Serious Discussion Why do adversaries use MSIX packages?

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,544

Installer Packages:


What is MSIX?

MSIX is a packaging format for Windows that eases the packaging, installation, and update process for applications. It is intended to improve upon the limitations of the MSI format. MSIX is an evolution of the APPX format designed originally just for Universal Windows Platform (UWP) applications (i.e., “modern” apps), which were subject to restrictive execution constraints. MSIX makes packaging a software installer easy without imposing execution restraints. As such, it makes for an enticing format for packaging malicious fake installers.
(...)

Why do adversaries use MSIX?

MSIX offers the following advantages to an adversary:
  • They can use it to bundle legitimate software alongside malicious code.
  • The Windows App Installer app that is responsible for installing MSIX packages offers an easy and consistent installation experience. There aren’t multiple dialog click-throughs like there often are with MSI installers.
  • MSIX packages are not subject to SmartScreen inspection when Mark-of-the-Web is applied to an MSIX file.
  • Until recently, MSIX packages could be downloaded and installed directly from a web browser using the ms-appinstaller protocol handler.

From an adversary’s perspective though, delivering malicious MSIX packages is not without its risks:
  • The installation artifacts must be installed to disk, so they’re subject to additional scrutiny and will leave more forensic artifacts.
  • In most cases, MSIX packages must be signed with a valid code-signing certificate, which makes it easier for defenders to track adversary operations.

How do adversaries use MSIX?

Nearly every instance of a malicious MSIX package we’ve encountered tricks a victim into installing what they believe is legitimate software. The malicious MSIX package is packaged in one of two ways most often:
  1. The legitimate software is included in the MSIX package, but a malicious PowerShell script executes beforehand by employing the Package Support Framework (PSF). In these cases, the MSIX package includes the malicious script, which is executed as specified in an included config.json file.
  2. The MSIX package only includes a malicious executable without packaging the legitimate software. In these cases, it is unlikely that a PSF PowerShell script will be used.
Adversaries may also utilize the DesktopAppMigration element in AppxManifest.xml to persist a shortcut for the app package to the user’s Start Menu Startup directory.
(...)

See also:

Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. MSIX is a Windows application package installation format that IT teams and developers increasingly use to deliver Windows applications within enterprises.

The adversary in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom. Victims span multiple industries, suggesting that the adversary’s attacks are opportunistic rather than targeted.
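
A defender-side triage sketch for the two packaging indicators named in the quoted article: a PSF script referenced from config.json, and a DesktopAppMigration shortcut into the Startup folder. This is an added example, not part of the original posts or the quoted article; the `startScript`/`endScript` keys follow the Package Support Framework config format, and the sample package with its names and paths is constructed.

```python
import io, json, zipfile
import xml.etree.ElementTree as ET  # for untrusted samples, defusedxml is the safer parser

def triage_msix(data):
    """Static indicators from an MSIX package (a ZIP container) passed as bytes."""
    out = {"publisher": None, "signed": False, "psf_scripts": [], "startup_shortcuts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if base == "appxsignature.p7x":
                out["signed"] = True  # presence only; the signature is not verified
            elif base == "appxmanifest.xml":
                for el in ET.fromstring(pkg.read(name)).iter():
                    tag = el.tag.rsplit("}", 1)[-1]  # ignore namespace prefixes
                    if tag == "Identity":
                        out["publisher"] = el.get("Publisher")
                    elif tag == "DesktopApp" and "\\startup\\" in el.get("ShortcutPath", "").lower():
                        out["startup_shortcuts"].append(el.get("ShortcutPath"))
            elif base == "config.json":  # Package Support Framework configuration
                try:
                    cfg = json.loads(pkg.read(name).decode("utf-8-sig"))
                except ValueError:
                    out["psf_scripts"].append((name, "unparsable config.json"))
                    continue
                apps = cfg.get("applications", []) if isinstance(cfg, dict) else []
                for app in apps:
                    for key in ("startScript", "endScript"):
                        if isinstance(app, dict) and isinstance(app.get(key), dict):
                            out["psf_scripts"].append((key, app[key].get("scriptPath")))
    return out

def build_sample():
    """Constructed, trimmed package (not a real sample) carrying both indicators."""
    ns = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
    manifest = (
        f'<Package xmlns="{ns}" xmlns:rescap3="{ns}/restrictedcapabilities/3">'
        '<Identity Name="Example.App" Publisher="CN=Example Publisher" Version="1.0.0.0"/>'
        '<rescap3:DesktopAppMigration><rescap3:DesktopApp ShortcutPath='
        '"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Example.lnk"/>'
        '</rescap3:DesktopAppMigration></Package>')
    config = {"applications": [{"id": "App", "executable": "app.exe",
                                "startScript": {"scriptPath": "setup.ps1"}}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("config.json", json.dumps(config))
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(triage_msix(build_sample()), indent=2))
```

The `signed` field only records whether AppxSignature.p7x is present in the container; checking the signer and its certificate chain still has to be done with the platform's own signature tooling.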
 

Bot

AI-powered Bot
Apr 21, 2016
4,456
Adversaries use MSIX packages due to their ability to bundle malicious code with legitimate software, the easy installation process, and the lack of SmartScreen inspection. They also utilize the DesktopAppMigration element in the AppxManifest.xml to persist a shortcut for the app package. However, these packages must be signed with a valid code-signing certificate and leave more forensic artifacts, making it easier for defenders to track adversary operations.
 

Andy Ful

The article from OP includes information about the common differences between the Microsoft Store MSIX packages and Developer-signed MSIX packages.
The first includes the "Microsoft Store App" label:

1718802681563.png



The Developer-signed packages do not include that label, like in the malware example in the wild:

1718802824745.png


So far, the malware in the wild mainly uses Developer-signed MSIX packages.
Of course, many benign MSIX packages are Developer-signed. But they cannot be trusted as much as Microsoft Store packages.
 

Andy Ful

From the article:

Prevent the installation of apps that do not originate from the Microsoft Store

The installation and execution of apps that do not originate from the Microsoft Store is referred to as “sideloading.” An administrator can disable sideloading in either Group Policy or Microsoft Intune by disabling the AllowAllTrustedApps policy.

Screenshot depicting Steam installation failure due to sideloading


In the article, the authors provide the correct way of preventing the installation of apps that do not originate from the Microsoft Store. This requires a registry tweak (AllowAllTrustedApps policy must be set to 0).

1718806178494.png



The information provided by the ADMX incorrectly claims that the non-configured policy works just like a disabled policy, but this is not true (tested on the latest version of Windows 11).
 

Andy Ful

The MSIX packages for Win32 apps are mainly wrappers that contain the desktop installers (.exe, .msi). If the application can auto-update, one can get the newest version.
 

Andy Ful

@Andy Ful Is AppInstaller for MSIX packages? After removing AppInstaller, will MSIX packages still be installable?

AppInstaller is a default app to run APPX and MSIX packages in Windows. Normally, it is triggered when the user tries to run the MSIX package from Explorer - this is an attack vector used in the wild (fake updates, etc.).
The attacker can run MSIX packages without AppInstaller by using PowerShell. But this attack vector is also prevented by disabling the AllowAllTrustedApps policy. I plan to add this restriction to Hard_Configurator and WHHLight.
 