
Microsoft Reactivates Protective Measures Against Malware Through MSIX Protocol Amendments

Malware gangs like Storm-0569 and FIN7 exploited a Windows flaw to install ransomware via signed MSIX apps. Microsoft disabled the vulnerable protocol.


Microsoft has disabled the MSIX ms-appinstaller protocol handler in response to ongoing attacks from various malware distributors. The attackers have taken advantage of the CVE-2021-43890 Windows AppX Installer spoofing vulnerability, allowing them to bypass important features. Microsoft Threat Intelligence has detected operations from financially motivated threat groups using this scheme since mid-November 2023.

Persistent Threat From Malicious Groups

These threat actors include financially motivated groups such as Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674. They have been distributing signed malicious MSIX application packages through misleading advertisements and phishing messages, notably through Microsoft Teams. The activity exploits the MSIX protocol handler as an entry point for harmful software, potentially leading to the distribution of . Notably, a malware kit service utilizing the MSIX file format is now being sold on the cybercriminal market.

If you are unfamiliar with the MSIX Packaging Tool, it gives developers an easy way to move Win32 apps to the MSIX format. Launched in 2018, the tool is available to Microsoft Account holders on  and . Features of the packaging tool include the ability to run desktop installers on the app. Furthermore, MSIX packages are installable on a device, where they can be migrated directly to the .

The Sangria Tempest group, also known as FIN7, has a notorious history of association with prominent ransomware threats such as REvil and Maze, and of involvement with defunct ransomware operations such as BlackMatter and DarkSide. FIN7 has also been implicated in ransomware attacks targeting PaperCut printing servers with Clop ransomware.

Reinforced Windows Defensive Strategies

In the face of these threats, Microsoft periodically suspends use of the ms-appinstaller protocol handler to protect its user base. Following the protocol's reactivation, which was not disclosed, the company has once again disabled it as of December 28, 2023, to prevent future ransomware attacks.

To mitigate risks, Microsoft recommends updating to the new App Installer version 1.21.3421.0 or later, which guards against these exploitation efforts. For administrators unable to complete the update immediately, Microsoft advises disabling the protocol by setting the Group Policy 'EnableMSAppInstallerProtocol' to 'Disabled'. Such precautionary measures will provide additional layers of security against the evolving landscape of .
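For administrators who want to check a host against both recommendations, the following PowerShell audit is an added example, not code from Microsoft or from this article. The package name `Microsoft.DesktopAppInstaller` and the policy registry path are assumptions that should be confirmed against your own ADMX templates before relying on the result.

```powershell
# Added example: audit one host against the two mitigations named in the article.
$MinVersion  = [version]'1.21.3421.0'            # fixed App Installer version, per the article
$PolicyName  = 'EnableMSAppInstallerProtocol'    # Group Policy setting, per the article
$PackageName = 'Microsoft.DesktopAppInstaller'   # assumption: App Installer package identity
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'  # assumption: policy location

function Get-AppInstallerExposure {
    # -AllUsers needs elevation; fall back to the current user's packages if it fails.
    try   { $pkgs = @(Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction Stop) }
    catch { $pkgs = @(Get-AppxPackage -Name $PackageName) }

    # The oldest installed copy decides the verdict: one stale per-user copy is enough.
    $oldest = $pkgs | ForEach-Object { [version]$_.Version } |
              Sort-Object | Select-Object -First 1

    # Read the policy value; a missing key or value means "not configured".
    $raw  = $null
    $prop = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($prop) { $raw = $prop.$PolicyName }
    $policyState = if ($null -eq $raw) { 'NotConfigured' }
                   elseif ($raw -eq 0) { 'Disabled' }
                   else                { 'Enabled' }

    $patched = ($null -ne $oldest) -and ($oldest -ge $MinVersion)

    # Either mitigation from the article is sufficient: fixed version, or policy Disabled.
    $verdict = if ($null -eq $oldest)                          { 'AppInstallerNotFound' }
               elseif ($patched -or $policyState -eq 'Disabled') { 'Mitigated' }
               else                                            { 'Exposed' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OldestVersion = $oldest
        MeetsMinimum  = $patched
        PolicyState   = $policyState
        Verdict       = $verdict
    }
}

Get-AppInstallerExposure
```

Run it elevated so that copies of App Installer registered for other user profiles are included in the version comparison.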

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
