Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Published: 23/11/2024   Category: security




Analysts have been picking up increased cases of malware delivery via Windows Installer files in Southeast Asia.



Chinese language hackers are taking advantage of the Windows Installer (MSI) file format to bypass standard security checks.
Hackers are known to deliver malware in the same sorts of familiar formats: executables, archive and Microsoft Office files, and so on. A new malware loader targeting Chinese and Korean speakers, which researchers from Cyberint have labeled UULoader, comes in the somewhat less common MSI form.
In fact, Cyberint isn't the only vendor to have spotted an uptick in malicious MSIs from Asia this summer. The budding trend may be in part thanks to some novel stealth tactics that are allowing threat actors to ignore the format's shortcomings and take advantage of its strengths.
"It's not really common, [since] malicious MSI files do get flagged quite easily by static scanners," explains Cyberint security researcher Shaul Vilkomir Preisman. "But if you employ a few clever, little tricks — like file header stripping, employing a sideloader, and stuff like that — it'll get you through."
The unidentified but likely Chinese threat actor behind UULoader seems to be spreading it primarily in phishing emails. They'll disguise it as an installer for a legitimate app like AnyDesk (which might indicate enterprise targeting), or as an update for an app like Google Chrome.
This should immediately trigger alarms on any Windows system, as UULoader is not signed and trusted as a legitimate app would be. To get around that, Preisman says, "It employs several fairly simple static evasion mechanisms like file header stripping and the DLL sideloading, the combination of which renders it at first-seen pretty much invisible to most static scanners."
The first several bytes in any file are like a name tag, letting the operating system and applications know what type of file they're dealing with. UULoader strips that header — MZ, in this case — from its core executable files, in order to prevent them from being classified as the kinds of files a security program might be interested in. It works, Preisman says, because "in an attempt to be less prone to false positives, static scanners disregard the things that they can't classify, and won't actually do anything with them."
Why doesn't every malware do this, then? Because "When you strip file headers, you need to find a way to put the file back together somehow, so it will execute on your victim's machine," he notes. UULoader does that with two single-byte files which correspond to the characters M and Z. With a simple command, the two letters are made to essentially reform the name tag post facto, and the programs can function as needed.
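As an added illustration (not code from the article or from Cyberint), the Python routine below flags two artifacts of the technique just described on constructed sample data: a PE image whose leading MZ bytes have been removed (detected by reattaching MZ and checking whether e_lfanew then points at a PE signature), and the pair of single-byte M and Z fragments used to reassemble it. Function names and the sample image are assumptions for the example.

```python
import struct

PE_SIG = b"PE\0\0"


def looks_like_headless_pe(data: bytes) -> bool:
    """True if `data` looks like a PE image minus its first two bytes ('MZ').
    Heuristic: prepend 'MZ', read e_lfanew (DWORD at 0x3C of the reconstructed
    image) and check that it points at a 'PE\\0\\0' signature inside the file."""
    if data[:2] == b"MZ":
        return False  # intact header: ordinary static scanners classify it already
    candidate = b"MZ" + data
    if len(candidate) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", candidate, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(candidate):
        return False  # pointer outside the file: not a plausible PE layout
    return candidate[e_lfanew:e_lfanew + 4] == PE_SIG


def triage(files: dict) -> dict:
    """Apply the heuristics to an in-memory map of filename -> contents (for
    instance the payload directory an installer unpacked). Returns findings."""
    findings = {}
    for name, data in files.items():
        if looks_like_headless_pe(data):
            findings.setdefault(name, []).append("PE image with stripped MZ header")
    one_byte = {data for data in files.values() if len(data) == 1}
    if b"M" in one_byte and b"Z" in one_byte:
        findings.setdefault("*", []).append(
            "single-byte 'M' and 'Z' fragments present (header reassembly helpers)")
    return findings


def build_sample_pe_image() -> bytes:
    """Constructed, minimal stand-in for a PE image: DOS header with
    e_lfanew = 0x80, padding, then the PE signature. Not a runnable executable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + PE_SIG + b"\0" * 20


if __name__ == "__main__":
    # Constructed sample directory: a stripped core file, the M/Z fragments, a text file.
    sample = {"core.bin": build_sample_pe_image()[2:], "a": b"M", "b": b"Z",
              "readme.txt": b"hello world" * 20}
    for path, notes in triage(sample).items():
        print(path, "->", "; ".join(notes))
```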
UULoader stacks on another couple of tricks to confuse its victim. For one thing, it runs a legitimate decoy file — for example, the real Chrome installer it purported to be in the first place. It also executes a VBScript (VBS) which registers the folder it creates as an exclusion in Microsoft Defender.
Altogether, its stealth mechanisms may explain why initial detections on VirusTotal last month yielded totally innocuous results. "On first-seen, nobody detects these samples. Only after they've been known for a while — for a couple of days, and sandboxes have actually had time to process them — do detections rise on these samples," Preisman says.
At the end of its infection chain, UULoader has been observed dropping Gh0stRAT, and supplementary hacking tools like Mimikatz. And because these tools are so broadly popular and applicable to various kinds of attack, the exact nature and goal of these infections is as yet unknown.
Gh0stRAT is a common commercial hacking tool in Chinese circles, where MSI usage seems to be rising.
"We are seeing it mostly in Southeast Asia," Preisman reports, "especially during the last month, when we saw a fairly significant uptick. We saw five, 10, maybe 20 cases in a week, and there was a significant increase — maybe double that — during last month."
Perhaps that will continue, until MSI files develop the kind of notoriety that other file types enjoy.
Nowadays, he says, "most users will be a little bit more suspicious of a Word document or a PDF. Windows Installers aren't really all that common, but they're kind of a clever way to bundle up a piece of malware."
