Microsoft has disabled the ms-appinstaller protocol handler, a mechanism that simplified the installation of Windows applications, after attackers abused it to distribute malware loaders. Criminal groups have been using it since mid-November to deploy loader malware through malicious advertisements and phishing messages. The ms-appinstaller handler allowed attackers to bypass anti-malware safety mechanisms and the browser's built-in warnings. It also contained a vulnerability that Microsoft first mitigated in December 2021, but the fix was apparently deactivated in April, allowing attackers to exploit it again. Microsoft has identified multiple groups exploiting the flaw, including Storm-0569, Storm-1113, Storm-1674, and Sangria Tempest; these groups use ms-appinstaller to install loader malware and facilitate further infections. With the protocol handler disabled, Windows administrators must download the software package and run its application installer instead. The change has had a significant impact on enterprise use.
In summary, Microsoft disabled the ms-appinstaller protocol handler after attackers exploited it to distribute malware loaders. Attackers used malicious advertisements and phishing messages to propagate signed, malicious MSIX application packages, and the handler let those packages evade anti-malware safety mechanisms and browser warnings. The handler also had a vulnerability that Microsoft first mitigated and then, by deactivating the fix, reopened to exploitation. Multiple groups, including Storm-0569, Storm-1113, Storm-1674, and Sangria Tempest, have been exploiting the flaw to install loader malware and facilitate further infections. Microsoft's response, disabling the ms-appinstaller protocol handler, has affected enterprise use.
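As an added illustration (not from the article), here is a PowerShell audit an administrator can run to confirm the ms-appinstaller handler is off on a given host. The policy key `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller`, the value name `EnableMSAppInstallerProtocol`, and the App Installer version at which Microsoft turned the protocol off by default are my assumptions taken from Microsoft's published guidance, not from this page; verify them against the current advisory.

```powershell
# Added example, not Microsoft's code: report whether the ms-appinstaller
# protocol handler is disabled on this host, either by explicit policy or by
# the App Installer package's default.
function Test-MsAppInstallerProtocolDisabled {
    [CmdletBinding()]
    param(
        # Assumed: App Installer releases from this version onward ship with the
        # protocol disabled unless policy re-enables it. Verify before relying on it.
        [version]$MinimumDefaultDisabledVersion = '1.21.3421.0'
    )

    # Assumed policy location (Desktop App Installer ADMX). 0 = disabled, 1 = enabled.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name EnableMSAppInstallerProtocol `
                    -ErrorAction SilentlyContinue).EnableMSAppInstallerProtocol

    # Highest installed App Installer package version for the current user.
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    $pkgVersion = if ($pkg) { [version]$pkg.Version } else { $null }

    $disabledByPolicy  = ($policyValue -eq 0)
    $disabledByDefault = ($null -ne $pkgVersion) -and
                         ($pkgVersion -ge $MinimumDefaultDisabledVersion) -and
                         ($policyValue -ne 1)

    [pscustomobject]@{
        PolicyValue         = $policyValue
        AppInstallerVersion = $pkgVersion
        ProtocolDisabled    = [bool]($disabledByPolicy -or $disabledByDefault)
        Recommendation      = if ($disabledByPolicy) {
                                  'OK: disabled by policy'
                              } elseif ($disabledByDefault) {
                                  'OK: disabled by App Installer default; set policy to 0 to pin it'
                              } else {
                                  'Set EnableMSAppInstallerProtocol=0 (DWORD) under the policy key, or update App Installer'
                              }
    }
}

Test-MsAppInstallerProtocolDisabled | Format-List
```

Run it in the context of the users who browse and open installers; a result of `ProtocolDisabled : False` means an ms-appinstaller: link would still hand the MSIX to App Installer directly rather than going through the browser's download path.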
