Microsoft announced on Thursday that it is once again disabling the ms-appinstaller (MSIX) protocol handler by default, following its abuse by multiple cybercriminal groups to distribute malware.

Why Microsoft is disabling the MSIX installation protocol

“The observed behavior of cybercriminals abuses the current implementation of the ms-appinstaller protocol handler as an entry vector for malware that could lead to ransomware distribution,” Microsoft's Threat Intelligence team said.

It also noted that several cybercriminals are selling, as a service, a malware kit that abuses the MSIX file format and the ms-appinstaller protocol handler. The change takes effect in App Installer version 1.21.3421.0 and later.
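A defender's first question after reading this is whether a given host is actually running a version of App Installer that disables the handler. The following PowerShell script is an added example, not Microsoft's code or anything from the article: it reads the installed Microsoft.DesktopAppInstaller package version, compares it with the 1.21.3421.0 threshold stated above, and also reports any explicit policy override. The policy location (HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, DWORD EnableMSAppInstallerProtocol, 0 = disabled) is an assumption taken from Microsoft's App Installer policy documentation rather than from this page; verify it against the documentation for your Windows build.

```powershell
# Added example: check whether the ms-appinstaller protocol handler is disabled on this host,
# either by App Installer version (1.21.3421.0+, per the article) or by explicit policy.

# Version at which Microsoft disabled the protocol handler by default (from the article).
$MinimumSafeVersion = [version]'1.21.3421.0'

# ASSUMPTION (not on the page): Group Policy-backed registry value controlling the handler.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerStatus {
    # App Installer ships as the Microsoft.DesktopAppInstaller AppX package.
    # Take the highest installed version if several are staged.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1

    $installed = if ($pkg) { [version]$pkg.Version } else { $null }

    # Read the policy value if the key exists; $null means "no explicit policy".
    $policy = $null
    if (Test-Path -Path $PolicyPath) {
        $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
        if ($item) { $policy = $item.$PolicyName }
    }

    [pscustomobject]@{
        InstalledVersion        = $installed
        MinimumSafeVersion      = $MinimumSafeVersion
        VersionDisablesProtocol = ($null -ne $installed) -and ($installed -ge $MinimumSafeVersion)
        PolicyValue             = $policy
        PolicyDisablesProtocol  = ($policy -eq 0)
        PolicyReenablesProtocol = ($policy -eq 1)
    }
}

$status = Get-AppInstallerStatus
$status | Format-List

# An explicit "enabled" policy overrides the safer default, so check it first.
if ($status.PolicyReenablesProtocol) {
    Write-Warning "ms-appinstaller protocol handler has been re-enabled by policy; review whether that is required."
}
elseif ($status.VersionDisablesProtocol -or $status.PolicyDisablesProtocol) {
    Write-Output "ms-appinstaller protocol handler is disabled on this host."
}
else {
    Write-Warning "App Installer is below $MinimumSafeVersion and no policy disables the protocol handler; update App Installer via the Microsoft Store or set $PolicyName to 0."
}
```

Run it in an elevated PowerShell session so the policy hive is readable; Get-AppxPackage without -AllUsers reports the package registered for the current user, which is usually what matters because the protocol handler is invoked in the user's browser session.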

The attacks take the form of signed malicious MSIX application packages distributed via Microsoft Teams or through malicious advertisements for popular legitimate software on search engines such as Google.

At least four financially motivated threat groups have been observed abusing the App Installer service since November 2023, using it as an entry point for subsequent human-operated ransomware activity:

Storm-0569, an initial access broker that propagates BATLOADER through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, uses the malware to deploy Cobalt Strike and hands over access to Storm-0506 for Black Basta ransomware deployment.

Storm-1113, an initial access broker that uses fake MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which serves as a conduit for a variety of information-stealing malware and remote access trojans.

Sangria Tempest (aka Carbon Spider and FIN7), which uses Storm-1113's EugenLoader to drop Carbanak, which in turn deploys an implant called Gracewire. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from fraudulent landing pages in order to distribute POWERTRASH, which is then used to load NetSupport RAT and Gracewire.

Storm-1674, an initial access broker that sends fake landing pages disguised as Microsoft OneDrive and SharePoint through Teams messages using the TeamsPhisher tool, prompting recipients to open PDF files that, when clicked, ask them to update Adobe Acrobat Reader and thereby download a malicious MSIX installer containing SectopRAT or DarkGate payloads.

Microsoft described Storm-1113 as an entity that also operates on an “as-a-service” basis, supplying malicious installers and landing-page frameworks that mimic well-known software to other cybercriminals such as Sangria Tempest and Storm-1674.

In October 2023, Elastic Security Labs published a detailed report on another campaign in which Windows MSIX application package files posing as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader called GHOSTPULSE.

This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows: in February 2022, the company took the same step to stop cybercriminals from using it to deliver Emotet, TrickBot and BazaLoader.

“Cybercriminals have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser alerts for downloading executable file formats,” Microsoft said.