Detecting suspicious download sites associated with app installer abuse

Threat actors have abused App Installer, a Windows 10 feature that makes installing applications more convenient. The abuse could lead to the spread of ransomware and was likely carried out by financially motivated actors Storm-0569, Storm-1113, Sangria Tempest and Storm-1674. These malicious actors impersonated the landing pages of popular software such as Zoom, Microsoft OneDrive, Microsoft SharePoint, and Microsoft Teams to trick targeted victims into downloading malicious installers.

While Microsoft immediately responded by disabling the ms-appinstaller protocol handler by default, WhoisXML API researchers decided to look for traces of the attack in DNS.

With this in mind, our research team expanded the IoC lists published by Microsoft to include 18 subdomains and 14 domains marked as IoCs (three of which were extracted from the subdomains). The investigation led to the discovery of:

  • Four email-connected domains
  • 16 IP addresses
  • 127 IP connected domains
  • 401 domains connected by strings
  • 596 subdomains connected by strings

An example of the additional artifacts obtained from our analysis is available for download on our website.

Infrastructure analysis of app installer abuse IoCs

To understand the attack infrastructure, we conducted a bulk WHOIS search for the 14 domains marked as IoCs, three of which were extracted from the 18 subdomains found on the IoC lists. Their WHOIS records revealed the following:

  • They were administered by seven different registrars. REGRU-RU and NameCheap, Inc. each accounted for three domains; NameSilo LLC, REG.RU LLC, and PSI-USA, Inc. for two domains each; and PDR Ltd. and Eranet International Limited for one domain each.
  • Most of the domains, twelve to be exact, were created in 2023, while one domain was registered in 2022 and another in 2021.
  • Their registrations were spread across five countries. Three domains each were registered in Iceland and Germany, two each in the USA and Russia, and one in Australia. No current registrant country data was available for three domains.

We then subjected the domain IoCs to a screenshot analysis and noticed that some continued to host live content, including the sites listed below, which display Zoom and Microsoft landing pages.

Screenshot of the page hosted on the IoC domain info-zoomapp[.]com

Detecting DNS connections related to the App Installer abuse IoCs

As a next step, we tracked the DNS footprints of the malicious domains and subdomains used in the campaigns.

WHOIS History API searches for the domain IoCs resulted in the discovery of 12 email addresses in their historical WHOIS records, five of which were public. By running these public email addresses through the Reverse WHOIS API, we were able to see that they appeared in the current WHOIS records of 8,434 domains. However, one email address probably belonged to a domainer, as 8,429 domains were registered using it. After removing the domains that the domain owner may own and the IoCs, we were left with four email-connected domains.

We then performed DNS lookups for the IoCs and obtained 16 IP addresses to which the 14 domains marked as IoCs and 18 subdomains resolved. When we ran an IP geolocation search on these IP addresses, we found the following:

  • They were geolocated in only three countries – nine were from the US, six from Russia, and one from the UK.
  • They were managed by eight ISPs – Cloudflare, Inc. managed six IP addresses; LLC Smart Ape, four; and Serving GmbH, Simple Carrier LLC, Prospero OOO, MIRholding BV, Stark Industries, and BL Networks, one each.
  • The Threat Intelligence API also revealed that nine of the 16 IP addresses were associated with various threats. Some examples are listed in the table below.

    IP address                Threat type
    185[.]196[.]8th[.]246     Attack; Command and Control (C2)
    91[.]215[.]85[.]199       Attack
    172[.]67[.]147[.]29       Generic
    172[.]67[.]209[.]46       Generic

We also performed a reverse IP lookup on the 16 IP addresses, which showed that nine were potentially dedicated. They resulted in 127 IP-connected domains after removing duplicates, the IoCs, and the email-connected domains.
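The two pivots described above (the registrant-email pivot that drops the likely domainer address, and the reverse-IP pivot that keeps only potentially dedicated IP addresses and removes duplicates, IoCs, and email-connected domains) can be expressed as a small filtering pipeline. The block below is an added example, not code from the WhoisXML API post; the lookup results are constructed dictionaries standing in for the WHOIS History, Reverse WHOIS, DNS, and reverse-IP APIs, and the domainer threshold, the "potentially dedicated" cutoff, and all domain names and IP addresses are assumptions made for illustration.

```python
"""Added example (not the post's code): registrant-email and reverse-IP pivots
run over constructed lookup results. The API calls are stood in for by the
dictionaries below; thresholds are assumptions made for illustration."""

# Constructed IoC domains (illustrative, not the post's IoCs).
IOCS = {"ioc-one.example", "ioc-two.example", "ioc-three.example"}

# Constructed WHOIS History results: IoC domain -> registrant emails seen over time.
# Redacted entries stand for privacy-protected records, which cannot be pivoted on.
WHOIS_HISTORY = {
    "ioc-one.example": ["ops@registrant-a.example", "REDACTED FOR PRIVACY"],
    "ioc-two.example": ["bulk@domainer.example"],
    "ioc-three.example": ["ops@registrant-a.example", "REDACTED FOR PRIVACY"],
}

# Constructed Reverse WHOIS results: email -> domains whose current record carries it.
# The "bulk" address is attached to thousands of domains, the domainer pattern
# the post describes.
REVERSE_WHOIS = {
    "ops@registrant-a.example": ["ioc-one.example", "pivot-a.example", "pivot-b.example"],
    "bulk@domainer.example": ["bulk-%04d.example" % i for i in range(5000)],
}

# Constructed forward DNS (A records) and reverse-IP results.
DNS_A = {
    "ioc-one.example": ["192.0.2.10"],
    "ioc-two.example": ["192.0.2.10", "198.51.100.7"],
    "ioc-three.example": ["203.0.113.42"],
}
REVERSE_IP = {
    "192.0.2.10": ["ioc-one.example", "ioc-two.example", "fake-teams-dl.example"],
    "198.51.100.7": ["host-%03d.shared.example" % i for i in range(400)],  # shared hosting
    "203.0.113.42": ["ioc-three.example", "pivot-a.example", "fake-onedrive.example"],
}


def public_emails(history):
    """Emails usable as a pivot: anything that looks like an address, not a redaction."""
    return sorted({e for emails in history.values() for e in emails if "@" in e})


def email_connected_domains(history, reverse_whois, iocs, domainer_threshold=1000):
    """Domains sharing a registrant email with an IoC, minus the IoCs themselves.
    An email attached to more than domainer_threshold domains is treated as a
    domainer/reseller address and skipped (the threshold is an assumption)."""
    connected = set()
    for email in public_emails(history):
        domains = reverse_whois.get(email, [])
        if len(domains) > domainer_threshold:
            continue
        connected.update(domains)
    return sorted(connected - set(iocs))


def resolve_iocs(dns_a, iocs):
    """Unique IP addresses the IoC domains resolve to."""
    return sorted({ip for d in iocs for ip in dns_a.get(d, [])})


def ip_connected_domains(reverse_ip, ips, exclude, dedicated_max=25):
    """Reverse-IP pivot. An IP hosting at most dedicated_max domains is flagged
    'potentially dedicated' (assumed heuristic); only domains on those IPs are
    collected, deduplicated, and stripped of the IoCs and earlier pivots in
    `exclude`, mirroring the post's counting."""
    dedicated, connected = [], set()
    for ip in ips:
        hosted = reverse_ip.get(ip, [])
        if len(hosted) <= dedicated_max:
            dedicated.append(ip)
            connected.update(hosted)
    return dedicated, sorted(connected - set(exclude))


if __name__ == "__main__":
    email_hits = email_connected_domains(WHOIS_HISTORY, REVERSE_WHOIS, IOCS)
    ips = resolve_iocs(DNS_A, IOCS)
    dedicated, ip_hits = ip_connected_domains(REVERSE_IP, ips, IOCS | set(email_hits))
    print("email-connected domains:", email_hits)
    print("IoC IP addresses:", ips, "potentially dedicated:", dedicated)
    print("IP-connected domains:", ip_hits)
```

Run as-is, the script reports two email-connected domains (the domainer address is skipped), two of the three IP addresses as potentially dedicated (the shared-hosting IP with 400 domains is excluded), and two IP-connected domains that were neither IoCs nor already found through the email pivot.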

We also conducted a screenshot analysis of the IP-connected domains, which revealed that many hosted software download pages resembling the malicious resources involved in the App Installer abuse at the time of writing.

Screenshot of the page hosted on the IP-connected domain bitvarden-info[.]com
Screenshot of the page hosted on the IP-connected domain biryaneehouse[.]com
Screenshot of the page hosted on the IP-connected domain cotattoo[.]com
Screenshot of the page hosted on the IP-connected domain rextowingcarolinas[.]com

Finally, we searched for string-connected domains using Domains & Subdomains Discovery. The following search parameters, built from text strings in the IoCs, resulted in the discovery of 401 domains:

  • Begins with Sheta.
  • Begins with Networks
  • Begins with 1204 and ends with .ru
  • Begins with Gertefin
  • Begins with septcn
  • Contains -zoomapp
  • Begins with Storage location
  • Begins with Sun1.
  • Begins with Tech department
  • Begins with Kellyservices
  • Begins with ithr.
  • Begins with Meet
  • Begins with webmicrosoft and contains System.

Meanwhile, subdomain searches using the text strings that appeared in the subdomain IoCs yielded 596 string-connected subdomains for these parameters:

  • Begins with Nixonpeabody
  • Begins with Greetings
  • Begins with cbre.
  • Begins with hubergroup
  • Begins with Form
  • Begins with Kelly and contains Services And Hours
  • Begins with mckinsey and contains Hours
  • Contains Support me.
  • Begins with zoonn
  • Begins with amydeks
  • Begins with Subscription.
  • Begins with amydesk
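The search parameters in the two lists above are simple "Begins with / Contains / ends with" clauses, and the same clauses can be used on the defender's side to flag matching hostnames in DNS query logs. The block below is an added example, not code from the post or from the Domains & Subdomains Discovery tool: it parses the post's own rule sentences into predicates and runs them over constructed log lines. The matching semantics (case-insensitive, against the full hostname, with rule text taken verbatim) and all hostnames in the sample log are assumptions.

```python
"""Added example (not the post's code): parse the post's 'Begins with /
Contains / ends with' search parameters into predicates and scan constructed
DNS log lines with them. Matching semantics are an assumption."""
import re

# Rules quoted from the post's search parameters (one rule per line).
RULES = [
    "Begins with 1204 and ends with .ru",
    "Contains -zoomapp",
    "Begins with Meet",
    "Begins with webmicrosoft and contains System.",
    "Begins with zoonn",
    "Begins with amydesk",
    "Begins with Kelly and contains Services And Hours",
]

_CLAUSE = re.compile(r"^(begins with|ends with|contains)\s+(.+)$", re.I)
# Split on ' and ' only when an operator follows, so a value such as
# 'Services And Hours' is kept whole.
_SPLIT = re.compile(r"\s+and\s+(?=(?:begins with|ends with|contains)\b)", re.I)


def defang(host):
    """Normalise defanged IoC notation such as example[.]com to example.com."""
    return host.replace("[.]", ".").strip().lower()


def parse_rule(rule):
    """Return a list of (operator, value) pairs for one rule sentence."""
    clauses = []
    for part in _SPLIT.split(rule.strip()):
        m = _CLAUSE.match(part.strip())
        if not m:
            raise ValueError("unrecognised clause: %r" % part)
        clauses.append((m.group(1).lower(), m.group(2).strip().lower()))
    return clauses


def matches(host, rule):
    """True when the hostname satisfies every clause of the rule."""
    host = defang(host)
    for op, value in parse_rule(rule):
        if op == "begins with" and not host.startswith(value):
            return False
        if op == "ends with" and not host.endswith(value):
            return False
        if op == "contains" and value not in host:
            return False
    return True


def scan(hosts, rules=RULES):
    """Map each hostname to the rules it satisfies; hosts with no hit are dropped."""
    hits = {}
    for h in hosts:
        matched = [r for r in rules if matches(h, r)]
        if matched:
            hits[defang(h)] = matched
    return hits


# Constructed DNS query log lines (illustrative, not real telemetry).
SAMPLE_LOG = """\
2024-01-10T09:12:01Z client=10.0.0.12 qname=meet-share.example type=A
2024-01-10T09:12:05Z client=10.0.0.12 qname=www.example.org type=A
2024-01-10T09:13:40Z client=10.0.0.31 qname=1204update.ru type=A
2024-01-10T09:14:02Z client=10.0.0.31 qname=webmicrosoft-system.example type=A
2024-01-10T09:15:11Z client=10.0.0.55 qname=login.info-zoomapp.example type=A
2024-01-10T09:16:00Z client=10.0.0.55 qname=zoonn.meet.example type=A
"""


def hosts_from_log(text):
    """Extract the queried names from the constructed log format above."""
    return re.findall(r"qname=(\S+)", text)


if __name__ == "__main__":
    for host, rules in scan(hosts_from_log(SAMPLE_LOG)).items():
        print(host, "->", rules)
```

Five of the six constructed queries match exactly one rule each; the ordinary www.example.org query is not reported. Because the rules are matched against the whole queried name, the same predicates serve for both the domain list and the subdomain list above, and a hit is only a lead for the manual review the post describes, not a verdict.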

A screenshot analysis of the string-connected resources revealed that several of them were hosting suspicious content, including a page that was flagged as phishing at the time of this writing.

Screenshot of the page hosted on the string-connected subdomain zoonn[.]Meet[.]cn[.]com

We started the investigation with 18 subdomains and 14 domains (three of which were extracted from the subdomains) that were marked as IoCs for App Installer abuse that could potentially lead to ransomware installation. We discovered more than 1,100 connected artifacts, including four email-connected domains, 16 IP addresses, 127 IP-connected domains, 401 string-connected domains, and 596 string-connected subdomains.

If you would like to conduct similar research or learn more about the products used in this research, please do not hesitate to contact us.

Disclaimer: We take a cautious approach to threat detection and strive to provide relevant information to protect you from potential dangers. As a result, it is possible that some entities identified as “threats” or “malicious” may eventually be classified as harmless upon further investigation or changes in context. We strongly recommend that additional research be conducted to confirm the information provided here.