Microsoft disables ms-appinstaller after malicious use
Malwarebytes Blog – Pieter Arntz
Microsoft has changed the ms-appinstaller protocol handler so that it is disabled by default. The handler was originally designed to simplify app installation, but it has also been exploited by cybercriminals to facilitate malware installation.
By leveraging links using the ms-appinstaller URI scheme, criminals were able to bypass security mechanisms like SmartScreen, camouflaging malicious activities under the guise of legitimate software distribution.
This abuse of the mechanism was observed in scenarios including SEO poisoning, malvertising, Microsoft Teams messages, and social engineering, leading to phishing attempts and unauthorized malware installations.
Specifically, cybercriminals used the MSIX file format together with the ms-appinstaller protocol handler to distribute signed malicious MSIX application packages, often from sites mimicking legitimate software vendors’ websites.
Notably, the criminal groups involved were identified as initial access brokers (IABs), specializing in providing ransomware gangs with access to company networks.
To identify malicious installers, it’s recommended to examine the publisher information in the ms-appinstaller prompt.
To manually disable the ms-appinstaller protocol handler across a network, set the Group Policy EnableMSAppInstallerProtocol to disabled.
This adjustment reflects Microsoft’s response to the security risks associated with the ms-appinstaller protocol handler.
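A local audit and enforcement of the Group Policy setting named above, as an added example rather than code from the Malwarebytes post. The registry location is the one the App Installer policy writes and is not on the page (verify it against your domain's ADMX); the function names are made up for this example.

```powershell
# Added example (not from the Malwarebytes post): audit and optionally enforce
# the EnableMSAppInstallerProtocol policy on the local machine.
# Assumption: the policy is backed by the registry value below (from the
# Desktop App Installer ADMX); check this against your policy definitions.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured'. 'NotConfigured' means the
    # effective state depends on the installed App Installer build's default.
    $value = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'NotConfigured' }
    if ($value.$PolicyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-MsAppInstallerProtocol {
    # Writes the policy value explicitly so the handler stays off regardless of
    # the App Installer build. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 0")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -Type DWord
    }
}

# Usage: report the current state, preview the change, then apply it as admin.
"ms-appinstaller protocol policy: $(Get-MsAppInstallerProtocolState)"
Disable-MsAppInstallerProtocol -WhatIf
# Disable-MsAppInstallerProtocol
"ms-appinstaller protocol policy: $(Get-MsAppInstallerProtocolState)"
```

Run it in an elevated session; in a domain, prefer setting the same policy centrally and using only the Get- function here to confirm it applied.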
Link: https://www.malwarebytes.com/blog/news/2024/01/microsoft-disables-ms-appinstaller-after-malicious-use