.. /.Appref-ms

Executable
Native
Phishing
Double Click

Author:

mr.d0x

Description:

APPREF-MS or Application reference files are similar to APPLICATION files that utilize Microsoft's ClickOnce technology. They can be used to download malware from a remote web server.

OS:

Windows

Recommendation:

Block the execution from unknown publishers or fully block the download and execution of APPREF-MS files.

Resources:

https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf

File Samples:

Contributions: