenLoader has been used to deploy a variety of implants including Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer. Another group tracked as Sangria Tempest (also known as FIN7) used EugenLoader in November to drop its infamous Carbanak malware framework which in turn deployed the Gracewire implant.
“In other cases, Sangria Tempest uses Google ads to lure users into downloading malicious MSIX application packages–possibly relying on Storm-1113 infrastructure–leading to the delivery of POWERTRASH, a highly obfuscated PowerShell script,” the Microsoft researchers said.
Yet another group tracked by Microsoft as Storm-1674 used Storm-1113’s infrastructure and services that abused the malicious the ms-appinstaller protocol handler to deploy SectopRAT or DarkGate. However, the group distributed links to the spoofed landing pages using messages on Teams. The landing pages spoofed Microsoft services like OneDrive and SharePoint and prompted users to download Adobe Acrobat Reader or other tools to access the files supposedly listed there.
All the rogue MSIX files delivered through such websites are digitally signed to prevent security warnings. By disabling the ms-appinstaller protocol handler by default, Microsoft forces such files to now be downloaded first to disk before being executed which means endpoint security products have a chance to scan and flag them.
While this breaks the installation of MSIX files directly from websites, such files can still be downloaded and installed offline, which shouldn’t impact companies that use this application packaging format. Users who do need the functionality can re-enable it by changing the Group Policy EnableMSAppInstallerProtocol to Disabled.