Security News > 2023 > December > Microsoft disables MSIX protocol handler abused in malware attacks
Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware.
Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages.
"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-app installer protocol handler."
In a private Microsoft threat analytics report seen by BleepingComputer, FIN7 was also connected to attacks targeting PaperCut printing servers with Clop ransomware.
The AppX Installer spoofing vulnerability was exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure, using *.web.
Microsoft previously disabled the ms-appinstaller protocol handler in February 2022 to thwart Emotet's onslaught.
News URL
Related news
- New Attack Technique Exploits Microsoft Management Console Files (source)
- 'Skeleton Key' attack unlocks the worst of AI, says Microsoft (source)
- FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks (source)
- Hackers attack HFS servers to drop malware and Monero miners (source)
- GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks (source)
- ViperSoftX Malware Disguises as eBooks on Torrents to Spread Stealthy Attacks (source)
- Windows MSHTML zero-day used in malware attacks for over a year (source)
- PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks (source)
- New BugSleep malware implant deployed in MuddyWater attacks (source)
- Microsoft links Scattered Spider hackers to Qilin ransomware attacks (source)