Tag Archive for: Installer

Microsoft Disabled App Installer Abused by Hackers


Threat actors, particularly those with financial motivations, have been observed spreading malware via the ms-appinstaller URI scheme (App Installer). As a result of this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.

“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence team said.

The ms-appinstaller protocol handler vector is probably the one that threat actors have selected since it can bypass security measures like Microsoft Defender SmartScreen and built-in browser alerts for downloading executable file types, which are intended to protect users from malware.

Microsoft Threat Intelligence has identified App Installer as a point of entry for human-operated ransomware activities by several actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.

Document

Free Webinar

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Spoofing legitimate applications, tricking users into installing malicious MSIX packages that look like legitimate applications, and avoiding detections on the initial installation files are some of the activities that have been noticed.

Financially Motivated Threat Actors Abusing App Installer

Microsoft discovered that Storm-0569 was using search engine optimization (SEO) poisoning to spread BATLOADER by impersonating websites that offered legitimate downloads, including AnyDesk, Zoom, Tableau, and TeamViewer. 

When a user searches on Bing or Google for a legitimate software application, they could see links to malicious installers using the ms-app installer protocol on a landing page that mimics the landing pages of the actual software provider. A prominent social engineering technique involves spoofing and imitating…

Source…

‘Financially Motivated Threat Actors’ Distributing Malware via App Installer


Microsoft is warning that bad actors, including those financially motivated, are using App Installer to distribute malware.

Microsoft Threat Intelligence says bad actors have been using the ms-appinstaller URI scheme (App Installer) to distribute malware since at least mid-November 2023. Microsoft has disabled the protocol handler in an effort to combat its abuse.

The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674.

Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.

The attacks are especially dangerous for Teams users, since the bad actors are spoofing legitimate Microsoft pages.

Since the beginning of December 2023, Microsoft identified instances where Storm-1674 delivered fake landing pages through messages delivered using Teams. The landing pages spoof Microsoft services like OneDrive and SharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send chat messages to potential victims using the meeting’s chat functionality.

More information can be found here, including detailed analysis of the attack. In the meantime, Microsoft says organizations should educate Teams users to be able to identify and protect themselves from this exploit.

Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.

Source…

Emotet malware infects users again after fixing broken installer


Emotet

The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from becoming infected when they opened malicious email attachments.

Emotet is a malware infection distributed through spam campaigns with malicious attachments. If a user opens the attachment, malicious macros or scripts will download the Emotet DLL and load it into memory.

Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

Buggy attachments broke the Emotet campaign

Last Friday, the Emotet malware distributors launched a new email campaign that included password-protected ZIP file attachments containing Windows LNK (shortcut) files pretending to be Word documents.

Current Emotet phishing email example
Current Emotet phishing email example
Source: Cofense

When a user double-clicked on the shortcut, it would execute a command that searches the shortcut file for a particular string that contains Visual Basic Script code, appends the found code to a new VBS file, and executes that VBS file, as shown below.

Emotet shortcut commands from Friday's campaign
Emotet shortcut commands from Friday’s campaign
Source: BleepingComputer

However, this command contained a bug as it used a static shortcut name of ‘Password2.doc.lnk,’ even though the actual name of the attached shortcut file is different, like ‘INVOICE 2022-04-22_1033, USA.doc’.

This caused the command to fail, as the Password2.doc.lnk file did not exist, and thus the VBS file was not created, as explained by the Emotet research group Cryptolaemus.

Cryptolaemus researcher Joseph Roosen told BleepingComptuer that Emotet shut down the new email campaign at approximately 00:00 UTC on Friday after discovering that the bug was preventing users from becoming infected.

Unfortunately, Emotet fixed the bug today…

Source…

Razer to fix Windows installer that grants admin powers if you plug in a mouse • The Register


In brief Razer is working on an updated installer after it was discovered you can gain admin privileges on Windows by plugging in one of the gaming gear maker’s mice or keyboards.

In fact, inserting any USB device that declares itself a Razer mouse or keyboard will lead to an exploitable situation.

As documented late last week by a Twitter user called j0nh4t, if you plug into a Windows 10 or 11 machine a device identified as a Razer mouse or keyboard, Microsoft’s OS will automatically download and run Razer’s installer for the manufacturer’s Synapse software, which can be used to configure the peripheral.

During the installation process, which runs at the System level, you can spawn a Powershell terminal from an Explorer window that runs with these high-level privileges. Thus, you can gain local admin access on a machine, if you can login in somehow and plug in a gadget – useful for penetration testing, at least. It is also possible to tell the installer to use a user-controlled folder to store an executable that is run on every boot, which can be hijacked by a rogue user.

The bug finder said they had no luck in getting Razer’s attention when trying to report these flaws, and after they put a zero-day exploit for the Powershell hole on Twitter, the manufacturer got in touch and offered a vulnerability bounty. A new version of the installer to address these problems is being prepared for release, we’re told. We wonder how many Windows installers have these same weaknesses.

A spokesperson for Razer told us today: “We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.

“We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated…

Source…