2023-12-29

Key Takeaways

Microsoft warns of a surge in cyberattacks abusing the Windows App Installer (ms-appinstaller) protocol, with threat groups including Storm-0569 and Sangria Tempest distributing ransomware through fake software download sites and Microsoft Teams.

Malicious actors abuse the ms-appinstaller protocol handler to sidestep download protections such as Microsoft Defender SmartScreen, delivering signed malicious MSIX packages from spoofed landing pages that imitate popular applications.

Storm-1674 targets users through Teams messages, luring them to spoofed applications that deliver malware and then carrying out activities such as data exfiltration and remote monitoring of infected devices. Microsoft has responded by blocking malicious tenants and disabling the ms-appinstaller URI scheme handler by default.

Abuse of the Windows AppX Installer spoofing vulnerability is not new. Microsoft documented it as CVE-2021-43890 back in December 2021. At the time, attackers were crafting malicious packages, including ransomware, that were delivered by exploiting this weakness, and Microsoft recommended that customers either install the patched version of App Installer or disable the ms-appinstaller protocol entirely through Group Policy. Now, following a recent resurgence in its exploitation, Microsoft has issued fresh guidance on the same vulnerability.
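As an added example (not code from Microsoft's advisory or from this article), the following PowerShell enforces on a single host the Group Policy that disables the ms-appinstaller protocol, then checks the result. It assumes the policy registry location and value name that the Desktop App Installer ADMX template writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, EnableMSAppInstallerProtocol) and must run from an elevated session; in a domain you would set the same policy ("Enable App Installer ms-appinstaller protocol" under Windows Components > Desktop App Installer) centrally rather than writing the registry on each machine.

```powershell
# Added example: disable the ms-appinstaller protocol by policy and verify the state.
# Assumed policy location and value name (those written by the Desktop App Installer ADMX).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$ValueName = 'EnableMSAppInstallerProtocol'

function Disable-MsAppInstallerProtocol {
    # Create the policy key if no App Installer policy has ever been applied on this host.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # 0 = policy "Disabled": App Installer refuses ms-appinstaller: activation even on
    # builds where the handler is still enabled by default.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-MsAppInstallerProtocolDisabled {
    # True only if the policy value exists and is 0. A missing value means "Not configured",
    # which on an unpatched App Installer leaves the protocol enabled.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 0)
}

function Get-MsAppInstallerSchemeRegistration {
    # Assumption: URI scheme registrations live under HKCR\<scheme>. Whether the scheme key
    # exists at all tells you if any handler is still registered for ms-appinstaller:,
    # so you can see whether the policy is the only control in place.
    $schemeKey = 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'
    [pscustomobject]@{
        SchemeRegistered = (Test-Path $schemeKey)
        PolicyDisabled   = (Test-MsAppInstallerProtocolDisabled)
    }
}

Disable-MsAppInstallerProtocol
Get-MsAppInstallerSchemeRegistration
```

The policy is the control you can roll out today regardless of which App Installer build a machine has; the updated App Installer that disables the handler by default is the longer-term fix, and the registration check above is how you tell the two states apart on a given host.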

In a detailed blog post, Microsoft notes that since November 2023 it has observed an increase in attacks using App Installer as the initial access vector. Multiple threat groups, including Storm-0569, Storm-1113, Storm-1674, and Sangria Tempest, have been leveraging the MSIX file format and the ms-appinstaller protocol to distribute ransomware. These actors typically deliver signed malicious MSIX packages through fake download sites for popular software and, in some cases, through Microsoft Teams. The ms-appinstaller protocol handler is an attractive vector because it lets a web page hand a remote package directly to App Installer rather than through the browser's download path, so Microsoft Defender SmartScreen and Edge's built-in warnings for downloaded executable files never get a chance to intervene.

Microsoft has also shed light on the distribution chain. Some actors use SEO poisoning to push their spoofed landing pages to the top of Google and Bing results for searches on popular applications such as Zoom, Tableau, and TeamViewer. A user downloads the malicious package from the spoofed landing page believing it to be the legitimate software. Opening it presents a spoofed installation dialog, and if the user clicks "Install", the malicious package is installed on their computer.
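The chain above (a lure page that invokes ms-appinstaller: with a source= parameter pointing at an attacker-hosted MSIX) leaves a distinctive artifact in web-proxy or page-content logs. As an added example that is not one of Microsoft's published hunting queries, this PowerShell extracts the package URL from every ms-appinstaller: activation it finds and flags packages served from hosts outside an allowlist. The log lines, the allowlist, and the log layout (timestamp, client, URL, referer) are all constructed for illustration.

```powershell
# Added example: hunt for ms-appinstaller: activations that fetch an MSIX from an
# unexpected host. Log format and allowlist below are assumptions, not a real product's.
$TrustedMsixHosts = @('apps.microsoft.com', 'download.microsoft.com')   # your own allowlist goes here

# Constructed sample proxy lines: "<timestamp> <client> <url> <referer>"
$SampleLines = @(
    '2023-12-04T10:01:12Z 10.0.0.7 ms-appinstaller:?source=https://download.microsoft.com/contoso/Contoso.msix https://apps.microsoft.com/',
    '2023-12-04T10:04:55Z 10.0.0.9 ms-appinstaller:?source=https%3A%2F%2Fzoom-download.example%2FZoom.msix https://zoom-download.example/download',
    '2023-12-04T10:05:30Z 10.0.0.9 https://zoom.us/download -'
)

function Find-MsAppInstallerLure {
    param([string[]]$Lines, [string[]]$AllowedHosts)
    # Match the activation URI wherever it appears; source= may be raw or percent-encoded.
    $pattern = 'ms-appinstaller:\?source=(?<src>\S+)'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }
        # Decode once so an encoded host cannot slip past the allowlist comparison.
        $source = [uri]::UnescapeDataString($m.Groups['src'].Value)
        $uri = $null
        if (-not [uri]::TryCreate($source, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $srcHost = $uri.Host.ToLowerInvariant()
        [pscustomobject]@{
            Client     = ($line -split '\s+')[1]
            SourceHost = $srcHost
            Package    = [System.IO.Path]::GetFileName($uri.AbsolutePath)
            Suspicious = ($AllowedHosts -notcontains $srcHost)
        }
    }
}

Find-MsAppInstallerLure -Lines $SampleLines -AllowedHosts $TrustedMsixHosts | Format-Table -AutoSize
```

On the sample data the second line is flagged: the lure impersonates Zoom but serves Zoom.msix from zoom-download.example, which is exactly the brand-lookalike pattern the SEO-poisoned landing pages rely on. The third line is a plain HTTPS download and never matches, because the hunt keys on the protocol activation itself rather than on the .msix extension.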

Meanwhile, at least one threat actor, Storm-1674, has been delivering spoofed OneDrive and SharePoint landing pages through Teams messages. Using a tenant it created, the actor set up one-to-one chats and meeting invites with targets and lured them to spoofed applications that delivered malware. In some cases, Storm-1674 was seen using malicious packages developed by Storm-1113. To counter this, Microsoft has begun showing accept/block prompts for external users in Teams and has blocked tenant accounts confirmed to be malicious.

Numerous malicious activities were observed during this latest spree, including data exfiltration, remote management and monitoring of infected devices, and the installation of payloads such as BATLOADER, Cobalt Strike Beacon, Redline stealer, Gozi, Smoke Loader, and more. Storm-1113 also acted as a malware-as-a-service provider for other threat actors.

As a result, Microsoft has disabled the ms-appinstaller URI scheme handler by default in the latest version of App Installer. Interestingly, BleepingComputer reports that Microsoft made the same change back in February 2022, so it is unclear why the handler was subsequently re-enabled. Other recommendations include deploying phishing-resistant authentication methods, configuring Conditional Access policies, educating users about safe use of Microsoft Teams and their browser, and enabling the advanced protections in Microsoft Defender for Office 365. The blog post also includes indicators of compromise (IOCs), threat intelligence reports, and hunting queries for Microsoft Defender XDR, and is worth reading if you are responsible for your organization's security posture.