Microsoft has disabled the MSIX ms-appinstaller protocol handler by default in response to ongoing attacks by several malware distributors. The attackers abused the weakness tracked as CVE-2021-43890 (Windows AppX Installer spoofing vulnerability): an ms-appinstaller: link hands a package straight to App Installer, which lets the attackers bypass protections such as Microsoft Defender SmartScreen and the browser warnings that normally accompany downloads of executable formats. Microsoft Threat Intelligence has observed financially motivated threat groups using this technique since mid-November 2023.
Persistent Threat From Malicious Groups
These threat actors include financially motivated groups such as Storm-0569, Storm-1113, Sangria Tempest and Storm-1674. They have been distributing signed malicious MSIX application packages through misleading advertisements and phishing messages, notably over Microsoft Teams. The activity uses the ms-appinstaller protocol handler as the entry point for the malware, and in some cases leads on to ransomware deployment. Notably, a malware kit that abuses the MSIX file format is now sold as a service on the cybercriminal market.
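The lure in these campaigns is a link using the ms-appinstaller: scheme, whose source parameter names the MSIX package that App Installer will fetch. The following added example (not code from the original article or from Microsoft) extracts that source URL from proxy or message-log lines and flags any package host that is not on an allow-list. The log lines and the allow-listed host are constructed for the example.

```powershell
# Added example, not from the original article: extract the MSIX source URL from
# ms-appinstaller: links found in log lines and flag unexpected package hosts.
# The allow-list and the sample lines below are constructed for this example.
$AllowedSourceHosts = @('apps.contoso.example')   # hypothetical internal package host

$SampleLines = @(
    '2023-12-14T09:12:03Z teams-link user=alice url="ms-appinstaller:?source=https://apps.contoso.example/Contoso.App.msix"',
    '2023-12-14T09:15:41Z ad-click   user=bob   url="ms-appinstaller:?source=https%3A%2F%2Fcdn.example.net%2Fdl%2FZoom-Setup.msix"',
    '2023-12-14T09:20:10Z teams-link user=carol url="https://intranet.contoso.example/wiki/onboarding"'
)

function Get-MsAppInstallerSource {
    # Returns the package URL referenced by an ms-appinstaller: link, or $null
    # if the line carries no such link or the source cannot be parsed as a URI.
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -match 'ms-appinstaller:\?source=([^\s"'']+)') {
        # The source parameter is frequently percent-encoded; decode before parsing.
        $decoded = [System.Uri]::UnescapeDataString($Matches[1])
        try { return [System.Uri]$decoded } catch { return $null }
    }
    return $null
}

foreach ($line in $SampleLines) {
    $src = Get-MsAppInstallerSource -Line $line
    if ($null -eq $src) { continue }   # not an ms-appinstaller link
    $verdict = if ($AllowedSourceHosts -contains $src.Host) { 'allowed' } else { 'SUSPICIOUS' }
    '{0,-10} host={1,-22} package={2}' -f $verdict, $src.Host, $src.AbsolutePath
}
```

Run as-is, the first line is reported as allowed and the second, whose percent-encoded source resolves to cdn.example.net, as SUSPICIOUS; the third line is skipped because it is an ordinary https link. In a real deployment the sample array would be replaced by the relevant proxy, mail-gateway or Teams audit records.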
For readers unfamiliar with it, the MSIX Packaging Tool gives developers an easy way to repackage existing Win32 applications in the MSIX format. Launched in 2018, the tool is available from the Microsoft Store to Microsoft Account holders on Windows 10 and Windows 11. It works by running an existing desktop installer and capturing the result into an MSIX package, which can then be installed on a device or submitted to the Microsoft Store. App Installer, in turn, is the built-in Windows component that installs MSIX packages, and the ms-appinstaller: protocol handler is what allows a web link or chat message to pass a package directly to it without the usual download step.
Sangria Tempest, also tracked as FIN7, has a long history with prominent ransomware operations: it has been linked to REvil and Maze, and to the now-defunct BlackMatter and DarkSide operations. More recently, FIN7 was tied to attacks that exploited PaperCut print-management servers to deploy Clop ransomware.
Reinforced Windows Defensive Strategies
This is not the first time Microsoft has turned the ms-appinstaller protocol handler off to protect its user base: it was disabled once before and later re-enabled without public notice. As of December 28, 2023, the company has disabled it again by default to close off this delivery vector.
To mitigate the risk, Microsoft recommends updating to App Installer version 1.21.3421.0 or later, which ships with the protocol handler disabled by default. Administrators who cannot roll out the update immediately should set the Group Policy setting 'Enable App Installer ms-appinstaller protocol' (registry value EnableMSAppInstallerProtocol) to Disabled. Note that this blocks only the ms-appinstaller: link vector; an MSIX package saved to disk can still be installed by double-clicking it, so the policy complements rather than replaces SmartScreen, download controls and user awareness.
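The following added example (not code from the original article or from Microsoft) audits the installed App Installer version against 1.21.3421.0 and enforces the EnableMSAppInstallerProtocol policy through its registry backing. It assumes the policy is stored at the standard Desktop App Installer policy key, HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, and that it is run in an elevated session.

```powershell
# Added example, not from the original article: check the App Installer version
# and force the ms-appinstaller protocol handler off via policy until the update lands.
# Assumption: the policy-backed registry key below is the standard location for the
# "Enable App Installer ms-appinstaller protocol" setting. Run elevated.
$MinimumSafeVersion = [version]'1.21.3421.0'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue = 'EnableMSAppInstallerProtocol'

# 1. Highest App Installer version present for any user on this machine.
$pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
       Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1

if ($null -eq $pkg) {
    Write-Host 'App Installer is not installed; there is no ms-appinstaller handler to abuse.'
} else {
    $installed = [version]$pkg.Version
    if ($installed -ge $MinimumSafeVersion) {
        Write-Host "App Installer $installed is at or above $MinimumSafeVersion (handler disabled by default)."
    } else {
        Write-Warning "App Installer $installed is below $MinimumSafeVersion; enforcing the policy until it is updated."
    }
}

# 2. Enforce the Group Policy equivalent: EnableMSAppInstallerProtocol = 0 (Disabled).
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
New-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 0 -PropertyType DWord -Force | Out-Null

# 3. Read the value back so the script reports the effective state, not just what it wrote.
$current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
if ($current -eq 0) {
    Write-Host "$PolicyValue is 0: ms-appinstaller links are blocked on this host."
} else {
    Write-Warning "$PolicyValue is '$current': the protocol handler is still enabled."
}
```

The version check is kept separate from the policy write on purpose: the update disables the handler on its own, but the policy is what keeps it off on machines that lag behind, and it remains a useful belt-and-braces control even after the update is deployed.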