Microsoft stops abuse of the ms-appinstaller protocol

Brother
How will the new rules for installing apps affect ordinary Windows users?

Microsoft announced on December 28 that it had disabled a feature designed to make it easier to install apps on Windows, after it was discovered that financially motivated threat groups were widely using it to spread malware.

The ms-appinstaller protocol allowed users to install apps on their devices directly from a web page, skipping some of the usual download-then-run steps. Cybercriminals used it, among other things, to deliver malware loaders.

"The attackers probably chose the ms-appinstaller protocol because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and built-in browser warnings about downloading executable file formats," Microsoft said.

Disabling the protocol means that Windows applications can no longer be installed directly from a web server onto the target device. Instead, users will first have to download the required software package and then run the application installer manually.
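For administrators who do not want to rely on Microsoft's server-side switch alone, the following PowerShell is an added example (not code from the original post or from Microsoft) that audits and, on request, enforces the App Installer Group Policy "EnableMSAppInstallerProtocol", shows what an ms-appinstaller link hands to the protocol handler, and checks the Authenticode signature of a package that a user has downloaded manually, which is the workflow the paragraph above describes. The registry path and value name are the documented policy as I understand it and are stated here as an assumption; the sample links are constructed and do not point at real campaigns.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumption: the policy below is the App Installer Group Policy
# "EnableMSAppInstallerProtocol" (DWORD 0 = Disabled); enforcing it needs
# an elevated (Administrator) session. Sample links are constructed.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerProtocolState {
    # Reports how the machine policy currently stands, independent of the
    # server-side switch Microsoft flipped.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-AppInstallerProtocol {
    # Pins the policy to Disabled so the protocol stays blocked even if the
    # default is later re-enabled. Requires an elevated session.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-AppInstallerSource {
    param([Parameter(Mandatory)][string]$Uri)
    # An ms-appinstaller link carries the package URL in its "source" query
    # parameter; App Installer fetches it directly, so the browser never
    # treats the .msix/.appinstaller file as an ordinary download.
    if ($Uri -notmatch '^ms-appinstaller:\?(.+)$') { return $null }
    foreach ($pair in $Matches[1] -split '&') {
        $name, $value = $pair -split '=', 2
        if ($name -eq 'source' -and $value) { return [uri]::UnescapeDataString($value) }
    }
    return $null
}

function Test-AppInstallerLink {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [string[]]$TrustedHosts = @()
    )
    # Triage helper for links found in web-proxy logs, e-mails or ad landing pages.
    $source = Get-AppInstallerSource -Uri $Uri
    if (-not $source) {
        return [pscustomobject]@{ Uri = $Uri; Source = $null; Host = $null; Verdict = 'not an ms-appinstaller link' }
    }
    $sourceHost = ([uri]$source).Host        # $host itself is a reserved variable in PowerShell
    $verdict = if ($TrustedHosts -contains $sourceHost) { 'trusted host' } else { 'UNTRUSTED host, investigate' }
    [pscustomobject]@{ Uri = $Uri; Source = $source; Host = $sourceHost; Verdict = $verdict }
}

function Test-DownloadedPackage {
    param([Parameter(Mandatory)][string]$Path)
    # With the protocol gone, users download the package and run it by hand;
    # check the Authenticode signature on the file before double-clicking it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                      # 'Valid' is the only acceptable answer
        Signer = $sig.SignerCertificate.Subject
    }
}

# --- usage (constructed sample links, not real campaigns) ---
"Protocol policy state: $(Get-AppInstallerProtocolState)"

$samples = @(
    'ms-appinstaller:?source=https://apps.contoso.example/Contoso.appinstaller',
    'ms-appinstaller:?source=https%3A%2F%2Fdownload-anydesk.example%2FAnyDesk.msix',
    'https://apps.contoso.example/Contoso.msix'
)
$samples | ForEach-Object { Test-AppInstallerLink -Uri $_ -TrustedHosts 'apps.contoso.example' } | Format-Table -AutoSize

# Uncomment in an elevated session to enforce the policy:
# Disable-AppInstallerProtocol
```

Run the audit first on a few machines to see whether the policy is already set by an existing GPO; enforcing it from a script on a domain-joined host is pointless if Group Policy overwrites the value on the next refresh, in which case the setting belongs in the GPO instead.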

Microsoft links activity that abuses the ms-appinstaller protocol to groups it tracks under the names Storm-0569, Storm-1113, Storm-1674, and Sangria Tempest. The "Storm" tag is used for groups whose origin the company has not yet attributed. Sangria Tempest, a long-established cybercriminal group, is known to other cybersecurity researchers as FIN7 and has previously been linked by specialists to the Clop ransomware group.

In November and December, hackers were observed to "spoof legitimate applications and lure users into installing malicious MSIX packages by passing them off as legitimate applications, while evading detection on the initial installation files," Microsoft said.

The cybercriminals' goal was to install loader malware that enables follow-on infections, including information-stealing malware such as IcedID or ransomware such as Black Basta.

This incident clearly demonstrates how sophisticated cybercriminals' methods can be in exploiting weaknesses in technology to spread malware and gain financial benefits. Unfortunately, even such useful tools as the ms-appinstaller protocol can be turned to malicious ends.

It is commendable that Microsoft responded quickly to this threat by disabling the abused feature. However, this case once again highlights the importance of constant vigilance and continuous improvement of cybersecurity measures on the part of both technology developers and end users.