When deployed directly from a website, the page will contain a link of the form ms-appinstaller:?source=http://link-to.domain/app-name.msix. When clicked, the browser will pass the request to the ms-appinstaller protocol handler in Windows, which will invoke App Installer. This is the same type of functionality seen with other apps that register custom protocol handlers in Windows, such as when clicking a button on a web page to join a conference call and having the browser automatically open the Zoom or Microsoft Teams desktop apps.
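To make the link format concrete from a defender's side, here is an added example (not code from the article or from Microsoft) that scans page source or proxy-captured HTML for ms-appinstaller: links, pulls out the `source` parameter, and flags triage signals: a package served over plain HTTP, a package host that differs from the page host, or an unexpected file extension. The sample HTML, page URL and host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches ms-appinstaller: URIs as they appear in HTML attributes or log lines;
# stops at whitespace, quotes or angle brackets so the href boundary is respected.
MS_APPINSTALLER_RE = re.compile(r"""ms-appinstaller:\?[^\s"'<>]+""", re.IGNORECASE)

# Package extensions App Installer is expected to fetch via the source parameter.
PACKAGE_EXTENSIONS = (".msix", ".msixbundle")


def extract_sources(text):
    """Return every package URL referenced by an ms-appinstaller link in text."""
    sources = []
    for match in MS_APPINSTALLER_RE.finditer(text):
        query = match.group(0).split("?", 1)[1]
        for src in parse_qs(query).get("source", []):
            sources.append(src)
    return sources


def assess(page_url, text):
    """Evaluate each ms-appinstaller link on a page and attach triage reasons.

    Returns a list of {'source': url, 'reasons': [...]} dicts; an empty
    reasons list means nothing about the link looked unusual.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for src in extract_sources(text):
        parts = urlsplit(src)
        reasons = []
        if parts.scheme.lower() != "https":
            reasons.append("package fetched over plain http")
        src_host = (parts.hostname or "").lower()
        if src_host and page_host and src_host != page_host:
            reasons.append("package host differs from page host")
        if not parts.path.lower().endswith(PACKAGE_EXTENSIONS):
            reasons.append("unexpected package extension")
        findings.append({"source": src, "reasons": reasons})
    return findings


# Constructed sample: a lookalike download page linking to an MSIX on another host.
SAMPLE_PAGE_URL = "https://zoom-download.example/"
SAMPLE_HTML = """
<a href="ms-appinstaller:?source=http://cdn.example.net/Zoom-installer.msix">Download Zoom</a>
<a href="https://zoom-download.example/about">About</a>
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["source"], "->", finding["reasons"] or ["no signals"])
```

A host mismatch on its own is not proof of abuse, since legitimate vendors routinely serve installers from a CDN; the value of the check is that it surfaces every page that hands a package URL to App Installer so an analyst can compare the package host against the vendor the page claims to be.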
Extensive Microsoft App Installer abuse
Attackers started abusing the ms-appinstaller URI scheme a while ago by leading users to spoofed web pages for popular software and instead delivering malware packaged as MSIX. According to Microsoft, the technique saw adoption with multiple groups, culminating with a spike in attacks during November and December 2023.
At the beginning of December, an access broker group that Microsoft tracks as Storm-0569 launched a search engine optimization campaign that distributed BATLOADER using this technique. The group poisoned search results with links to web pages that posed as the official websites for legitimate software applications such as Zoom, Tableau, TeamViewer, and AnyDesk.
“Users who search for a legitimate software application on Bing or Google may be presented with a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol,” Microsoft said. “Spoofing and impersonating popular legitimate software is a common social engineering tactic.”
If the rogue links are clicked, users are presented with the App Installer window, which displays an install button. If that button is clicked, the malicious MSIX package is installed along with additional PowerShell and batch scripts that deploy BATLOADER. This malware loader is then used to deploy additional implants such as the Cobalt Strike Beacon, the Rclone data exfiltration tool and the Black Basta ransomware.
Another access broker tracked as Storm-1113, which also specializes in malware distribution through search advertisements, used this technique in mid-November 2023 to deploy a malware loader called EugenLoader by spoofing Zoom downloads. Since this group offers malware deployment as a service, EugenLoader has been used to deploy a variety of implants including Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer. Another group tracked as Sangria Tempest (also known as FIN7) used EugenLoader in November to drop its infamous Carbanak malware framework, which in turn deployed the Gracewire implant.