Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Summary:
Chinese-language hackers are increasingly leveraging the Windows Installer MSI file format to bypass conventional security measures, marking a shift in how malware is delivered. Traditionally, cybercriminals have relied on familiar formats like executables, archives, and Microsoft Office files to distribute malware. However, a new malware loader called "UULoader," identified by Cyberint researchers, is now being used to target Chinese and Korean speakers via MSI files—an approach less commonly seen but proving effective. UULoader's success stems from its sophisticated stealth tactics that help it evade detection by static security scanners. One of its primary techniques is file header stripping, where it removes the "MZ" header from its core executable files. This header normally identifies the file type to the operating system and security software. By stripping this header, UULoader renders itself unclassifiable by many static scanners, which often ignore files they can't categorize to avoid false positives. The malware then reconstructs the header using two single-byte files corresponding to "M" and "Z," allowing the malicious code to execute as intended on the victim's machine.

In addition to file header stripping, UULoader employs DLL sideloading, a technique where a malicious DLL is loaded by a legitimate application. This further complicates detection as the malware piggybacks on trusted software. To cover its tracks even more, UULoader runs a legitimate decoy file—such as the genuine Chrome installer it masquerades as—to distract the user. Simultaneously, it executes a VBScript that registers the folder it creates as an exclusion in Microsoft Defender, ensuring that the malware is not flagged during scans.

Security Officer Comments:
These advanced evasion techniques explain why UULoader initially went undetected by many antivirus solutions on VirusTotal. When first introduced, the malware samples showed innocuous results, only becoming flagged after several days when sandbox environments had processed and analyzed them. This delayed detection gives the attackers a critical window to exploit their targets without interference. The use of MSI files for distributing malware, particularly in Southeast Asia, has seen a noticeable increase recently. Cyberint’s observations indicate that UULoader is primarily being spread through phishing emails, often disguised as installers for legitimate software like AnyDesk or updates for apps like Google Chrome. The malicious campaigns seem to be targeting enterprises, given the nature of the applications used as bait.

Suggested Corrections:
  • Email Filtering: Implement advanced email filtering solutions to detect and block phishing emails, especially those disguised as software installers.
  • Whitelisting MSI Files: Utilize Software Restriction Policies (SRP) or AppLocker to restrict the execution of MSI files to those that are signed and from trusted vendors. This can prevent unauthorized MSI files from executing on the system.
  • Behavioral Monitoring: Deploy EDR solutions to monitor for unusual activities like file header stripping and sideloading, which are used by UULoader to evade detection.
  • File Header Integrity Checks: Implement tools or scripts that can detect and alert when MSI files are missing expected headers or exhibit suspicious alterations, such as the "MZ" header stripping used by UULoader.
  • Dynamic Analysis of MSI Files: Before allowing any MSI file to execute, run it in a sandbox or controlled environment to observe its behavior. This can help identify malicious files that evade static detection methods by using techniques like DLL sideloading.
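The "MZ" header stripping described in the summary, and the header integrity check suggested above, can be turned into a concrete scan. The following is an added example written for this digest, not code from the article or from Cyberint. It assumes only the documented PE layout (the `e_lfanew` field at offset 0x3C pointing at the `PE\0\0` signature) and covers two ways the two magic bytes may be missing: deleted outright, which shifts the rest of the image up by two bytes, or overwritten in place. It also flags one-byte files and the "M"/"Z" pair that would be used to rebuild the header. The file names and the sample image are constructed for the demo.

```python
"""Added example (not code from the article or from Cyberint): a defender-side
check for 'MZ' header stripping. It flags PE images whose two leading magic
bytes are missing and the single-byte 'M'/'Z' fragments used to rebuild them.
File and directory names below are constructed for the demo."""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"


def _has_pe_signature(buf: bytes) -> bool:
    """True if the e_lfanew field at 0x3C points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify_pe(data: bytes) -> str:
    """Return 'pe', 'headerless-pe' or 'other' for a file's raw bytes.

    Two stripping styles are covered: the two leading bytes deleted (the rest
    of the image shifts up by two, so we re-check after re-attaching 'MZ')
    and the magic overwritten in place (e_lfanew still sits at 0x3C)."""
    if data[:2] == b"MZ" and _has_pe_signature(data):
        return "pe"
    if _has_pe_signature(b"MZ" + data) or _has_pe_signature(data):
        return "headerless-pe"
    return "other"


def scan_directory(root: str) -> list[tuple[str, str]]:
    """Walk `root` and return (path, finding) pairs worth alerting on."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        one_byte = {}
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if len(data) == 1:
                one_byte[data] = path          # candidate 'M' / 'Z' fragment
                findings.append((path, "single-byte-file"))
            elif classify_pe(data) == "headerless-pe":
                findings.append((path, "headerless-pe"))
        if b"M" in one_byte and b"Z" in one_byte:
            findings.append((dirpath, "mz-rebuild-fragments"))
    return findings


def build_sample_pe() -> bytes:
    """Minimal constructed PE-shaped blob: 'MZ', e_lfanew -> 0x80, 'PE\\0\\0'."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos_header + b"\0" * (e_lfanew - len(dos_header)) + PE_SIGNATURE + b"\0" * 0x40


def demo() -> set[tuple[str, str]]:
    """Drop a stripped image plus 'M' and 'Z' fragments in a temp dir and scan it."""
    sample = build_sample_pe()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "update.dat"), "wb") as fh:
            fh.write(sample[2:])               # 'MZ' deleted from the image
        with open(os.path.join(root, "M"), "wb") as fh:
            fh.write(b"M")
        with open(os.path.join(root, "Z"), "wb") as fh:
            fh.write(b"Z")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"harmless text")
        return {(os.path.basename(p), f) for p, f in scan_directory(root)}


if __name__ == "__main__":
    for name, finding in sorted(demo()):
        print(f"{finding:22} {name}")
```

Pointing `scan_directory` at the folder an MSI unpacks into (or at a staging share) gives a static check that does not depend on a scanner being able to classify the file; a one-byte file is almost never legitimate in an installer payload, so the "M"/"Z" pair in the same directory as a headerless image is a strong signal on its own.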
Link(s):
https://www.darkreading.com/threat-...-actors-msi-files-bypass-windows-vt-detection