When installed directly from a website, the web page will contain a link of the form ms-appinstaller:?source=http://link-to.domain/app-name.msix. When clicked, the browser passes the request to the ms-appinstaller protocol handler in Windows, which invokes App Installer. This is the same type of functionality seen with other apps that register custom protocol handlers in Windows, such as when clicking a button on a web page to join a conference call and having the browser automatically open the Zoom or Microsoft Teams desktop apps.
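Because the whole delivery mechanism hinges on that one link shape, a defender can hunt for it in crawled page content or proxy logs. The following Python is an added example written for this article, not code from Microsoft or any of the tools discussed: it finds ms-appinstaller: links in arbitrary text, pulls out the source package URL, and labels it against an allowlist of expected publisher domains. The sample input, the allowlist and the domain names in it are constructed for the example.

```python
"""Find ms-appinstaller: links in HTML or proxy logs and classify the package source URL."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# The link shape described above: ms-appinstaller:?source=<package URL>.
# The character class stops at whitespace and HTML/quote delimiters.
APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: one spoofed download page link, one proxy log line,
# one percent-encoded link. None of these hosts are real download locations.
SAMPLE_INPUT = """
<a href="ms-appinstaller:?source=https://zoom-download.example/ZoomInstaller.msix">Download Zoom</a>
2023-12-01T10:02:11Z GET ms-appinstaller:?source=http://link-to.domain/app-name.msix
<a href="ms-appinstaller:?source=https%3A%2F%2Fcdn.zoom.us%2Fclient.msix">Install</a>
"""

# Example allowlist (an assumption for this example): hosts you expect
# legitimate MSIX packages to be served from, matched as exact host or subdomain.
TRUSTED_HOSTS = {"zoom.us"}


def extract_sources(text):
    """Return the package URLs named in every ms-appinstaller link found in text."""
    sources = []
    for match in APPINSTALLER_RE.finditer(text):
        link = html.unescape(match.group(0))          # undo &amp; etc. from HTML
        query = link.split("?", 1)[1]
        params = parse_qs(query, keep_blank_values=True)  # also percent-decodes
        sources.extend(params.get("source", []))
    return sources


def classify(source, trusted_hosts):
    """Label a package URL: 'plaintext-http', 'untrusted-host' or 'trusted'."""
    parts = urlsplit(source)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        # A package fetched over plain HTTP can be swapped on the wire.
        return "plaintext-http"
    if host in trusted_hosts or any(host.endswith("." + h) for h in trusted_hosts):
        return "trusted"
    return "untrusted-host"


def triage(text, trusted_hosts=TRUSTED_HOSTS):
    """Pair every extracted source URL with its verdict."""
    return [(src, classify(src, trusted_hosts)) for src in extract_sources(text)]


if __name__ == "__main__":
    for source, verdict in triage(SAMPLE_INPUT):
        print(f"{verdict:15} {source}")
```

The allowlist is the part to adapt: the attacks described here do not rely on a broken protocol handler, so the only signal at the link level is that the package is served from a host the spoofed vendor does not own, which is what the host check captures.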
Extensive Microsoft App Installer abuse
Attackers started abusing the ms-appinstaller URI scheme some time ago by leading users to spoofed web pages for popular software and delivering malware packaged as MSIX instead. According to Microsoft, the technique was adopted by multiple groups, culminating in a spike in attacks during November and December 2023.
In early December, an access broker group that Microsoft tracks as Storm-0569 launched an SEO poisoning campaign that distributed BATLOADER using this technique. The group poisoned search results with links to web pages that posed as the official websites of legitimate software applications such as Zoom, Tableau, TeamViewer, and AnyDesk.
“Users who search for a legitimate software application on Bing or Google may be presented with a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol,” Microsoft said. “Spoofing and impersonating popular legitimate software is a common social engineering tactic.”
If the rogue links are clicked, users are presented with the App Installer window, which displays an Install button. If that button is clicked, the malicious MSIX package is installed along with additional PowerShell and batch scripts that deploy BATLOADER. This malware loader is then used to deploy further implants such as the Cobalt Strike Beacon, the Rclone data exfiltration tool, and the Black Basta ransomware.
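An MSIX package is a ZIP archive with an AppxManifest.xml at its root, so a first-pass static triage of a suspect installer can be done without running it: read the declared identity and publisher, list the executables the manifest launches, and list any script files packed alongside them, which is the pattern described above. The following Python is an added example written for this article, not code from Microsoft or from any of the named malware families. The package it inspects is a minimal in-memory stand-in built by the example itself (a real package carries more manifest elements and a signature); the package name, publisher string and file names are constructed.

```python
"""Static triage of an MSIX package: read the manifest and list embedded scripts."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Default namespace used by Windows 10 MSIX/Appx manifests.
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
# Script types worth flagging in an installer that claims to be a desktop app.
SCRIPT_EXTENSIONS = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def triage_msix(data):
    """Return a report dict for MSIX bytes: identity, launched executables, embedded scripts."""
    report = {"name": None, "publisher": None, "executables": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        report["scripts"] = sorted(n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS))
        if "AppxManifest.xml" in names:
            root = ET.fromstring(pkg.read("AppxManifest.xml"))
            identity = root.find(APPX_NS + "Identity")
            if identity is not None:
                report["name"] = identity.get("Name")
                report["publisher"] = identity.get("Publisher")
            for app in root.iter(APPX_NS + "Application"):
                exe = app.get("Executable")
                if exe:
                    report["executables"].append(exe)
    # Heuristic for this example: a desktop installer shipping PowerShell or
    # batch scripts deserves a closer look. It does not validate the signature.
    report["suspicious"] = bool(report["scripts"])
    return report


def build_sample_package():
    """Construct a toy MSIX-like archive in memory (made up for this example, not a real sample)."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="ZoomInstaller" Publisher="CN=Not Zoom, O=Example" Version="1.0.0.0" />
  <Applications>
    <Application Id="App" Executable="Launcher.exe" EntryPoint="Windows.FullTrustApplication" />
  </Applications>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("Launcher.exe", b"MZ")                 # placeholder, not a real binary
        pkg.writestr("scripts/install.ps1", "# placeholder")
        pkg.writestr("scripts/setup.bat", "@echo off")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_msix(build_sample_package())
    for key, value in report.items():
        print(f"{key:12} {value}")
```

The publisher string is worth comparing against the vendor the landing page claims to be, since the whole lure depends on the user never seeing that mismatch; the report deliberately stops short of trusting a signature, which needs a separate check against the package's actual certificate chain.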
Another access broker tracked as Storm-1113, which also specializes in malware distribution through search advertisements, used this technique in mid-November 2023 to deploy a malware loader called EugenLoader by spoofing Zoom downloads. Since this group offers malware deployment as a service, EugenLoader has been used to deploy a variety of implants including Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer. Another group tracked as Sangria Tempest (also known as FIN7) used EugenLoader in November to drop its infamous Carbanak malware framework, which in turn deployed the Gracewire implant.