UPDATED 16:30 EDT / DECEMBER 29 2023

SECURITY

Microsoft disables vulnerable Windows component following malware campaigns

Microsoft Corp. has disabled a Windows feature that helps users download new applications after finding that hackers were using it to spread malware. 

The company announced the move on Thursday. The Windows feature in question, which is known as the ms-appinstaller protocol handler, was previously disabled by Microsoft early last year for similar reasons. A hacking group had used it to spread malware disguised as an Adobe Inc. application. 

Microsoft has developed several technologies to ease the task of installing new programs on Windows machines. One of those technologies is App Installer, an application setup tool built directly into the operating system. It helps users download programs stored in the popular MSIX file format.

The feature that Microsoft disabled is part of App Installer. It allows Windows users to install a program stored in the MSIX format by clicking on a download link. According to Microsoft, the decision to turn off the feature followed the discovery that hackers have been using it to distribute malware disguised as legitimate applications.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft researchers detailed in a blog post.
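As an added defender-side example (not code from Microsoft or from the original article), the following Python scans proxy log lines for ms-appinstaller: links and flags those whose MSIX package is served from a host outside a trusted list; the log line format, the hostnames and the allowlist are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of hosts this organisation trusts to serve MSIX packages.
TRUSTED_MSIX_HOSTS = {"packages.corp.example"}

# Constructed web-proxy log lines (not real telemetry): "<time> user=<u> url=<url>"
SAMPLE_LOG = """\
2023-11-20T10:15:01Z user=alice url=https://www.zoom.us/download
2023-11-20T10:15:09Z user=alice url=ms-appinstaller:?source=https://zoom-download.example.test/ZoomInstaller.msix
2023-11-20T11:02:44Z user=bob url=ms-appinstaller:?source=https://packages.corp.example/LineOfBusiness.msix
2023-11-20T11:40:12Z user=carol url=ms-appinstaller:?source=https%3A%2F%2Fonedrive-share.example.test%2FOneDrive.msix
"""


def msix_source(uri: str):
    """Return the package URL carried by an ms-appinstaller: URI, else None.

    The handler is invoked as ms-appinstaller:?source=<URL of the .msix/.appinstaller>;
    parse_qs() percent-decodes the value, so an encoded source is handled as well.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    sources = parse_qs(parts.query).get("source")
    return sources[0] if sources else None


def flag_untrusted_appinstaller(log_text: str):
    """Return (user, package_url, host) for ms-appinstaller links whose package
    is hosted outside TRUSTED_MSIX_HOSTS. Because the handler skips the browser's
    executable-download warning and SmartScreen, these deserve closer review than
    an ordinary download of the same file would."""
    hits = []
    for line in log_text.splitlines():
        # Fields after the timestamp are key=value pairs; the URL carries no spaces.
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        src = msix_source(fields.get("url", ""))
        if src is None:
            continue
        host = (urlsplit(src).hostname or "").lower()
        if host not in TRUSTED_MSIX_HOSTS:
            hits.append((fields["user"], src, host))
    return hits
```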

The cyberattacks began in mid-November. Microsoft determined that they were carried out by four financially motivated threat actors tracked as Storm-0569, Storm-1113, Sangria Tempest and Storm-1674.

Two of the cybercrime groups, Storm-1113 and Sangria Tempest, used search engine ads to spread their malware. Users who clicked the ads were prompted to download malicious MSIX files disguised as legitimate programs. Microsoft believes that Sangria Tempest, which used the malicious ads to carry out extortion and ransomware campaigns, may have used infrastructure provided by Storm-1113 to support its hacking efforts. 

Another threat actor, Storm-0569, spread malware via malicious websites. Those websites were designed to appear in Google and Bing results when users search for legitimate business applications. According to Microsoft, the hackers’ malware was disguised as applications from Zoom Video Communications Inc., Salesforce Inc.’s Tableau unit and other enterprise software providers.

The fourth threat actor detected by the company distributed malware via Microsoft Teams messages. The messages linked to webpages that mimicked the landing pages of OneDrive, SharePoint and other popular applications. The webpages attempted to trick users into downloading malicious MSIX programs. 

To prevent future cyberattacks, Microsoft has blocked the Teams accounts used in the malware campaign. Additionally, the company revoked the code signing certificates of the malicious applications it identified as part of its research. The latter move will make it more difficult for hackers to trick users into downloading the malware.

