Microsoft has again disabled the ms-appinstaller protocol handler by default, as of December 28, 2023, after having disabled it once before in 2022. The move addresses the exploitation of the MSIX ms-appinstaller protocol handler by several threat groups seeking to infiltrate Windows systems with malware.

Threat actors, including the financially motivated groups Storm-0569, Storm-1113, Sangria Tempest (also known as FIN7) and Storm-1674, have used the ms-appinstaller URI scheme to distribute malware, and the observed activity carries ransomware risk. Exploiting CVE-2021-43890, the Windows AppX Installer spoofing vulnerability, attackers bypassed protections such as Microsoft Defender SmartScreen and browser warnings, using malicious software advertisements and Microsoft Teams phishing messages to deliver signed malicious MSIX application packages. Some cybercriminals even sell a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler. Sangria Tempest, previously linked to ransomware operations, was tied to attacks on PaperCut printing servers that deployed Clop ransomware.

This is not the first abuse of App Installer. In 2021 the same AppX Installer vulnerability was used to distribute BazarLoader through malicious packages hosted on Microsoft Azure under *. URLs, and Emotet misused Windows AppX Installer with a package disguised as Adobe PDF software to infect Windows 10 and 11 systems.
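A practitioner reading this will want to know whether a given Windows host still honors ms-appinstaller:// links. The following PowerShell check is an added example, not code from the page or from Microsoft. It assumes two things the page does not state: that Microsoft shipped the default-off change in App Installer (package Microsoft.DesktopAppInstaller) version 1.21.3421.0 or newer, and that the "Enable App Installer ms-appinstaller protocol" Group Policy is stored as the DWORD EnableMSAppInstallerProtocol under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, where an explicit value overrides the built-in default.

```powershell
# Added example (not from the page or from Microsoft): report whether this host
# still honors ms-appinstaller:// links.
# Assumptions, not stated on the page:
#   - App Installer 1.21.3421.0 or newer ships with the protocol handler off by default.
#   - Policy location: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller,
#     DWORD EnableMSAppInstallerProtocol (1 = allow, 0 = block); absent = built-in default.

$fixedVersion = [version]'1.21.3421.0'
$policyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$policyName   = 'EnableMSAppInstallerProtocol'

# 1. Installed App Installer build. Without -AllUsers only the current profile is
#    listed; run elevated with -AllUsers to cover every profile on the machine.
$pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue |
       Sort-Object { [version]$_.Version } -Descending |
       Select-Object -First 1

if (-not $pkg) {
    Write-Output 'App Installer is not installed; ms-appinstaller:// links cannot be handled here.'
} else {
    $installed = [version]$pkg.Version
    if ($installed -ge $fixedVersion) {
        Write-Output ("App Installer {0}: protocol handler is OFF by default." -f $installed)
    } else {
        Write-Warning ("App Installer {0} predates {1}: protocol handler is ON by default; update the package." -f $installed, $fixedVersion)
    }
}

# 2. Explicit policy, which wins over the default in either direction.
$policy = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Output "No $policyName policy is set; the App Installer default applies."
} elseif ($policy.$policyName -eq 1) {
    Write-Warning "$policyName = 1: ms-appinstaller:// has been explicitly re-enabled on this host."
} else {
    Write-Output "$policyName = $($policy.$policyName): ms-appinstaller:// is explicitly blocked."
}
```

Run it in an elevated PowerShell session on each endpoint, or through your endpoint management tool, and treat either warning as a finding: an old App Installer build means a browser link can still hand a remote MSIX to App Installer without the user ever downloading a file, and a policy value of 1 means someone deliberately turned the handler back on after Microsoft's change.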