When deployed directly from a website, the page will contain a link of the form ms-appinstaller:?source=http://link-to.domain/app-name.msix. When you click on it, the browser will forward the request to the ms-appinstaller protocol handler in Windows, which will invoke App Installer. This is the same type of functionality seen with other applications that register custom protocol handlers in Windows, such as when you click a button on a web page to join a conference call and the browser opens Zoom or Microsoft Teams desktop apps automatically.
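As an added illustration of the link format described above (this is example code, not from the article or from Microsoft), the following Python snippet pulls the package URL out of ms-appinstaller: links found in web-proxy log lines and flags any package host that is not on an allowlist. The log lines, hostnames and the allowlist are constructed for the example.

```python
# Added example (not from the article or Microsoft): find ms-appinstaller: links in
# web-proxy log lines, extract the package URL App Installer would fetch from the
# source= parameter, and flag package hosts outside an allowlist.
# All log lines, hostnames and the allowlist below are constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Matches the ms-appinstaller:?source=<url> form; the capture runs until whitespace,
# a quote or '>' so the pattern works on both log lines and raw HTML href values.
MS_APPINSTALLER_RE = re.compile(r'ms-appinstaller:\?([^\s"\'>]+)', re.IGNORECASE)

# Constructed allowlist: hosts this (hypothetical) organisation expects MSIX packages from.
TRUSTED_PACKAGE_HOSTS = {"packages.example-corp.internal", "cdn.example-vendor.com"}


def extract_package_url(text: str):
    """Return the URL in the source= parameter of the first ms-appinstaller link, or None.

    parse_qs percent-decodes the value, so both plain and URL-encoded package URLs work.
    A package URL carrying its own '&'-separated query string would be truncated here.
    """
    m = MS_APPINSTALLER_RE.search(text)
    if not m:
        return None
    params = parse_qs(m.group(1), keep_blank_values=True)
    sources = params.get("source")
    if not sources:
        return None
    return sources[0]


def classify(line: str):
    """Classify one log line as 'clean' (no link), 'allowed' or 'suspicious'."""
    url = extract_package_url(line)
    if url is None:
        return "clean", None
    host = (urlsplit(url).hostname or "").lower()
    if host in TRUSTED_PACKAGE_HOSTS:
        return "allowed", url
    return "suspicious", url


# Constructed proxy log lines: an ordinary download-page request, an allowlisted
# package link, and a lookalike-domain link of the kind the article describes.
SAMPLE_LOG = [
    '2023-12-05T10:14:02Z user=alice GET https://www.example-vendor.com/download',
    '2023-12-05T10:14:09Z user=bob GET "ms-appinstaller:?source=https://cdn.example-vendor.com/tool.msix"',
    '2023-12-05T10:15:31Z user=carol GET ms-appinstaller:?source=http%3A%2F%2Fzoom-dowload-example.invalid%2FZoomInstaller.msix',
]


def scan(lines):
    """Return (line, package_url) pairs for every line an analyst should review."""
    findings = []
    for line in lines:
        verdict, url = classify(line)
        if verdict == "suspicious":
            findings.append((line, url))
    return findings


if __name__ == "__main__":
    for line, url in scan(SAMPLE_LOG):
        print(f"review: {url}\n  from: {line}")
```

The allowlist check is deliberately strict: a package fetched from a host nobody in the organisation publishes MSIX packages on is worth a look regardless of how convincing the landing page was, which is exactly the gap the spoofed download pages exploit.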
Extensive abuse of Microsoft App Installer
Attackers began abusing the ms-appinstaller URI system some time ago by leading users to web pages spoofed for popular software and instead delivering MSIX-packaged malware. According to Microsoft, the technique has been adopted by several groups, culminating in an increase in attacks in November and December 2023.
In early December, a group of access brokers that Microsoft tracks under the name Storm-0569 launched a search engine optimization campaign that distributed BATLOADER using this technique. The group poisoned search results with links to web pages masquerading as the official websites of legitimate software applications such as Zoom, Tableau, TeamViewer and AnyDesk.
“Users searching for a legitimate software application on Bing or Google may be presented with a landing page that spoofs the original software provider’s landing pages and includes links to malicious installers via the ms-appinstaller protocol,” Microsoft said. “Identity theft and impersonation of popular legitimate software is a common social engineering tactic.”
If a malicious link is clicked, the user is presented with the App Installer window, which displays an install button. Clicking that button installs the malicious MSIX package along with additional PowerShell and batch scripts that deploy BATLOADER. This malware loader is then used to deploy further implants such as the Cobalt Strike Beacon, the Rclone data exfiltration tool and the Black Basta ransomware.
Another access broker, identified as Storm-1113 and also specializing in malware distribution via search ads, used the same technique in mid-November 2023 to deploy a malware loader called EugenLoader through spoofed Zoom downloads. Since this group offers malware deployment as a service, EugenLoader has been used to deploy a variety of implants including Gozi, Redline Stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT and Lumma Stealer. Another group, tracked under the name Sangria Tempest (also known as FIN7), used EugenLoader in November to drop its infamous Carbanak malware framework, which in turn deployed the Gracewire implant.