January 8, 2024
The Problem: Microsoft has once again disabled the ms-appinstaller protocol handler because of widespread abuse by attackers to distribute malware. The protocol allowed users to install apps directly from websites, bypassing security checks. Attackers exploited this vulnerability to deliver malware disguised as legitimate software, potentially leading to ransomware infections, data theft, and other serious threats.
The Attackers:
- Storm-0569: Spreads malware through fake websites and delivers Cobalt Strike for ransomware deployment.
- Storm-1113: Uses bogus MSIX installers to distribute EugenLoader, which leads to various malware and remote access tools.
- Sangria Tempest: Employs EugenLoader to drop Carbanak and Gracewire implants, or uses Google ads to distribute POWERTRASH for remote access.
- Storm-1674: Sends fake OneDrive and SharePoint links through Teams messages, tricking users into downloading SectopRAT or DarkGate payloads.
Previous Incidents: This is not the first time Microsoft has disabled the ms-appinstaller protocol handler. In February 2022, it took similar action against the Emotet, TrickBot, and BazaLoader malware.
Why Attackers Love MSIX: The ms-appinstaller protocol bypasses security measures such as Microsoft Defender SmartScreen and browser warnings, making it easier to install malware without detection.
What You Can Do:
- Update to the latest version of App Installer (1.21.3421.0 or higher).
- Only download apps from trusted sources.
- Be cautious when clicking on links in emails or on websites.
- Use a reputable antivirus program.
- Stay vigilant and protect yourself from these evolving threats!
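One way to verify the first item above on a Windows host, as an added example that is not from the original post: the script reports the installed App Installer version against the 1.21.3421.0 minimum named in the text, and also reads the EnableMSAppInstallerProtocol Group Policy value as a second line of defence. The post does not mention that policy; its registry location below is my assumption based on Microsoft's documented Desktop App Installer policy path.

```powershell
# Added example (not from the original post). Audits a host for the App Installer
# fix level (1.21.3421.0 or higher, as stated in the text) and for the
# EnableMSAppInstallerProtocol policy. The policy's registry path is an assumption
# taken from Microsoft's Desktop App Installer Group Policy documentation.

$MinimumVersion = [version]'1.21.3421.0'

function Test-AppInstallerPatched {
    # App Installer ships as an Appx package, provisioned per user; take the newest copy.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -AllUsers -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1
    if (-not $pkg) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $false }
    }
    $v = [version]$pkg.Version
    [pscustomobject]@{ Installed = $true; Version = $v; Patched = ($v -ge $MinimumVersion) }
}

function Test-MsAppInstallerProtocolDisabled {
    # EnableMSAppInstallerProtocol = 0 turns the ms-appinstaller handler off regardless
    # of the package version (assumed policy location, see comment above).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $val = Get-ItemProperty -Path $key -Name 'EnableMSAppInstallerProtocol' -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $false }   # no policy set: handler follows the package default
    return ($val.EnableMSAppInstallerProtocol -eq 0)
}

$patch  = Test-AppInstallerPatched
$policy = Test-MsAppInstallerProtocolDisabled

if ($patch.Patched -or $policy) {
    'OK: App Installer {0}; protocol disabled by policy: {1}' -f $patch.Version, $policy
} else {
    'ACTION NEEDED: App Installer {0} is below {1} and no disabling policy is set' -f $patch.Version, $MinimumVersion
}
```

Run it from an elevated PowerShell session so that -AllUsers can enumerate every user's copy of the package.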