Microsoft disables the MSIX ms-appinstaller protocol handler used in malware attacks

Microsoft has once again disabled the MSIX ms-appinstaller protocol handler after several financially motivated threat groups abused it to infect Windows users with malware.


The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to bypass security measures that would normally protect Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and the built-in browser warnings against downloading executable files.

Microsoft says the threat actors distribute signed malicious MSIX application packages through Microsoft Teams phishing messages and through malicious advertisements for well-known software.

“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware,” the company said.

“The ms-appinstaller protocol handler’s current implementation is being abused by the observed threat actor activity as an entry point for malware that could spread ransomware. Additionally, a number of fraudsters are offering for sale a malware kit that exploits the MSIX file format and the ms-appinstaller protocol handler.”

Sangria Tempest (also known as FIN7), a financially motivated hacking group, has previously been linked to the REvil and Maze ransomware through its involvement in the now-defunct BlackMatter and DarkSide ransomware operations.

A private Microsoft threat analytics report obtained by BleepingComputer also linked FIN7 to Clop ransomware attacks against PaperCut printing systems.


BazarLoader and Emotet malware attacks

As BleepingComputer reported more than two years ago, Emotet also used malicious Windows AppX Installer packages disguised as Adobe PDF software to infect Windows 10 and Windows 11 systems in December 2021.

The BazarLoader malware was likewise spread through malicious packages hosted on Microsoft Azure under *.web.core.windows.net URLs, exploiting the same AppX Installer spoofing vulnerability.

Microsoft had previously disabled the ms-appinstaller protocol handler in February 2022 to block Emotet’s attacks.

Redmond disabled the “ms-appinstaller” protocol handler again earlier this month because victims of these attacks may also be targeted with ransomware.

Although Microsoft says the handler was disabled by default today, December 28, 2023, others report that the change was rolled out earlier this month. When and why Microsoft re-enabled the Windows App Installer protocol between February 2022 and December 2023 remains unknown.

To block exploitation attempts, Microsoft today advised installing the patched App Installer version 1.21.3421.0 or later.

The company also recommended that administrators who cannot deploy the latest App Installer version right away disable the protocol by setting the Group Policy “Enable MSApp Installer Protocol” to Disabled.
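To verify on a host whether either of the two mitigations above is in place, the following PowerShell check is added here as an example; it is not from the article or from Microsoft, and it assumes the App Installer ships as the Appx package Microsoft.DesktopAppInstaller and that the Group Policy writes the DWORD EnableMSAppInstallerProtocol under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (both labelled as assumptions in the comments; confirm the registry location against your ADMX templates).

```powershell
# Added example (not from the article or Microsoft): report whether this host is
# covered by the patched App Installer version or by the Group Policy that
# disables the ms-appinstaller protocol handler.
# ASSUMPTIONS: package name Microsoft.DesktopAppInstaller; policy registry
# location HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, value
# EnableMSAppInstallerProtocol (0 = protocol disabled). Verify against your ADMX.

$PatchedVersion = [version]'1.21.3421.0'   # minimum version named in the advisory
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue    = 'EnableMSAppInstallerProtocol'

# 1. App Installer version. Get-AppxPackage only sees the current user's copy
#    unless -AllUsers is given, so enumerate every user's copy and take the
#    oldest: one unpatched profile is enough to leave the host exposed.
$pkgs   = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
$oldest = $pkgs | ForEach-Object { [version]$_.Version } | Sort-Object | Select-Object -First 1
$versionOk = ($null -ne $oldest) -and ($oldest -ge $PatchedVersion)

# 2. Group Policy. The key is absent when the policy is "Not configured".
$policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
$policyDisabled = ($null -ne $policy) -and ($policy.$PolicyValue -eq 0)

# Summarise. "Mitigated" reflects only the two measures the advisory names.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    AppInstallerVersion    = if ($oldest) { $oldest.ToString() } else { 'not installed' }
    VersionPatched         = $versionOk
    ProtocolPolicyDisabled = $policyDisabled
    Mitigated              = ($versionOk -or $policyDisabled)
} | Format-List
```

Run it elevated so that -AllUsers and the HKLM policy key are readable; the object it emits can be collected fleet-wide with Invoke-Command.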

How can I protect my computer from hackers? (FAQs)

Your computer can be secured against hackers in a number of ways:

  1. Use strong passwords: Create complex passwords that are hard to guess by combining digits, uppercase and lowercase letters, and special characters. Do not reuse the same password across several accounts or websites; if a hacker does manage to crack one of your passwords, this limits the damage.
  2. Use a password manager: Password managers store your login details and fill them in automatically, so you can use a complex, distinct password for every website without having to type it more than once. Well-regarded third-party password managers include “Dashlane 4,” “LastPass 4.0 Premium,” “1Password,” “Sticky Password Premium,” and “LogMeOnce Ultimate.” Most browsers’ built-in password managers also store your passwords, although they usually aren’t encrypted.
  3. Keep your software up to date: Make sure the latest security updates are installed on your operating system, web browser, and other applications. This reduces the chance that hackers can exploit known weaknesses.
  4. Use antivirus software: Install and maintain an antivirus program on your computer. It can help identify and remove malware that hackers might use to gain access to your machine.
  5. Be cautious of suspicious emails and links: Do not open attachments or click links in suspicious emails. These may be phishing attempts designed to trick you into disclosing personal information.
  6. Use a firewall: A firewall helps block unauthorized access to your computer from the internet. Most operating systems ship with a built-in firewall that you can turn on.
  7. Use a VPN: A virtual private network (VPN) encrypts your internet traffic and hides your IP address, which helps protect your online privacy and security.

By following these tips, you can help protect your computer from hackers and other security threats.

How do I know if my computer has been hacked? (FAQs)

There are several signs that someone may have hacked into your computer. These are some of the most common:

  1. Your computer is running slowly: If your computer is noticeably slower than usual, it may be infected with malware.
  2. Your computer crashes frequently: Repeated crashes or unexplained error messages may indicate that your computer has been compromised.
  3. You notice new programs or files on your computer: Apps or files that you did not download or install yourself may be a sign that your computer has been hacked.
  4. Your web browser behaves strangely: A browser that shows unexpected pop-up advertisements or redirects you to unknown websites may indicate a compromise.
  5. Your antivirus software is disabled: If your antivirus program has been turned off or is malfunctioning, your computer may have been compromised.

If you think your computer has been hacked, act quickly to safeguard your data and prevent further damage. Changing your passwords, updating your software, and running a malware scan are among the actions you can take.
