www.microsoft.com Open in urlscan Pro
2a02:26f0:1700:199::356e  Public Scan

URL: https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/
Submission: On January 08 via api from DE — Scanned from DE

Form analysis 2 forms found in the DOM

Name: searchFormGET https://www.microsoft.com/en-us/security/site-search

<form class="c-search" autocomplete="off" id="searchForm" name="searchForm" role="search" action="https://www.microsoft.com/en-us/security/site-search" method="GET" data-seautosuggest=""
  data-seautosuggestapi="https://www.microsoft.com/msstoreapiprod/api/autosuggest"
  data-m="{&quot;cN&quot;:&quot;GlobalNav_Search_cont&quot;,&quot;cT&quot;:&quot;Container&quot;,&quot;id&quot;:&quot;c3c1c9c3c1m1r1a1&quot;,&quot;sN&quot;:3,&quot;aN&quot;:&quot;c1c9c3c1m1r1a1&quot;}" aria-expanded="false"
  style="overflow-x: visible;">
  <div class="x-screen-reader" aria-live="assertive"></div>
  <input id="cli_shellHeaderSearchInput" aria-label="Search Expanded" aria-autocomplete="list" aria-expanded="false" aria-controls="universal-header-search-auto-suggest-transparent" aria-owns="universal-header-search-auto-suggest-ul" type="search"
    name="q" role="combobox" placeholder="Search Microsoft Security" data-m="{&quot;cN&quot;:&quot;SearchBox_nav&quot;,&quot;id&quot;:&quot;n1c3c1c9c3c1m1r1a1&quot;,&quot;sN&quot;:1,&quot;aN&quot;:&quot;c3c1c9c3c1m1r1a1&quot;}" data-toggle="tooltip"
    data-placement="right" title="Search Microsoft Security" data-open="false" style="overflow-x: visible;">
  <button id="search" aria-label="Search Microsoft Security" class="c-glyph" data-m="{&quot;cN&quot;:&quot;Search_nav&quot;,&quot;id&quot;:&quot;n2c3c1c9c3c1m1r1a1&quot;,&quot;sN&quot;:2,&quot;aN&quot;:&quot;c3c1c9c3c1m1r1a1&quot;}"
    data-bi-mto="true" aria-expanded="false" style="overflow-x: visible;">
    <span role="presentation" style="overflow-x: visible;">Search</span>
    <span role="tooltip" class="c-uhf-tooltip c-uhf-search-tooltip" style="overflow-x: visible;">Search Microsoft Security</span>
  </button>
  <div class="m-auto-suggest" id="universal-header-search-auto-suggest-transparent" role="group" style="overflow-x: visible;">
    <ul class="c-menu" id="universal-header-search-auto-suggest-ul" aria-label="Search Suggestions" aria-hidden="true" data-bi-dnt="true" data-bi-mto="true" data-js-auto-suggest-position="default" role="listbox" data-tel="jsll"
      data-m="{&quot;cN&quot;:&quot;search suggestions_cont&quot;,&quot;cT&quot;:&quot;Container&quot;,&quot;id&quot;:&quot;c3c3c1c9c3c1m1r1a1&quot;,&quot;sN&quot;:3,&quot;aN&quot;:&quot;c3c1c9c3c1m1r1a1&quot;}" style="overflow-x: visible;"></ul>
    <ul class="c-menu f-auto-suggest-no-results" aria-hidden="true" data-js-auto-suggest-postion="default" data-js-auto-suggest-position="default" role="listbox" style="overflow-x: visible;">
      <li class="c-menu-item" style="overflow-x: visible;"> <span tabindex="-1" style="overflow-x: visible;">No results</span></li>
    </ul>
  </div>
</form>

https://www.microsoft.com/en-us/security/blog/

<form role="search" id="searchform-1" action="https://www.microsoft.com/en-us/security/blog/" class="search-form" type="searchForm">
  <meta itemprop="target" content="https://www.microsoft.com/en-us/security/blog/?s={s}">
  <label for="searchform-1-field" class="sr-only"> Search the Microsoft security blog </label>
  <div class="bg-white dark-bg-gray-900 dark-text-white dark-border-gray-700 border border-gray-300 d-flex">
    <input itemprop="query-input" class="form-control form-control-sm border-0 flex-grow-1 h-100 py-2" type="search" id="searchform-1-field" name="s" placeholder="Search the blog" value="">
    <button class="btn btn-link-secondary m-0 py-1" type="submit">
      <span class="sr-only">Submit</span>
      <span class="svg" aria-hidden="true">
        <svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 13" width="13" height="12">
          <path d="M4.833.097a4.833 4.833 0 0 1 3.753 7.879l3.268 3.267a.5.5 0 0 1-.651.756l-.057-.049L7.88 8.683A4.833 4.833 0 1 1 4.833.097Zm0 1a3.833 3.833 0 1 0 0 7.666 3.833 3.833 0 0 0 0-7.666Z" fill="#4C4C51"></path>
        </svg> </span>
    </button>
  </div>
</form>

Text Content

We use optional cookies to improve your experience on our websites, such as
through social media connections, and to display personalized advertising based
on your online activity. If you reject optional cookies, only cookies necessary
to provide you the services will be used. You may change your selection by
clicking “Manage Cookies” at the bottom of the page. Privacy Statement
Third-Party Cookies

Accept Reject Manage cookies
Unleash AI-powered browsing with Copilot in Microsoft Edge Go beyond what you
thought was possible with your AI-companion for the web
No, thanks Try now
Skip to main content
Microsoft
Microsoft Security
Microsoft Security
Microsoft Security
 * Home
 * Solutions
    * Cloud security
    * Cloud workload protection
    * Data security
    * Frontline workers
    * Identity & network access
    * Identity threat detection & response
    * Industrial & critical infrastructure
    * Information protection & governance
    * IoT security
    * Passwordless authentication
    * Phishing
    * Ransomware
    * Risk management
    * Secure remote work
    * Small & medium business
    * XDR
    * XDR + SIEM
    * Zero Trust

 * Products
    * Product families Product families
      * Microsoft Defender
      * Microsoft Entra
      * Microsoft Intune
      * Microsoft Priva
      * Microsoft Purview
      * Microsoft Sentinel
    * Security AI Security AI
      * Microsoft Security Copilot
    * Identity & access Identity & access
      * Microsoft Entra ID (Azure Active Directory)
      * Microsoft Entra External ID
      * Microsoft Entra ID Governance
      * Microsoft Entra ID Protection
      * Microsoft Entra Internet Access
      * Microsoft Entra Private Access
      * Microsoft Entra Permissions Management
      * Microsoft Entra Verified ID
      * Microsoft Entra Workload ID
      * Microsoft Entra Domain Services
      * Azure Key Vault
    * SIEM & XDR SIEM & XDR
      * Microsoft Sentinel
      * Microsoft Defender for Cloud
      * Microsoft Defender XDR
      * Microsoft Defender for Endpoint
      * Microsoft Defender for Office 365
      * Microsoft Defender for Identity
      * Microsoft Defender for Cloud Apps
      * Microsoft Defender Vulnerability Management
      * Microsoft Defender Threat Intelligence
    * Cloud security Cloud security
      * Microsoft Defender for Cloud
      * Microsoft Defender Cloud Security Posture Mgmt
      * Microsoft Defender External Attack Surface Management
      * Azure Firewall
      * Azure Web App Firewall
      * Azure DDoS Protection
      * GitHub Advanced Security
    * Endpoint security & management Endpoint security & management
      * Microsoft Defender for Endpoint
      * Microsoft Defender XDR
      * Microsoft Intune core capabilities
      * Microsoft Intune Endpoint Privilege Management
      * Microsoft Intune Remote Help
      * Microsoft Defender for IoT
      * Microsoft Defender for Business
      * Microsoft Defender Vulnerability Management
    * Risk management & privacy Risk management & privacy
      * Microsoft Purview Insider Risk Management
      * Microsoft Purview Communication Compliance
      * Microsoft Purview eDiscovery
      * Microsoft Purview Compliance Manager
      * Microsoft Purview Audit
      * Microsoft Priva Risk Management
      * Microsoft Priva Subject Rights Requests
    * Information protection Information protection
      * Microsoft Purview Information Protection
      * Microsoft Purview Data Lifecycle Management
      * Microsoft Purview Data Loss Prevention

 * Services
    * Microsoft Security Experts
    * Microsoft Defender Experts for XDR
    * Microsoft Defender Experts for Hunting
    * Microsoft Incident Response
    * Microsoft Security Services for Modernization

 * Partners
 * Resources
    * Get started Get started
      * Cybersecurity awareness
      * Customer stories
      * Security 101
      * Product trials
      * How we protect Microsoft
    * Reports and analysis Reports and analysis
      * Industry recognition
      * Microsoft Security Insider
      * Microsoft Digital Defense Report
      * Security Response Center
    * Community Community
      * Microsoft Security Blog
      * Microsoft Security Events
      * Microsoft Tech Community
    * Documentation and training Documentation and training
      * Documentation
      * Technical Content Library
      * Training & certifications
    * Additional sites Additional sites
      * Compliance Program for Microsoft Cloud
      * Microsoft Trust Center
      * Security Engineering Portal
      * Service Trust Portal
      * Microsoft built in security

 * Contact Sales
 * More
 * Start free trial

 * All Microsoft
   
   
    * GLOBAL
      
      * Microsoft Security
      * Azure
      * Dynamics 365
      * Microsoft 365
      * Microsoft Teams
      * Windows 365
    * Tech & innovation Tech & innovation
      * Microsoft Cloud
      * AI
      * Azure Space
      * Mixed reality
      * Microsoft HoloLens
      * Microsoft Viva
      * Quantum computing
      * Sustainability
    * Industries Industries
      * Education
      * Automotive
      * Financial services
      * Government
      * Healthcare
      * Manufacturing
      * Retail
      * All industries
    * Partners Partners
      * Find a partner
      * Become a partner
      * Partner Network
      * Find an advertising partner
      * Become an advertising partner
      * Azure Marketplace
      * AppSource
    * Resources Resources
      * Blog
      * Microsoft Advertising
      * Developer Center
      * Documentation
      * Events
      * Licensing
      * Microsoft Learn
      * Microsoft Research
    * View Sitemap


Search Search Microsoft Security
 * No results

Cancel
Light Dark

 1. Blog home
 2. Threat intelligence

Search the Microsoft security blog
Submit
 * Research
 * Threat intelligence
 * Microsoft Defender
 * Social engineering / phishing

9 min read


FINANCIALLY MOTIVATED THREAT ACTORS MISUSING APP INSTALLER

 * By Microsoft Threat Intelligence

December 28, 2023
 * 
 * 
 * 

 * Microsoft Defender for Endpoint
 * Microsoft Defender for Office 365
 * Attacker techniques, tools, and infrastructure
 * Threat actors

more

Since mid-November 2023, Microsoft Threat Intelligence has observed threat
actors, including financially motivated actors like Storm-0569, Storm-1113,
Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App
Installer) to distribute malware. In addition to ensuring that customers are
protected from observed attacker activity, Microsoft investigated the use of App
Installer in these attacks. In response to this activity, Microsoft has disabled
the ms-appinstaller protocol handler by default.

The observed threat actor activity abuses the current implementation of the
ms-appinstaller protocol handler as an access vector for malware that may lead
to ransomware distribution. Multiple cybercriminals are also selling a malware
kit as a service that abuses the MSIX file format and ms-appinstaller protocol
handler. These threat actors distribute signed malicious MSIX application
packages using websites accessed through malicious advertisements for legitimate
popular software. A second vector of phishing through Microsoft Teams is also in
use by Storm-1674.

Threat actors have likely chosen the ms-appinstaller protocol handler vector
because it can bypass mechanisms designed to help keep users safe from malware,
such as Microsoft Defender SmartScreen and built-in browser warnings for
downloads of executable file formats.

In this blog, we provide an analysis of activity by financially motivated threat
actors abusing App Installer observed since mid-November 2023.


THREAT ACTORS ABUSING APP INSTALLER SINCE MID-NOVEMBER 2023

Microsoft Threat intelligence observed several actors—including Storm-0569,
Storm-1113, Sangria Tempest, and Storm-1674—using App Installer as a point of
entry for human-operated ransomware activity. The observed activity includes
spoofing legitimate applications, luring users into installing malicious MSIX
packages posing as legitimate applications, and evading detections on the
initial installation files. 


STORM-0569

At the beginning of December 2023, Microsoft observed Storm-0569 distributing
BATLOADER through search engine optimization (SEO) poisoning with sites spoofing
legitimate software downloads such as Zoom, Tableau, TeamViewer, and AnyDesk.
Users who search for a legitimate software application on Bing or Google may be
presented with a landing page spoofing the original software provider’s landing
pages that include links to malicious installers through the ms-appinstaller
protocol. Spoofing and impersonating popular legitimate software is a common
social engineering tactic. These software are not affected by the attacks
directly, but this information can help users better spot malicious spoofing by
threat actors.

Figure 1. A malicious landing page spoofing Zoom accessed via malicious search
engine advertisement for Zoom downloads Figure 2. Sample malicious App Installer
experience. Note the Publisher is not who a user should expect to be publishing
this software.

Users who click the links to the installers are presented with the desktop App
Installer experience. If the user clicks “Install” in the desktop App Installer,
the malicious application is installed and eventually runs additional processes
and scripts that lead to malware installation.

Storm-0569 then uses PowerShell and batch scripts that lead to the download of
BATLOADER. In one observed instance, Storm-0569’s BATLOADER dropped a Cobalt
Strike Beacon followed by data exfiltration using the Rclone data exfiltration
tools and Black Basta ransomware deployment by Storm-0506.

Storm-0569 is an access broker that focuses on downloading post-compromise
payloads, such as BATLOADER, through malvertising and phishing emails containing
malicious links to download sites. The threat actor also provides malicious
installers and landing page frameworks to other actors. They cover multiple
infection chains that typically begin with maliciously signed Microsoft
Installer (MSI) files posing as legitimate software installations or updates for
applications such as TeamViewer, Zoom, and AnyDesk. Storm-0569 infection chains
have led to additional dropped payloads, including IcedID, Cobalt Strike Beacon,
and remote monitoring and management (RMM) tools, culminating in a handoff to
ransomware operators like Storm-0846 and Storm-0506.


STORM-1113

Since mid-November 2023, Microsoft observed Storm-1113’s EugenLoader delivered
through search advertisements mimicking the Zoom app. Once a user accesses a
compromised website, a malicious MSIX installer (EugenLoader) is downloaded on a
device and used to deliver additional payloads. These payloads could include
previously observed malware installs, such as Gozi, Redline stealer, IcedID,
Smoke Loader, NetSupport Manager (also referred to as NetSupport RAT), Sectop
RAT, and Lumma stealer.

Storm-1113 is a threat actor that acts both as an access broker focused on
malware distribution through search advertisements and as an “as-a-service”
entity providing malicious installers and landing page frameworks. In Storm-1113
malware distribution campaigns, users are directed to landing pages mimicking
well-known software that host installers, often MSI files, that lead to the
installation of malicious payloads. Storm-1113 is also the developer of
EugenLoader, a commodity malware first observed around November 2022.


SANGRIA TEMPEST

In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113’s
EugenLoader delivered through malicious MSIX package installations. Sangria
Tempest then drops Carbanak, a backdoor used by the actor since 2014, that in
turn delivers the Gracewire malware implant. In other cases, Sangria Tempest
uses Google ads to lure users into downloading malicious MSIX application
packages—possibly relying on Storm-1113 infrastructure—leading to the delivery
of POWERTRASH, a highly obfuscated PowerShell script. POWERTRASH is then used to
load NetSupport and Gracewire, a malware typically affiliated with the threat
actor Lace Tempest, whom Sangria Tempest has cooperated with in past intrusions.

Sangria Tempest (previously ELBRUS, also tracked as Carbon Spider, FIN7) is a
financially motivated cybercriminal group currently focusing on conducting
intrusions that often lead to data theft, followed by targeted extortion or
ransomware deployment such as Clop ransomware.


STORM-1674

Since the beginning of December 2023, Microsoft identified instances where
Storm-1674 delivered fake landing pages through messages delivered using Teams.
The landing pages spoof Microsoft services like OneDrive and SharePoint, as well
as other companies. Tenants created by the threat actor are used to create
meetings and send chat messages to potential victims using the meeting’s chat
functionality.

Figure 3. Landing page pretending to be a SharePoint site for a spoofed
employment opportunity site; target users are led to this landing page via
malicious URLs sent via Teams messages. Figure 4. Fake error the user receives
when clicking on any of the PDFs in the SharePoint. Clicking OK invokes
ms-appinstaller. Figure 5. Sample malicious App Installer experience. Note the
Publisher is not who a user should expect to be publishing Adobe software.
Figure 6. Malicious landing page pretending to be a networking security tool;
target users are led to this landing page via malicious URLs sent via Teams
messages. Figure 7. Sample JavaScript invokes ms-appinstaller handler from
malicious landing page at time of user click. Figure 8. Sample malicious App
Installer experience. Note the Publisher is not who a user should expect to be
publishing this software.

The user is then lured into downloading spoofed applications like the ones shown
in figures 5 and 8, which will likely drop SectopRAT or DarkGate. In these
cases, Storm-1674 was using malicious installers and landing page frameworks
provided by Storm-1113.

Microsoft assesses this technique was used to avoid the accept/block screen
shown in one-on-one and group chats. The Teams client now shows an accept/block
screen for meeting chats sent by an external user.

Microsoft has taken action to mitigate the spread of malware from confirmed
malicious tenants by blocking their ability to send messages thus cutting off
the main method used for phishing.

Storm-1674 is an access broker known for using tools based on the publicly
available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns
have typically relied on phishing lures sent over Teams with malicious
attachments, such as ZIP files containing a LNK file that ultimately drops
DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from
Storm-1674 to ransomware operators that have led to Black Basta ransomware
deployment.


RECOMMENDATIONS

The ms-appinstaller URI scheme handler has been disabled by default in App
Installer build 1.21.3421.0. Refer to the Microsoft Security Response Blog for
App Installer protection tips.

Microsoft recommends the following mitigations to reduce the impact of this
threat. Check the recommendations card for the deployment status of monitored
mitigations. 

 * Pilot and deploy phishing-resistant authentication methods for users.
 * Implement Conditional Access authentication strength to require
   phishing-resistant authentication for employees and external users for
   critical apps.
 * Educate Microsoft Teams users to verify ‘External’ tagging on communication
   attempts from external entities, be cautious about what they share, and never
   share their account information or authorize sign-in requests over chat.
 * Apply Microsoft’s security best practices for Microsoft Teams to safeguard
   Teams users.
 * Educate users to review sign-in activity and mark suspicious sign-in attempts
   as “This wasn’t me”.
 * Encourage users to use Microsoft Edge and other web browsers that
   support Microsoft Defender SmartScreen, which identifies and blocks malicious
   websites, including phishing sites, scam sites, and sites that contain
   exploits and host malware.
 * Educate users to use the browser URL navigator to validate that upon clicking
   a link in search results they have arrived at an expected legitimate domain.
 * Educate users to verify that the software that is being installed is expected
   to be published by a legitimate publisher.
 * Configure Microsoft Defender for Office 365 to recheck links on click. Safe
   Links provides URL scanning and rewriting of inbound email messages in mail
   flow, and time-of-click verification of URLs and links in email messages,
   other Microsoft Office applications such as Teams, and other locations such
   as SharePoint Online. Safe Links scanning occurs in addition to the
   regular anti-spam and anti-malware protection in inbound email messages in
   Microsoft Exchange Online Protection (EOP). Safe Links scanning can help
   protect your organization from malicious links that are used in phishing and
   other attacks.
 * Turn on PUA protection in block mode.
 * Turn on attack surface reduction rules to prevent common attack techniques:
   * Use advanced protection against ransomwareBlock executable files from
     running unless they meet a prevalence, age, or trusted list criterion


APPENDIX


MICROSOFT DEFENDER XDR DETECTIONS 

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects threat components as the malware listed
below. Enterprise customers managing updates should select the detection build
1.403.520.0 or newer and deploy it across their environments. 

 * TrojanDownloader:Win32/CryptedLoader
 * Backdoor:PowerShell/CryptedLoader.PS

Microsoft Defender Antivirus detects associated post-compromise activity as the
following:

 * Trojan:Python/BatLoader
 * Trojan:PowerShell/BatLoader
 * Trojan:Win32/Batloader
 * TrojanDownloader:PowerShell/EugenLoader
 * Trojan:Win32/EugenLoader
 * TrojanDownloader:PowerShell/Malgent
 * Trojan:Win64/Lumma
 * Trojan:Win32/Gozi
 * Trojan:Win64/IcedID
 * Trojan:Win32/Smokeloader
 * Backdoor:MSIL/SectopRAT
 * Behavior:Win32/CobaltStrike
 * Backdoor:Win64/CobaltStrike
 * HackTool:Win64/CobaltStrike
 * Ransom:Win32/BlackBasta
 * Ransom:Linux/BlackBasta

Microsoft Defender for Endpoint 

The following Microsoft Defender for Endpoint alerts can indicate associated
threat activity:

 * An executable loaded an unexpected dll
 * A process was injected with potentially malicious code
 * Suspicious sequence of exploration activities
 * Activity that might lead to information stealer
 * Possible theft of passwords and other sensitive web browser information

The following alerts might also indicate threat activity related to this threat.
Note, however, that these alerts can be also triggered by unrelated threat
activity.

 * A file or network connection related to ransomware-linked actor Storm-0569
   detected
 * Storm-1113 threat actor detected
 * Ransomware-linked Sangria Tempest threat activity group detected
 * Potential BATLOADER activity
 * Potential IcedID activity
 * Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
 * Human-operated attack using Cobalt Strike
 * Possible POWERTRASH loader activity
 * Carbanak backdoor detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects malicious activity associated with
this threat.


THREAT INTELLIGENCE REPORTS

Microsoft customers can use the following reports in Microsoft products to get
the most up-to-date information about the threat actor, malicious activity, and
techniques discussed in this blog. These reports provide the intelligence,
protection information, and recommended actions to prevent, mitigate, and
respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

 * Actor profile: Sangria Tempest
 * Actor profile: Storm-0506
 * Tool profile: BATLOADER
 * Tool profile: Cobalt Strike
 * Tool profile: DarkGate
 * Tool profile: Black Basta ransomware
 * Tool profile: Lumma stealer
 * Tool profile: Pikabot

Microsoft 365 Defender Threat analytics 

 * Activity profile: Qakbot distributor Storm-0464 shifts to DarkGate and IcedID
 * Storm-0569: Malvertising and phishing deliver fake software installers and
   lead to ransomware
 * Actor profile: Sangria Tempest
 * IcedID’s frosty arrival can lead to data theft


HUNTING QUERIES

Microsoft Defender XDR

Use this query to review all the ms-appinstaller protocol handler invoked
network connections in your environment.

DeviceNetworkEvents
| where InitiatingProcessCommandLine == '"AppInstaller.exe"
-ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca'  and RemoteUrl has_any
("https://", "http://")


INDICATORS OF COMPROMISE

Storm-0569 indicators related to App Installer abuse

SHA-256

 * 48aa2393ef590bab4ff2fd1e7d95af36e5b6911348d7674347626c9aaafa255e
 * 11b71429869f29122236a44a292fde3f0269cde8eb76a52c89139f79f4b97e63
 * 7e646dfe7b7f330cb21db07b94f611eb39f604fab36e347fb884f797ba462402
 * ffb45dc14ea908b21e01e87ec18725dff560c093884005c2b71277e2de354866
 * b79633917e51da2a4401473d08719f493d61fd64a1b10fe482c12d984d791ccb

URLs

 * hxxps://scheta[.]site/api.store/ZoomInstaller.msix
 * hxxps://scheta[.]site/api.store/Setup.msix

Domain names

 * teannviewer.ithr[.]org
 * tab1eu.ithr[.]org
 * amydeks.ithr[.]org
 * zoonn.ithr[.]org
 * scheta[.]site
 * tnetworkslicense[.]ru
 * 1204knos[.]ru
 * 1204networks[.]ru
 * abobe.ithr[.]org

Storm-0506 Cobalt Strike beacon C2:

 * gertefin[.]com
 * septcntr[.]com

Storm-1113 indicators related to App Installer abuse

SHA-256

 * 44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

Domain names

 * info-zoomapp[.]com
 * zoonn[.]meetlng[.]group

Sangria Tempest indicators related to App Installer abuse

Domain names

 * storageplace[.]pro
 * sun1[.]space

SHA-256

 * 2ba527fb8e31cb209df8d1890a63cda9cd4433aa0b841ed8b86fa801aff4ccbd
 * 06b4aebbc3cd62e0aadd1852102645f9a00cc7eea492c0939675efba7566a6de

Storm-1674 indicators related to App Installer abuse

SHA-256

 * 2ed5660c7b768b4c2a7899d00773af60cd4396f24a2f7d643ccc1bf74a403970

Domain names:

 * nixonpeabody[.]tech-department[.]us
 * amgreetings[.]tech-department[.]us
 * cbre[.]tech-department[.]us
 * tech-department[.]us
 * kellyservices-hr[.]com
 * hubergroup[.]tech-department[.]us
 * formeld[.]tech-department[.]us
 * kellyhrservices-my[.]sharepoint[.]com
 * kellyserviceshr-my[.]sharepoint[.]com
 * kellyservicesrecruitmentdep-my[.]sharepoint[.]com
 * kellyservicesheadhunter-my[.]sharepoint[.]com
 * mckinseyhrcompany-my[.]sharepoint[.]com
 * webmicrosoftservicesystem[.]com
 * perimeter81support-my[.]sharepoint[.]com
 * cabotcorpsupport-my[.]sharepoint[.]com


REFERENCES

 * Malvertising Surges to Distribute Malware (Intel471)
 * Microsoft Security Response Blog
 * CVE-2021-43890


FURTHER READING

For the latest security research from the Microsoft Threat Intelligence
community, check out the Microsoft Threat Intelligence
Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media,
follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community
about the ever-evolving threat landscape, listen to the Microsoft Threat
Intelligence
podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.


GET STARTED WITH MICROSOFT SECURITY

Microsoft is a leader in cybersecurity, and we embrace our responsibility to
make the world a safer place.

Learn more



CONNECT WITH US ON SOCIAL

 * 
 * 
 * 

What's new
 * Surface Laptop Studio 2
 * Surface Laptop Go 3
 * Surface Pro 9
 * Surface Laptop 5
 * Surface Studio 2+
 * Copilot in Windows
 * Microsoft 365
 * Windows 11 apps

Microsoft Store
 * Account profile
 * Download Center
 * Microsoft Store support
 * Returns
 * Order tracking
 * Certified Refurbished
 * Microsoft Store Promise
 * Flexible Payments

Education
 * Microsoft in education
 * Devices for education
 * Microsoft Teams for Education
 * Microsoft 365 Education
 * How to buy for your school
 * Educator training and development
 * Deals for students and parents
 * Azure for students

Business
 * Microsoft Cloud
 * Microsoft Security
 * Dynamics 365
 * Microsoft 365
 * Microsoft Power Platform
 * Microsoft Teams
 * Microsoft Industry
 * Small Business

Developer & IT
 * Azure
 * Developer Center
 * Documentation
 * Microsoft Learn
 * Microsoft Tech Community
 * Azure Marketplace
 * AppSource
 * Visual Studio

Company
 * Careers
 * About Microsoft
 * Company news
 * Privacy at Microsoft
 * Investors
 * Diversity and inclusion
 * Accessibility
 * Sustainability

English (United States) California Consumer Privacy Act (CCPA) Opt-Out Icon Your
Privacy Choices California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy
Choices
 * Sitemap
 * Contact Microsoft
 * Privacy
 * Manage cookies
 * Terms of use
 * Trademarks
 * Safety & eco
 * Recycling
 * About our ads
 * © Microsoft 2024

Notifications