Key Points
- Actors abused the Windows App Installer protocol handler (ms-appinstaller) to host malicious installers via imitation landing pages for Zoom and Microsoft services.
- Researchers expanded Microsoft’s initial IoC set (18 subdomains, 14 domains) and discovered 4 email-connected domains, 16 IPs, 127 IP-connected domains, 401 string-connected domains, and 596 string-connected subdomains.
- Bulk WHOIS and WHOIS History analysis revealed registrars, creation dates concentrated in 2023, and registrant-country distribution across multiple countries, enabling pivoting to related domains.
- DNS resolution and IP geolocation showed 16 IPs (9 US, 6 Russia, 1 UK); reverse-IP lookups produced 127 additional IP-connected domains, many hosting similar installer pages.
- Threat intelligence links associated several IPs with attack, malware, phishing, and C2 activity (e.g., 185[.]196[.]8[.]246 flagged for C2).
- String-based domain and subdomain discovery using search patterns (e.g., ‘-zoomapp’, ‘scheta.’, ‘nixonpeabody’) produced hundreds of related domains/subdomains used in the campaign.
- Screenshot analysis confirmed many discovered domains/subdomains and IP-connected domains actively hosted malicious or phishing-style installer pages.
MITRE Techniques
- [T1566.002] Phishing – Used imitation landing pages to trick users into downloading installers (‘…imitated the landing pages of popular software, such as Zoom, Microsoft OneDrive, Microsoft SharePoint, and Microsoft Teams, to lure target victims into downloading malicious installers.’)
- [T1204.002] User Execution: Malicious File – Relied on users to download and run installers delivered via the App Installer protocol (‘…abusing App Installer…to lure target victims into downloading malicious installers.’)
- [T1036] Masquerading – Impersonated legitimate vendor pages and brand assets to make malicious installers appear authentic (‘…imitated the landing pages of popular software…’).
- [T1583.001] Acquire Infrastructure: Domains – Registered and used multiple domains/subdomains as infrastructure for hosting malicious installer pages (‘…comprising 18 subdomains and 14 domains tagged as IoCs…’).
- [T1071] Command and Control – Identified IPs were associated with C2 and other malicious activity according to threat intelligence (‘185[.]196[.]8[.]246 … Command-and-control (C2) …’).
- [T1102] Web Services – Leveraged third-party hosting/ISPs (e.g., Cloudflare) to serve malicious content and obscure origin (‘Cloudflare, Inc. administered six IP addresses; …’).
Indicators of Compromise
- [Domain IoCs] Malicious landing pages impersonating software vendors – info-zoomapp[.]com, bitvarden-info[.]com
- [IP addresses] Resolved hosts used by IoCs and flagged by threat intel – 185[.]196[.]8[.]246, 91[.]215[.]85[.]199 (and other IPs such as 172[.]67[.]147[.]29, 172[.]67[.]209[.]46)
- [IP-connected domains] Domains resolving to IoC IPs hosting installer pages – biryaneehouse[.]com, cotattoo[.]com
- [String-connected domains] Domains discovered via text-pattern searches indicative of the campaign – zoonn[.]meetlng[.]cn[.]com, domains starting with ‘scheta.’ and containing ‘-zoomapp’ (and 399 more)
- [String-connected subdomains] Subdomains matching campaign naming patterns – entries starting with ‘nixonpeabody’ and ‘amydesk’ (and 594 more)
- [WHOIS-derived] Email-connected domains discovered via WHOIS history/reverse-WHOIS – four email-connected domains tied to registration records (public email records used to pivot to thousands of registrations)
Microsoft disabled the ms-appinstaller protocol handler, after which researchers expanded Microsoft’s IoCs and performed bulk WHOIS lookups on 14 domains (three extracted from subdomains). WHOIS data revealed registrar distribution, mostly 2023 creation dates, and registrant countries across five nations; WHOIS History API searches also surfaced 12 historical email addresses (five public), which were used in reverse-WHOIS pivots to thousands of domains before filtering left four email-connected domains relevant to the campaign.
DNS resolution of the IoCs produced 16 IP addresses that were geolocated (9 U.S., 6 Russia, 1 U.K.) and administered by multiple ISPs including Cloudflare. Reverse IP lookups indicated nine potentially dedicated IPs and yielded 127 IP-connected domains after deduplication; threat intelligence linked several IPs to C2, malware, and phishing. Screenshot analysis validated that many of these domains and IP-connected hosts served installer-style pages mimicking legitimate software.
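The forward-DNS, reverse-IP and deduplication steps described above, written out as an added example (this is not the researchers' tooling and not a WhoisXML API client). The two domains and three IPs are the IoCs quoted on this page; every other hostname, the lookup tables and the "potentially dedicated" threshold are constructed assumptions for the example, standing in for what a resolver and a reverse-IP service would return:

```python
import re

DEFANG = re.compile(r"\[\.\]")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 185[.]196[.]8[.]246 back into a usable value."""
    return DEFANG.sub(".", indicator.strip()).lower()


# Constructed sample lookup results (not real DNS data). Only the IoC domains and
# IPs from this page are real; the *.test names are invented placeholders.
FORWARD_DNS = {
    "info-zoomapp.com": ["185.196.8.246"],
    "bitvarden-info.com": ["172.67.147.29", "172.67.209.46"],
}
REVERSE_IP = {
    # A small host set: co-hosted names are worth a closer look.
    "185.196.8.246": ["info-zoomapp.com", "placeholder-installer-a.test",
                      "placeholder-installer-b.test"],
    # A heavily shared (CDN-style) address: co-tenancy means little, so it is skipped.
    "172.67.147.29": [f"shared-tenant-{i}.test" for i in range(40)] + ["bitvarden-info.com"],
    "172.67.209.46": ["bitvarden-info.com", "placeholder-installer-a.test"],
}


def resolve_iocs(iocs, forward_dns):
    """Map each (defanged or plain) IoC hostname to the set of IPs it resolves to."""
    return {refang(ioc): set(forward_dns.get(refang(ioc), [])) for ioc in iocs}


def reverse_ip_pivot(ips, reverse_ip, seed_hosts, dedicated_threshold=10):
    """Return (potentially_dedicated_ips, ip_connected_domains).

    dedicated_threshold is an assumption for this example: an IP hosting at most
    that many names is treated as potentially dedicated to the campaign, and the
    names co-hosted there (minus the seed IoCs) become IP-connected domains.
    Names are collected into a set, so a host seen behind two IPs counts once.
    """
    dedicated, connected = set(), set()
    for ip in ips:
        names = set(reverse_ip.get(ip, []))
        if len(names) <= dedicated_threshold:
            dedicated.add(ip)
            connected |= names - set(seed_hosts)
    return dedicated, connected


def pivot_from_iocs(iocs, forward_dns=FORWARD_DNS, reverse_ip=REVERSE_IP):
    """Full pivot: IoC domains -> IPs -> potentially dedicated IPs -> connected domains."""
    resolved = resolve_iocs(iocs, forward_dns)
    ips = set().union(*resolved.values())
    dedicated, connected = reverse_ip_pivot(ips, reverse_ip, resolved.keys())
    return {"ips": ips, "dedicated_ips": dedicated, "ip_connected_domains": connected}


if __name__ == "__main__":
    result = pivot_from_iocs(["info-zoomapp[.]com", "bitvarden-info[.]com"])
    for key, values in result.items():
        print(f"{key}: {sorted(values)}")
```

The threshold is the part a defender should tune: the page's own counts (16 IPs, 9 potentially dedicated, 127 connected domains after deduplication) show how quickly a shared IP inflates the result set, which is why the example drops heavily shared addresses rather than treating every co-hosted name as a lead.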
Finally, string-based discovery (Domains & Subdomains Discovery) using patterns such as ‘-zoomapp’, ‘scheta.’, ‘tnetworks’, and subdomain prefixes like ‘nixonpeabody’ and ‘amydesk’ returned 401 string-connected domains and 596 string-connected subdomains, many hosting suspicious or phishing pages. In total, the investigation grew the initial set of 18 subdomains and 14 domains into over 1,100 connected artifacts (4 email-connected domains, 16 IPs, 127 IP-connected domains, 401 string-connected domains, 596 string-connected subdomains).
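The string-based discovery step described above, as an added example that is not the researchers' code or the Domains & Subdomains Discovery tool. The search strings are the ones quoted on this page; their split into prefix and substring patterns, the candidate name list and every `.test` hostname are constructed assumptions, standing in for the output of a name-discovery feed:

```python
# Search strings quoted on this page; how each one is applied is an assumption.
PREFIX_PATTERNS = ("scheta.", "nixonpeabody", "amydesk")
SUBSTRING_PATTERNS = ("-zoomapp", "tnetworks")

# Constructed candidate names (not real discoveries). info-zoomapp[.]com is the
# page's own IoC and should be excluded; the second -zoomapp entry is a duplicate
# that differs only in case and defanging.
CANDIDATES = [
    "info-zoomapp[.]com",
    "meeting-zoomapp[.]test",
    "MEETING-ZOOMAPP[.]test",
    "scheta.invoice-portal[.]test",
    "nixonpeabody-docs[.]test",
    "amydesk.share[.]test",
    "legit-conferencing[.]test",
    "cdn.tnetworks-files[.]test",
]


def normalize(name: str) -> str:
    """Lower-case and refang a hostname so duplicates collapse to one key."""
    return name.strip().lower().replace("[.]", ".")


def match_patterns(name: str) -> list:
    """Return the labels of every pattern the name matches (empty if none)."""
    hits = [f"starts_with:{p}" for p in PREFIX_PATTERNS if name.startswith(p)]
    hits += [f"contains:{p}" for p in SUBSTRING_PATTERNS if p in name]
    return hits


def string_discovery(candidates, known_iocs) -> dict:
    """Map each new, pattern-matching name to the patterns it matched.

    Names already in the IoC set are dropped, and normalization makes the
    result deduplicated. A match is a lead, not a verdict: brand prefixes such
    as 'nixonpeabody' also match the brand's own legitimate hosts, so the page's
    follow-up (screenshot review of what each host serves) is still required.
    """
    known = {normalize(k) for k in known_iocs}
    found = {}
    for candidate in candidates:
        name = normalize(candidate)
        if name in known:
            continue
        hits = match_patterns(name)
        if hits:
            found[name] = hits
    return found


def count_by_pattern(found: dict) -> dict:
    """How many discovered names each pattern contributed (a name may count twice)."""
    counts = {}
    for hits in found.values():
        for label in hits:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    found = string_discovery(CANDIDATES, ["info-zoomapp[.]com", "bitvarden-info[.]com"])
    for name, hits in sorted(found.items()):
        print(f"{name}: {', '.join(hits)}")
    print(count_by_pattern(found))
```

Run against a real discovery feed, the interesting output is less the hit list than the per-pattern counts: a prefix that suddenly returns hundreds of fresh registrations with similar creation dates is the signal that a naming pattern belongs to one campaign, and the point at which WHOIS and DNS pivots are worth the effort.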