When deployed directly from a website, the web page will contain a link of the form ms-appinstaller:?source=http://link-to.domain/app-name.msix. When clicked, the browser passes the request to the ms-appinstaller protocol handler in Windows, which invokes App Installer; the browser itself never downloads the package, App Installer fetches the URL named in the source parameter. This is the same kind of functionality seen with other apps that register custom protocol handlers in Windows, such as when clicking a button on a web page to join a conference call and having the browser automatically open the Zoom or Microsoft Teams desktop apps.
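The link shape above is easy to hunt for in web content, e-mail bodies or proxy logs. The following is an added example, not code from the article or from Microsoft: it parses the `source` parameter out of an ms-appinstaller: URI and flags the properties a defender would care about (package fetched over plain HTTP, source host not on an allowlist, host name borrowing a vendor brand, non-package file extension). The allowlist, the brand keyword list and the sample HTML are constructed for the demonstration and are assumptions, not values from the page.

```python
"""Find and triage ms-appinstaller: links in web content or proxy logs.

Added example, not code from the article or from Microsoft. It assumes the
URI shape the article describes (ms-appinstaller:?source=<package URL>).
The allowlist, brand keywords and sample HTML are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The handler is invoked through a link whose query carries the package URL
# in the `source` parameter; match that shape wherever it appears in text.
MSAPPINSTALLER_RE = re.compile(r"ms-appinstaller:\?([^\s\"'<>]+)", re.IGNORECASE)

# Hypothetical allowlist: hosts this organisation actually serves MSIX from.
TRUSTED_SOURCE_HOSTS = {"packages.example.com"}

# Brand names commonly impersonated in installer lures (crude heuristic).
SPOOFED_BRANDS = ("zoom", "tableau", "teamviewer", "anydesk")

# Package types App Installer will fetch through this protocol.
PACKAGE_SUFFIXES = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")


def parse_ms_appinstaller(uri):
    """Return the package URL named by `source`, or None if `uri` is not
    an ms-appinstaller link (or carries no source parameter)."""
    match = MSAPPINSTALLER_RE.search(uri)
    if not match:
        return None
    params = parse_qs(match.group(1), keep_blank_values=True)
    values = params.get("source")
    return values[0] if values and values[0] else None


def triage(uri):
    """Classify one ms-appinstaller link. Returns None for non-matching input,
    otherwise a dict with the package URL, its host and a list of findings."""
    source = parse_ms_appinstaller(uri)
    if source is None:
        return None
    parts = urlsplit(source)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("plain-http-source")     # package fetched without TLS
    if host not in TRUSTED_SOURCE_HOSTS:
        findings.append("untrusted-host")        # not an allowlisted package host
    if any(brand in host for brand in SPOOFED_BRANDS):
        findings.append("brand-lookalike-host")  # host name borrows a vendor brand
    if not parts.path.lower().endswith(PACKAGE_SUFFIXES):
        findings.append("unexpected-extension")  # not an App Installer package type
    return {"source": source, "host": host, "findings": findings}


def scan_text(text):
    """Triage every ms-appinstaller link found in HTML, e-mail or log text."""
    return [triage(m.group(0)) for m in MSAPPINSTALLER_RE.finditer(text)]


# Constructed sample page: one lure, one legitimate internal link, one ordinary link.
SAMPLE_HTML = """
<a href="ms-appinstaller:?source=http://zoom-download.example.net/ZoomInstaller.msix">Download Zoom</a>
<a href="ms-appinstaller:?source=https://packages.example.com/internal-tool.msix">Internal tool</a>
<a href="https://example.com/docs">Documentation</a>
"""

if __name__ == "__main__":
    for result in scan_text(SAMPLE_HTML):
        print(result["source"], "->", ", ".join(result["findings"]) or "clean")
```

The heuristics are deliberately coarse; the signal that matters most in practice is any ms-appinstaller link at all whose source host is not one you publish packages from, because a legitimate vendor download page has no reason to hand a browser off to App Installer for a package hosted elsewhere. The same function can be run over the URL column of a proxy or mail-gateway log, since the link survives URL-encoding (`parse_qs` decodes `https%3A%2F%2F...` back into a URL).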
Extensive Microsoft App Installer abuse
Attackers started abusing the ms-appinstaller URI scheme some time ago by luring users to spoofed web pages for popular software and delivering malware packaged as MSIX instead. According to Microsoft, the technique saw adoption by multiple groups, culminating in a spike in attacks during November and December 2023.
At the beginning of December, an access broker group that Microsoft tracks as Storm-0569 launched a search engine optimization (SEO) poisoning campaign that distributed BATLOADER using this technique. The group poisoned search results with links to web pages posing as the official websites of legitimate software applications such as Zoom, Tableau, TeamViewer, and AnyDesk.
“Users who search for a legitimate software application on Bing or Google may be presented with a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol,” Microsoft said. “Spoofing and impersonating popular legitimate software is a common social engineering tactic.”
If the rogue links are clicked, users are presented with the App Installer window, which displays an Install button. If that button is clicked, the malicious MSIX package is installed along with additional PowerShell and batch scripts that deploy BATLOADER. This malware loader is then used to deploy further implants such as the Cobalt Strike Beacon, the Rclone data exfiltration tool, and the Black Basta ransomware.
Another access broker, tracked as Storm-1113, which also specializes in malware distribution through search advertisements, used this technique in mid-November 2023 to deploy a malware loader called EugenLoader by spoofing Zoom downloads. Because this group offers malware deployment as a service, EugenLoader has been used to deploy a variety of implants, including Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer. Another group tracked as Sangria Tempest (also known as FIN7) used EugenLoader in November to drop its infamous Carbanak malware framework, which in turn deployed the Gracewire implant.