Microsoft Disables App Installer Feature Amid Security Concerns

Microsoft on Thursday took steps to safeguard users by disabling the App Installer feature in Windows 10, following the discovery that threat actors were exploiting it to spread malware.

The company said the decision was made after seeing a rise in malware kits for sale on cybercriminal forums and the dark web, with growing usage of elements from the kits.

"Recently, malicious activity was observed where bad actors are now using the ms-appinstaller URI scheme handler to trick users into installing malicious software," wrote Microsoft in a security advisory. "We highly recommend customers do not install apps from unknown websites."

App Installer is a feature only available in Windows 10 that allows users to install and modify .appx or .appxbundle files, used to develop Windows Store apps. Outside of using the feature, the only other way to install and modify these files in Windows 10 is through PowerShell.

With last week's update, users will no longer have the ability to install an app directly from a web page using the MSIX package installer. Instead, Microsoft will require users to download the MSIX package first before starting the installation process. This change ensures that locally installed antivirus protections are activated, providing an additional layer of defense against potential threats, said the company.

In a follow-up blog post, Microsoft dove into some of its findings when it comes to the cybercriminal groups who are attempting what are mostly financially motivated cyber incidents. Since November 2023, the company has monitored the activity of multiple cybercriminal groups, including Storm-0569, Storm-1113, Sangria Tempest and Storm-1674, and broke down how these groups have operated.

"The observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files," said Microsoft.

In one example, Microsoft outlined how Storm-0569 had conducted a campaign of spreading the Batloader malware family by spoofing .appx download landing pages that appear to contain installation files for popular apps like Zoom, TeamViewer, AnyDesk and Tableau. If a user downloads and runs the malicious installer, additional harmful processes and scripts are run.

"Storm-0569 then uses PowerShell and batch scripts that lead to the download of BATLOADER. In one observed instance, Storm-0569's BATLOADER dropped a Cobalt Strike Beacon followed by data exfiltration using the Rclone data exfiltration tools and Black Basta ransomware deployment by Storm-0506."

Microsoft said that the group then creates specially crafted phishing and malvertizing emails to users based on the data exfiltration, with the goal of leading to a ransomware demand.

Along with disabling App Installer for Windows 10 users, Microsoft has provided some mitigation recommendations for IT, including:

  • Implementing Conditional Access authentication strength that requires employees and external users to undergo phishing-resistant authentication when accessing critical applications.
  • Providing end users with best practices when searching and downloading external files.
  • Deploying the latest phishing-resistant authentication methods for users.
  • Configuring Microsoft 365 to scan and check any external links clicked on by users.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube