As with anything Windows, attackers were eventually going to look at it and find a way to abuse it. In November 2021 that is exactly what happened. Emails began floating around the internet carrying the usual spam urgency. Some alleged that the recipient was under investigation for misconduct and invited them to open the complaint for review (these were observed by researchers at Sophos). The problem was that the link was not a link to a PDF or to a normal company share. It was an “ms-appinstaller://” link that launched the web installer for a malicious app bundle.
The link, once clicked, took the target to a page that presented them with what looked like a benign app. In the case of the PDF-themed spam emails, the page posed as an Adobe PDF reader. The page looks shockingly real and even carries the “trusted app” checkmark.
This is because attackers had found a loophole in the way apps are bundled. They found that by creating a fake company (or impersonating or breaching an existing one) they could obtain a trusted signing key for their apps. From there it was easy to set the app bundle to show as a different company (the company name is just a text string in the bundle) and then push it out via spam emails. By using the ms-appinstaller URL they could invoke the AppInstaller.exe process inside Windows directly. This bypassed the browser and any download protections it would otherwise have applied.
Since attackers could package whatever they wanted inside the bundle, including unsigned code, it was a great method for delivering malware through what appeared to be a trusted platform. Granted, there was and still is the very real possibility that the malicious app would be caught by anti-malware agents present on the system, but it remains a very effective way to shovel malware out to people.
The payload in the originally identified attack appears to be one that turns the targeted system into a zombie for later exploitation or delivery of a further malware payload. This is not an unusual practice, and it allows the threat actor that is part of the IAG (Initial Access Group) to sell access to others. From there, the access can be leveraged for a large number of malicious purposes.
Sophos has a list of recommendations that might at first seem a bit aggressive. These include using a web filter to block common app package extensions and even blocking the ms-appinstaller URL prefix. This would affect anyone legitimately relying on these items as their app delivery method. However, Microsoft themselves are now recommending this in addition to actively blocking the MSIX ms-appinstaller protocol handler. Nothing like hearing from the developer that they know this is an issue. Hopefully, when and if they re-enable this protocol handler, they will have identified an actual fix and not just a bandage for the problem. Attackers are nothing if not persistent, and now that they know there is a way to do this, a simple patch is not going to stop them.
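The two filtering recommendations above (block the ms-appinstaller URL prefix, block package extensions) are easy to turn into a check over proxy or web-filter logs. The following Python script is an added example written for this page; it is not code from the article, from Sophos, or from Microsoft. It assumes the documented link form ms-appinstaller:?source=<https URL of the package>, and the log format it parses (timestamp, client IP, method, URL, status) is a constructed one that you would swap for your own proxy's format. It flags a line either because the protocol handler was invoked (which, as described above, sidesteps the browser) or because the fetched object is an app package, and it pulls out the source URL so the hosting domain can be blocked or hunted further.

```python
"""Flag ms-appinstaller links and app-package downloads in proxy log lines.

Added example, not part of the original article. Assumptions:
  * links use the documented form  ms-appinstaller:?source=<package URL>
  * log lines are constructed here as  <timestamp> <client_ip> <method> <url> <status>
"""
from urllib.parse import parse_qs, urlsplit

# Package and installer-manifest extensions that App Installer fetches from the
# "source" URL; Sophos/Microsoft recommend blocking these at the web filter.
PACKAGE_EXTENSIONS = (".appinstaller", ".msix", ".msixbundle", ".appx", ".appxbundle")

# Constructed sample traffic (not real log data). Line 2 is the spam-style
# protocol-handler link, line 3 a direct package download, line 4 a
# percent-encoded, upper-cased variant of the handler link.
SAMPLE_LOG = """\
2021-11-02T09:14:07Z 10.1.4.22 GET https://intranet.example.test/policies/complaint.pdf 200
2021-11-02T09:15:31Z 10.1.4.22 GET ms-appinstaller:?source=https://cdn.example.invalid/AdobePDFReader.appinstaller 200
2021-11-02T09:16:02Z 10.1.4.23 GET https://vendor.example.test/setup/App.msixbundle 200
2021-11-02T09:17:45Z 10.1.4.24 GET MS-APPINSTALLER:?source=https%3A%2F%2Fcdn.example.invalid%2Fupdate.msixbundle 200
"""


def classify_url(url: str) -> dict:
    """Return {'url', 'source', 'reasons'} for one URL.

    'source' is the package URL handed to App Installer (None for ordinary
    links); 'reasons' is empty when nothing about the URL is suspicious.
    """
    parts = urlsplit(url.strip())          # urlsplit lower-cases the scheme
    reasons = []
    source = None
    if parts.scheme == "ms-appinstaller":
        reasons.append("ms-appinstaller protocol handler invoked")
        # parse_qs also percent-decodes, so encoded source URLs are recovered.
        source = parse_qs(parts.query).get("source", [None])[0]
        target = source or ""
    else:
        target = url
    path = urlsplit(target).path.lower() if target else ""
    ext = next((e for e in PACKAGE_EXTENSIONS if path.endswith(e)), None)
    if ext:
        reasons.append(f"package download ({ext})")
    return {"url": url, "source": source, "reasons": reasons}


def scan_log(text: str) -> list:
    """Parse constructed log lines and return one finding per flagged line."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                       # skip malformed lines rather than crash
        timestamp, client, _method, url, _status = fields
        verdict = classify_url(url)
        if verdict["reasons"]:
            findings.append({"time": timestamp, "client": client, **verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {'; '.join(f['reasons'])}")
        if f["source"]:
            print(f"    package source: {f['source']}")
```

Note the deliberate order of the checks: a protocol-handler link is flagged even when the source URL has no recognisable package extension, because the handler itself is what lets the bundle bypass the browser; the extension check is a second, independent signal that also catches plain HTTPS downloads of the same packages.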