When deployed directly from a website, the web page will contain a link of the form ms-appinstaller:?source=http://link-to.domain/app-name.msix. When clicked, the browser passes the request to the ms-appinstaller protocol handler in Windows, which invokes App Installer. This is the same type of functionality seen with other apps that register custom protocol handlers in Windows, such as when clicking a button on a web page to join a conference call and having the browser automatically open the Zoom or Microsoft Teams desktop apps.
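As an added defensive example that is not part of the original article: a small Python scanner that pulls ms-appinstaller: links out of HTML (a saved landing page or a web proxy capture), extracts the package URL carried in the source= parameter, and reports what a reviewer would want to know about it: the host serving the package, whether it is fetched over plain HTTP, and whether that host is on an allowlist of the vendor's expected distribution hosts. The sample HTML, the allowlist and the function names are constructed for this example; only the URL form is taken from the article.

```python
# Added example (not from the article): flag ms-appinstaller: links that hand
# a package URL to Windows App Installer, and note what a defender should check.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Pull href values out of anchor tags. Deliberately simple; enough for a scan
# of saved landing pages or proxy captures, not a full HTML parser.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Package extensions App Installer accepts; anything else is worth a look.
PACKAGE_EXTENSIONS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# Constructed sample: one ordinary download link, one App Installer link using
# the URL form quoted in the article.
SAMPLE_HTML = """
<a href="https://downloads.example-vendor.test/setup.exe">Download</a>
<a href="ms-appinstaller:?source=http://link-to.domain/app-name.msix">Install now</a>
"""


@dataclass
class AppInstallerLink:
    raw: str       # the href as found on the page
    source: str    # the value of the source= parameter (package URL)
    scheme: str    # scheme of the package URL (http/https)
    host: str      # host serving the package
    package: str   # file name of the package


def parse_appinstaller_link(link: str):
    """Return an AppInstallerLink if `link` uses the ms-appinstaller scheme, else None."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    # The scheme carries no host of its own; the package location lives in the query string.
    source = parse_qs(parts.query).get("source", [""])[0]
    src = urlsplit(source)
    return AppInstallerLink(
        raw=link,
        source=source,
        scheme=src.scheme.lower(),
        host=(src.hostname or "").lower(),
        package=src.path.rsplit("/", 1)[-1],
    )


def find_appinstaller_links(text: str):
    """Scan HTML (or any text containing href attributes) for App Installer links."""
    found = []
    for href in HREF_RE.findall(text):
        parsed = parse_appinstaller_link(href)
        if parsed is not None:
            found.append(parsed)
    return found


def risk_notes(link: AppInstallerLink, allowed_hosts: set) -> list:
    """Defender-side observations for a found link. allowed_hosts is the set of
    hosts the vendor is known to distribute from (constructed for the example)."""
    notes = []
    if link.scheme != "https":
        notes.append("package fetched over plain HTTP, not HTTPS")
    if link.host not in allowed_hosts:
        notes.append(f"package host {link.host!r} is not an expected distribution host")
    if not link.package.lower().endswith(PACKAGE_EXTENSIONS):
        notes.append(f"unexpected package name {link.package!r}")
    return notes


if __name__ == "__main__":
    allowed = {"downloads.example-vendor.test"}  # constructed allowlist
    for found in find_appinstaller_links(SAMPLE_HTML):
        print(found.raw)
        for note in risk_notes(found, allowed):
            print("  -", note)
```

The allowlist is the part that does the real work: a spoofed landing page can use any host it likes in source=, so comparing the package host against the vendor's known distribution hosts catches the lookalike domains that a scheme or extension check alone would pass.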
Extensive Microsoft App Installer abuse
Attackers started abusing the ms-appinstaller URI scheme some time ago by leading users to spoofed web pages for popular software and instead delivering malware packaged as MSIX. According to Microsoft, the technique saw adoption by multiple groups, culminating in a spike in attacks during November and December 2023.
At the beginning of December, an access broker group that Microsoft tracks as Storm-0569 launched a search engine optimization (SEO) campaign that distributed BATLOADER using this technique. The group poisoned search results with links to web pages that posed as the official websites for legitimate software applications such as Zoom, Tableau, TeamViewer, and AnyDesk.
“Users who search for a legitimate software application on Bing or Google may be presented with a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol,” Microsoft said. “Spoofing and impersonating popular legitimate software is a common social engineering tactic.”
If the rogue links are clicked, users are presented with the App Installer window, which displays an install button. If that button is clicked, the malicious MSIX package is installed along with additional PowerShell and batch scripts that deploy BATLOADER. This malware loader is then used to deploy additional implants such as the Cobalt Strike Beacon, the Rclone data exfiltration tool and the Black Basta ransomware.
Another access broker tracked as Storm-1113, which also specializes in malware distribution through search advertisements, used this technique in mid-November 2023 to deploy a malware loader called EugenLoader by spoofing Zoom downloads. Since this group offers malware deployment as a service, EugenLoader has been used to deploy a variety of implants including Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer. Another group tracked as Sangria Tempest (also known as FIN7) used EugenLoader in November to drop its infamous Carbanak malware framework, which in turn deployed the Gracewire implant.