Microsoft protocol disabled by default after discovery of vulnerability exploited by cybercriminals


The protocol was supposed to make life easier for users. But it also made life easier for cybercriminals. At the end of December, Microsoft finally announced that MS-AppInstaller, a protocol that let a Windows application be installed in one click from a web page, is now disabled by default.

As the Redmond firm regrets, this protocol has been abused by several groups of cybercriminals since at least mid-November 2023. Microsoft's experts have also observed a malicious kit built on this flaw being sold on underground markets.

Bypassing protections

The MS-AppInstaller protocol was of particular interest to cybercriminals. As Microsoft notes, it made it possible to bypass protection mechanisms such as Microsoft Defender SmartScreen, the Edge browser service that warns users when an executable file is downloaded.

For example, cybercriminals imitated the download pages of well-known software such as AnyDesk, Tableau, TeamViewer and Zoom. Launching the installation of the fake software actually opened the way, via a loader, to malware, notably the Black Basta ransomware.

Likewise, Microsoft's experts have seen the flaw used to install stealers, spyware and Trojan horses by initial access brokers and digital extortion specialists.

Download before installation

To persuade victims to click on the fake installation links, cybercriminals also used Teams, opening meetings before sending fraudulent messages to the participants.

With MS-AppInstaller disabled by default, the user now has to download the package first and then install the software. It is generally recommended to install software only from the publisher's website or from a certified application store.
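For administrators who want to verify that the protocol is actually off on their fleet rather than rely on the default, the following PowerShell check is an added example and not code from the article or from Microsoft. It assumes the Desktop App Installer policy described in Microsoft's documentation, where the registry value `EnableMSAppInstallerProtocol` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller` set to `0` disables the ms-appinstaller handler; the function name and the output shape are the example's own choices.

```powershell
# Added example: report whether the ms-appinstaller protocol is disabled by policy.
# Assumption: the policy key/value names below follow Microsoft's Desktop App Installer
# policy (EnableMSAppInstallerProtocol, DWORD, 0 = disabled). Function name is hypothetical.
function Test-MSAppInstallerProtocolDisabled {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller',
        [string]$ValueName  = 'EnableMSAppInstallerProtocol'
    )

    $result = [ordered]@{
        PolicyPresent = $false
        Value         = $null
        Disabled      = $false
        Note          = ''
    }

    if (Test-Path -Path $PolicyPath) {
        $item = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.PSObject.Properties.Name -contains $ValueName) {
            $result.PolicyPresent = $true
            $result.Value = [int]$item.$ValueName
            # An explicit 0 means the protocol handler is blocked regardless of the
            # App Installer build shipped on the machine.
            $result.Disabled = ($result.Value -eq 0)
            $result.Note = if ($result.Disabled) {
                'Protocol explicitly disabled by policy.'
            } else {
                'Policy explicitly re-enables the protocol; review whether this is intended.'
            }
            return [pscustomobject]$result
        }
    }

    # No explicit policy: behaviour depends on the installed App Installer version
    # (disabled by default only on builds shipped after Microsoft's December change).
    $result.Note = 'No explicit policy; protocol state depends on the App Installer version. ' +
                   'Set the value to 0 to enforce the block.'
    return [pscustomobject]$result
}

# Enforce the block (requires an elevated prompt). Idempotent: creates the key if missing.
function Set-MSAppInstallerProtocolDisabled {
    param([string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller')
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name 'EnableMSAppInstallerProtocol' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

Test-MSAppInstallerProtocolDisabled | Format-List
```

Running the check first tells you whether a machine is protected by an explicit policy or only by whichever App Installer build happens to be present; the second function pins the block so that an older or sideloaded App Installer cannot silently re-expose the handler.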

Two years ago, Microsoft already had to fix a vulnerability in the Windows AppX Installer. At the time, the publisher was worried about cybercriminals abusing the installer to deploy malware such as Emotet, Trickbot and BazaLoader.
