Microsoft Temporarily Disables MSIX App Installers to Prevent Malware Abuse
2022-02-07 20:14

Microsoft last week announced that it's temporarily disabling the MSIX ms-appinstaller protocol handler in Windows following evidence that a security vulnerability in the installer component was exploited by threat actors to deliver malware such as Emotet, TrickBot, and Bazaloader. Ms-appinstaller, specifically, is designed to help users install a Windows app by simply clicking a link on a website.

Microsoft blocks web installation of its own App Installer files
2022-02-07 19:36

Distribute an App Installer bundle that presented itself as a Trusted App, much like an app from the curated Microsoft Store. In contrast, the App Installer popup that verifies the digital signature of the App Bundle you're downloading explicitly identifies the software itself as a Trusted App, even though it allows the signer of the app to include entirely bogus vendor data in the app bundle, and then helpfully displays that fraudulent "Identification" directly beneath the "Trusted App" designator.

QuaDream, 2nd Israeli Spyware Firm, Weaponizes iPhone Bug
2022-02-07 18:49

ForcedEntry - the exploit of a zero-click iMessage zero day that circumvented Apple's then-brand-new BlastDoor security feature starting a year ago - was picked apart not just by NSO Group with its Pegasus spyware but also by a newly uncovered, smaller smartphone-hacking toolmaker named QuaDream. Two sources also said that QuaDream and NSO Group came up with the iPhone exploit techniques on their own, separately - as opposed to collaborating.

Microsoft plans to kill malware delivery via Office macros
2022-02-07 18:35

Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware. Using VBA macros embedded in malicious Office documents is a very popular method to push a wide range of malware families in phishing attacks, including Emotet, TrickBot, Qbot, and Dridex.

Roaming Mantis mobile smishing campaign spreads, gets updated features
2022-02-07 17:39

The mobile malware campaign known as Roaming Mantis largely left the news cycle after making a splash in 2018, but Kaspersky is reporting that some new life has been breathed into the campaign in the form of new features and new targets: this time it has set its sights on France and Germany.

Google announces threat detection for virtual machines in its cloud
2022-02-07 17:35

Google is adding a new defensive layer to protect enterprise workloads running in Google Cloud. It's called Virtual Machine Threat Detection, and will help select Security Command Center customers detect cryptomining malware inside their virtual machines.

Roaming Mantis Expands Android Backdoor to Europe
2022-02-07 17:32

The Roaming Mantis Android malware campaign has buzzed into Europe, quickly infesting France in particular, where there have been 66,789 downloads of the group's specific remote access trojan as of January. The campaign pushes the Android RAT known as Wroba onto victim devices.

Free decryptor released for TargetCompany ransomware victims
2022-02-07 17:08

Czech cybersecurity software firm Avast has released a decryption utility to help TargetCompany ransomware victims recover their files for free. The TargetCompany ransomware decryptor works by cracking the password after comparing an encrypted file with its original unencrypted version.

Google Cloud hypervisor modified to detect cryptominers without agents
2022-02-07 17:05

Google has announced the public preview of a new Virtual Machine Threat Detection system that can detect cryptocurrency miners and other malware without the need for software agents. A significant problem for developers and enterprises using cloud-based virtual machines is the constant targeting by threat actors who breach servers to install cryptominers.