Microsoft has said that it has disabled Windows app installer protocol handler after multiple financially motivated hackers abused it to infect Windows machines with malware. The company has explained how cybercriminals distributed malicious software since mid-November 2023.
Microsoft also said the vulnerability could have been exploited to ransomware distribution with packages delivered using websites accessed through malicious advertisements for legitimate popular software.
“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware,” the company said.
How attackers targeted the flaw
Microsoft says that the attackers exploited the vulnerability to circumvent security measures that would otherwise protect Windows users from malware. These include Defender SmartScreen anti-phishing and anti-malware components as well as built-in browser alerts that caution users against executable file downloads.
At the beginning of December 2023, Microsoft observed a hacking group distributed fake software like Zoom, Tableau, TeamViewer and AnyDesk by a method called search engine optimisation (SEO) poisoning, which is essentially spoofing legitimate software downloads.
These options were presented to users who searched for a legitimate software application on Bing or Google. Spoofing or impersonating is a popular social engineering tactic to target users.
Users who click the links of these impersonated apps were presented with the desktop App Installer experience. If the user clicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation.
How to protect yourself
While Microsoft has already disabled the protocol that was exploited, users must always be vigilant on the platform that is offering the software to download. One must also keep an eye on the URL and check for spelling mistakes on the software. Always download software from official websites.
Microsoft also said the vulnerability could have been exploited to ransomware distribution with packages delivered using websites accessed through malicious advertisements for legitimate popular software.
“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilising the ms-appinstaller URI scheme (App Installer) to distribute malware,” the company said.
How attackers targeted the flaw
Microsoft says that the attackers exploited the vulnerability to circumvent security measures that would otherwise protect Windows users from malware. These include Defender SmartScreen anti-phishing and anti-malware components as well as built-in browser alerts that caution users against executable file downloads.
At the beginning of December 2023, Microsoft observed a hacking group distributed fake software like Zoom, Tableau, TeamViewer and AnyDesk by a method called search engine optimisation (SEO) poisoning, which is essentially spoofing legitimate software downloads.
These options were presented to users who searched for a legitimate software application on Bing or Google. Spoofing or impersonating is a popular social engineering tactic to target users.
Users who click the links of these impersonated apps were presented with the desktop App Installer experience. If the user clicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation.
How to protect yourself
While Microsoft has already disabled the protocol that was exploited, users must always be vigilant on the platform that is offering the software to download. One must also keep an eye on the URL and check for spelling mistakes on the software. Always download software from official websites.
Denial of responsibility! Swift Telecast is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – swifttelecast.com. The content will be deleted within 24 hours.