Serious Discussion Why do adversaries use MSIX packages?

[Andy Ful]

Installer Packages:​

Installer Packages - Red Canary Threat Report

Adversaries are packaging their fake installers with Microsoft’s latest installer format, MSIX, to trick users into downloading malware.

redcanary.com

What is MSIX?​

MSIX is a packaging format for Windows that eases the packaging, installation, and update process for applications. It is intended to improve upon the limitations of the MSI format. MSIX is an evolution of the APPX format designed originally just for Universal Windows Platform (UWP) applications (i.e., “modern” apps), which were subject to restrictive execution constraints. MSIX makes packaging a software installer easy without imposing execution restraints. As such, it makes for an enticing format for packaging malicious fake installers.
(...)

Why do adversaries use MSIX?​

MSIX offers the following advantages to an adversary:

• They can use it to bundle legitimate software alongside malicious code.
• The Windows App Installer app that is responsible for installing MSIX packages offers an easy and consistent installation experience. There aren’t multiple dialog click-throughs like there often are with MSI installers.
• MSIX packages are not subject to SmartScreen inspection when Mark-of-the-Web is applied to an MSIX file.
• Until recently, MSIX packages could be downloaded and installed directly from a web browser using the ms-appinstaller protocol handler.

From an adversary’s perspective though, delivering malicious MSIX packages is not without its risks:

• The installation artifacts must be installed to disk, so they’re subject to additional scrutiny and will leave more forensic artifacts.
• In most cases, MSIX packages must be signed with a valid code-signing certificate, which makes it easier for defenders to track adversary operations.

​

How do adversaries use MSIX?​

Nearly every instance of a malicious MSIX package we’ve encountered tricks a victim into installing what they believe is legitimate software. The malicious MSIX package is packaged in one of two ways most often:

1. The legitimate software is included in the MSIX package, but a malicious PowerShell script executes beforehand by employing the Package Support Framework (PSF). In these cases, the MSIX package includes the malicious script, which is executed as specified in an included config.json file.
2. The MSIX package only includes a malicious executable without packaging the legitimate software. In these cases, it is unlikely that a PSF PowerShell script will be used.

Adversaries may also utilize the DesktopAppMigration element in AppxManifest.xml to persist a shortcut for the app package to the user’s Start Menu Startup directory.
(...)

See also:

MSIX installer malware delivery on the rise - Red Canary

Red Canary has detected multiple distinct adversaries leveraging MSIX installers to deliver a variety of malware payloads in recent months.

redcanary.com

Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. MSIX is a Windows application package installation format that IT teams and developers increasingly use to deliver Windows applications within enterprises.

The adversary in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom. Victims span multiple industries, suggesting that the adversary’s attacks are opportunistic rather than targeted.

 

[Bot]

Adversaries use MSIX packages due to their ability to bundle malicious code with legitimate software, the easy installation process, and the lack of SmartScreen inspection. They also utilize the DesktopAppMigration element in the AppxManifest.xml to persist a shortcut for the app package. However, these packages must be signed with a valid code-signing certificate and leave more forensic artifacts, making it easier for defenders to track adversary operations.

 

[Andy Ful]

The article from OP includes information about the common differences between the Microsoft Store MSIX packages and Developer-signed MSIX packages.
The first includes the "Microsoft Store App" label:

The Developer-signed packages do not include that label, like in the malware example in the wild:

So far, the malware in the wild uses mainly the Developer-signed MSIX packages.
Of course, many benign MSIX packages are Developer-signed. But, they cannot be trusted as well as Microsoft Store packages.

 

[Andy Ful]

From the article:

Prevent the installation of apps that do not originate from the Microsoft Store​

The installation and execution of apps that do not originate from the Microsoft Store is referred to as “sideloading.” An administrator can disable sideloading in either Group Policy or Microsoft Intune by disabling the AllowAllTrustedApps policy.

In the article, the authors provide the correct way of preventing the installation of apps that do not originate from the Microsoft Store. This requires a registry tweak (AllowAllTrustedApps policy must be set to 0).

The information provided by the ADMX incorrectly claims that the non-configured policy works just like a disabled policy, but it is not true (tested on the latest version of Windows 11).

 

[Ink]

I'm out of the loop, does MSIX fully replace MSI and EXE installers?

 

[Andy Ful]

I'm out of the loop, does MSIX fully replace MSI and EXE installers?

This is probably Microsoft's wish, but it will not come true soon.
The MSIX package is simply a modern app package format (for all kinds of applications).

 

[lokamoka820]

The only reason I don't prefer MSIX packages is that app's version not always the latest as the .exe packages.

 

[Andy Ful]

The MSIX packages for Win32 apps are mainly wrappers that contain the desktop installers (.exe, .msi). If the application can auto-update, one can get the newest version.

 

[rashmi]

@Andy Ful Is AppInstaller for MSIX packages? After removing AppInstaller, will MSIX packages still be installable?

 

[Andy Ful]

@Andy Ful Is AppInstaller for MSIX packages? After removing AppInstaller, will MSIX packages still be installable?

AppInstaller is a default app to run APPX and MSIX packages in Windows. Normally, it is triggered when the user tries to run the MSIX package from Explorer - this is an attack vector used in the wild (fake updates, etc.).
The attacker can run MSIX packages without AppInstaller by using PowerShell. But, this attack vector is also prevented by disabling the AllowAllTrustedApps policy. I plan to add this restriction to Hard_Configurator and WHHLight.