{"id":132866,"date":"2023-12-28T10:00:00","date_gmt":"2023-12-28T18:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=132866"},"modified":"2024-07-03T08:24:49","modified_gmt":"2024-07-03T15:24:49","slug":"financially-motivated-threat-actors-misusing-app-installer","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/28\/financially-motivated-threat-actors-misusing-app-installer\/","title":{"rendered":"Financially motivated threat actors misusing App Installer"},"content":{"rendered":"\n

Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569<\/a>, Storm-1113, Sangria Tempest<\/a>, and Storm-1674, utilizing the ms-appinstaller URI scheme<\/a> (App Installer) to distribute malware. In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.<\/p>\n\n\n\n

The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674.<\/p>\n\n\n\n\n\n

Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.<\/p>\n\n\n\n\n\n

In this blog, we provide an analysis of activity by financially motivated threat actors abusing App Installer observed since mid-November 2023.<\/p>\n\n\n\n\n\n

Threat actors abusing App Installer since mid-November 2023<\/h2>\n\n\n\n

Microsoft Threat intelligence observed several actors\u2014including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674\u2014using App Installer as a point of entry for human-operated ransomware activity. The observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files. <\/p>\n\n\n\n

Storm-0569<\/h3>\n\n\n\n

At the beginning of December 2023, Microsoft observed Storm-0569 distributing BATLOADER through search engine optimization (SEO) poisoning with sites spoofing legitimate software downloads such as Zoom, Tableau, TeamViewer, and AnyDesk. Users who search for a legitimate software application on Bing or Google may be presented with a landing page spoofing the original software provider\u2019s landing pages that include links to malicious installers through the ms-appinstaller protocol. Spoofing and impersonating popular legitimate software is a common social engineering tactic. These software are not affected by the attacks directly, but this information can help users better spot malicious spoofing by threat actors.<\/p>\n\n\n

\"Screenshot
Figure 1. A malicious landing page spoofing Zoom accessed via malicious search engine advertisement for Zoom downloads<\/figcaption><\/figure>\n\n\n
\"Screenshot
Figure 2. Sample malicious App Installer experience. Note the Publisher is not who a user should expect to be publishing this software.<\/figcaption><\/figure>\n\n\n\n

Users who click the links to the installers are presented with the desktop App Installer experience. If the user clicks \u201cInstall\u201d in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation.<\/p>\n\n\n\n

Storm-0569 then uses PowerShell and batch scripts that lead to the download of BATLOADER. In one observed instance, Storm-0569\u2019s BATLOADER dropped a Cobalt Strike Beacon followed by data exfiltration using the Rclone data exfiltration tools and Black Basta ransomware deployment by Storm-0506.<\/p>\n\n\n\n

Storm-0569 is an access broker that focuses on downloading post-compromise payloads, such as BATLOADER, through malvertising and phishing emails containing malicious links to download sites. The threat actor also provides malicious installers and landing page frameworks to other actors. They cover multiple infection chains that typically begin with maliciously signed Microsoft Installer (MSI) files posing as legitimate software installations or updates for applications such as TeamViewer, Zoom, and AnyDesk. Storm-0569 infection chains have led to additional dropped payloads, including IcedID, Cobalt Strike Beacon, and remote monitoring and management (RMM) tools, culminating in a handoff to ransomware operators like Storm-0846 and Storm-0506. <\/strong><\/p>\n\n\n\n

Storm-1113<\/h3>\n\n\n\n

Since mid-November 2023, Microsoft observed Storm-1113\u2019s EugenLoader delivered through search advertisements mimicking the Zoom app. Once a user accesses a compromised website, a malicious MSIX installer (EugenLoader) is downloaded on a device and used to deliver additional payloads. These payloads could include previously observed malware installs, such as Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also referred to as NetSupport RAT), Sectop RAT, and Lumma stealer.<\/p>\n\n\n\n

Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an \u201cas-a-service\u201d entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022<\/a>.<\/p>\n\n\n\n

Sangria Tempest<\/h3>\n\n\n\n

In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113\u2019s EugenLoader delivered through malicious MSIX package installations. Sangria Tempest then drops Carbanak, a backdoor used by the actor since 2014, that in turn delivers the Gracewire malware implant. In other cases, Sangria Tempest uses Google ads to lure users into downloading malicious MSIX application packages\u2014possibly relying on Storm-1113 infrastructure\u2014leading to the delivery of POWERTRASH, a highly obfuscated PowerShell script. POWERTRASH is then used to load NetSupport and Gracewire, a malware typically affiliated with the threat actor Lace Tempest, whom Sangria Tempest has cooperated with in past intrusions.<\/p>\n\n\n\n

Sangria Tempest (previously ELBRUS, also tracked as Carbon Spider, FIN7) is a financially motivated cybercriminal group currently focusing on conducting intrusions that often lead to data theft, followed by targeted extortion or ransomware deployment such as Clop ransomware.<\/p>\n\n\n\n

Storm-1674<\/h3>\n\n\n\n

Since the beginning of December 2023, Microsoft identified instances where Storm-1674 delivered fake landing pages through messages delivered using Teams. The landing pages spoof Microsoft services like OneDrive and SharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send chat messages to potential victims using the meeting’s chat functionality.<\/p>\n\n\n

\"Screenshot
Figure 3. Landing page pretending to be a SharePoint site for a spoofed employment opportunity site; target users are led to this landing page via malicious URLs sent via Teams messages.<\/figcaption><\/figure>\n\n\n
\"Screenshot
Figure 4. Fake error the user receives when clicking on any of the PDFs in the SharePoint. Clicking OK invokes ms-appinstaller.<\/figcaption><\/figure>\n\n\n
\"Screenshot
Figure 5. Sample malicious App Installer experience. Note the Publisher is not who a user should expect to be publishing Adobe software.<\/figcaption><\/figure>\n\n\n
\"Screenshot
Figure 6. Malicious landing page pretending to be a networking security tool; target users are led to this landing page via malicious URLs sent via Teams messages.<\/figcaption><\/figure>\n\n\n
\"Screenshot
Figure 7. Sample JavaScript invokes ms-appinstaller handler from malicious landing page at time of user click.<\/figcaption><\/figure>\n\n\n
\"Screenshot
Figure 8. Sample malicious App Installer experience. Note the Publisher is not who a user should expect to be publishing this software.<\/figcaption><\/figure>\n\n\n\n

The user is then lured into downloading spoofed applications like the ones shown in figures 5 and 8, which will likely drop SectopRAT or DarkGate. In these cases, Storm-1674 was using malicious installers and landing page frameworks provided by Storm-1113.<\/p>\n\n\n\n

Microsoft assesses this technique was used to avoid the accept\/block screen shown in one-on-one and group chats. The Teams client now shows an accept\/block screen for meeting chats sent by an external user.<\/p>\n\n\n\n

Microsoft has taken action to mitigate the spread of malware from confirmed malicious tenants by blocking their ability to send messages thus cutting off the main method used for phishing.<\/p>\n\n\n\n

Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.<\/p>\n\n\n\n

Recommendations<\/h2>\n\n\n\n

The ms-appinstaller URI scheme<\/a> handler has been disabled by default in App Installer build 1.21.3421.0. Refer to the Microsoft Security Response Blog<\/a> for App Installer protection tips.<\/p>\n\n\n\n

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. <\/p>\n\n\n\n