This is a detection of a malicious installer built on the Universal Windows Platform (UWP) and signed with a stolen or compromised digital signature. Threat actors such as the financially motivated Storm-0569 use search engine optimization (SEO) to deceive users into downloading and installing this trojan.
For information about CryptedLoader and other human-operated malware campaigns, read this blog post:
The malicious installer might be downloaded by users from SEO results. It disguises itself as legitimate software, such as AnyDesk, Tableau, TeamViewer, or Zoom.
Here’s an example of a malicious installer pretending to be the Zoom application, together with its digital signature information. Note that the Publisher is not the one a user should expect to be publishing this software:
The payload delivered by the malicious installer varies, but it often leads to further malware, such as Cobalt Strike Beacon and BlackBasta ransomware.
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date. The following steps also help to prevent such an attack:
Pay close attention to where you’re downloading an application from, as it may be a spoofed website — even if it’s the first search result.
Check the publisher to make sure it’s the expected, legitimate publisher for the application you’re trying to download.
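The publisher check above can be done before running a downloaded installer. The following PowerShell function is an added example, not part of the original article or any Microsoft tooling: it reads the file's Authenticode signature and compares the signing certificate's Common Name with the publisher you expect. The file path and the expected publisher name are constructed for illustration.

```powershell
# Added example (not from the original article): verify that a downloaded installer is
# validly signed AND that the signer is the publisher you expect, not merely "some valid signer".
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Common Name (CN) of the publisher you expect; obtain it from a known-good copy of the software.
        [Parameter(Mandatory)] [string] $ExpectedPublisherCN
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $out = [pscustomobject]@{
        Path       = $Path
        Status     = [string]$sig.Status   # NotSigned, HashMismatch, UnknownError, Valid, ...
        SignerCN   = $null
        Thumbprint = $null
        Verdict    = 'DoNotInstall'
    }

    # Missing, tampered or untrusted signatures fail immediately.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $out }

    $cert = $sig.SignerCertificate
    # GetNameInfo returns the CN correctly even when it contains commas (e.g. "Example, Inc.").
    $out.SignerCN   = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $out.Thumbprint = $cert.Thumbprint

    # 'Valid' only proves the chain ends at a trusted root. A stolen or fraudulently obtained
    # certificate is also 'Valid', so the publisher name must match exactly; a substring match
    # would let look-alike names through.
    if ($out.SignerCN -ieq $ExpectedPublisherCN) { $out.Verdict = 'PublisherMatches' }
    return $out
}

# Usage (constructed path and publisher name; replace with the real values for your case).
Test-InstallerPublisher -Path 'C:\Users\Public\Downloads\ZoomInstaller.msix' `
                        -ExpectedPublisherCN 'Example Publisher, Inc.' | Format-List
```

Only a result of PublisherMatches means the file is both validly signed and signed by the expected publisher; a Valid status with a different SignerCN is exactly the case this threat relies on and the file should not be run.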
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Initial access
Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites. Turn on network protection to block connections to malicious domains and IP addresses.
Security controls
Turn on attack surface reduction rules, including rules that block malware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.