Microsoft: Microsoft details how financially motivated hackers targeted Windows users


Microsoft has said that it has disabled the Windows App Installer protocol handler after several financially motivated hacking groups abused it to infect Windows machines with malware. The company has explained how cybercriminals have been distributing malicious software this way since mid-November 2023.
Microsoft also said the vulnerability could have been exploited for ransomware distribution, with packages delivered through websites reached via malicious advertisements for legitimate, popular software.
“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware,” the company said.
How attackers targeted the flaw
Microsoft says that the attackers exploited the vulnerability to bypass security measures that would otherwise protect Windows users from malware. These include the Defender SmartScreen anti-phishing and anti-malware components, as well as the built-in browser alerts that warn users about executable file downloads.
At the beginning of December 2023, Microsoft observed a hacking group distributing fake versions of software such as Zoom, Tableau, TeamViewer and AnyDesk through a technique known as search engine optimisation (SEO) poisoning, which essentially spoofs legitimate software downloads.
These offerings were presented to users who searched for a legitimate software application on Bing or Google. Spoofing or impersonating a trusted brand is a popular social engineering tactic for targeting users.
Users who clicked the links for these impersonated apps were presented with the desktop App Installer experience. If the user clicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation.
How to protect yourself
While Microsoft has already disabled the protocol that was exploited, users should always be vigilant about the platform that is offering the software for download. One should also keep an eye on the URL and check for spelling errors on the software page. Always download software from official websites.
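As an added defender-side example (not from the article or from Microsoft), the PowerShell script below audits whether the ms-appinstaller protocol handler has been turned off by policy on a managed Windows host and, in an elevated session, applies the Disabled setting. It assumes the "Enable App Installer ms-appinstaller protocol" Group Policy is backed by the DWORD value EnableMSAppInstallerProtocol under the AppInstaller policy key shown; verify both against your environment's ADMX templates before relying on them.

```powershell
# Added example: audit and enforce the policy that disables the ms-appinstaller
# URI scheme discussed in the article. Registry path and value name are assumed.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # Returns 'NotConfigured', 'Disabled' or 'Enabled' based on the policy value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$PolicyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-MsAppInstallerProtocol {
    # Requires an elevated session; creates the policy key if it is missing.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

# Is the ms-appinstaller URL protocol even registered on this host?
$handlerRegistered = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

$state = Get-MsAppInstallerProtocolState
Write-Output "ms-appinstaller handler registered : $handlerRegistered"
Write-Output "ms-appinstaller policy state       : $state"

if ($handlerRegistered -and $state -ne 'Disabled') {
    $isAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) {
        Disable-MsAppInstallerProtocol
        Write-Output "Policy applied; new state: $(Get-MsAppInstallerProtocolState)"
    } else {
        Write-Warning 'Protocol not disabled by policy; rerun elevated to apply it.'
    }
}
```

The policy value is read by App Installer at the next protocol invocation, so no reboot is needed, but a `gpupdate` on domain-joined hosts may overwrite a locally set value with whatever the domain GPO specifies.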