Malspam campaign delivers LokiBot by abusing Windows Installer
Malspam campaign delivers LokiBot by abusing Windows Installer

A recently observed malspam-based phishing campaign is exploiting a remote code execution vulnerability in Microsoft Office to infect victims with LokiBot malware via the Windows Installer service, Trend Micro has reported.

Trend Micro has previously detailed other attacks leveraging CVE-2017-11882, a memory corruption vulnerability in Office's Equation Editor, which was patched last November. But in a rather unique twist, this time the campaign takes advantage of the Windows Installer program msiexec.exe.

In a Feb. 8 blog post, Trend Micro researchers Martin Co and Gilbert Sison report that the phishing emails associated with this attack use a lure that asks the recipient to confirm receipt of a payment. While much of the content is written in English, there is also a warning, in Korean, that advises recipients to check if their PCs are infected with a virus or malicious code. For this reason, Trend Micro believes Korean-speakers are the intended target.

The attached document, saved under the name Payment copy.Doc, purports to be a payment confirmation document, but opening it actually delivers the exploit, which is used to download a Windows Installer package labeled zus.msivia. This package then drops either an obfuscated MSIL (Microsoft Intermediate Language) or Delphi binary. In turn, the binary uses a hallowed out instance of itself to produce the final payload, Loki, which is known for stealing passwords and cryptocurrency wallets.

Trend Micro researchers believe that the unusual tactic of using Windows Installer may be a way to evade detection by security software that looks for more traditional installation methods.

“Security software has become proficient at monitoring possible downloader processes such as Wscript, Powershell, Mshta.exe, Winword.exe, and other similar executables that have become increasingly popular methods of installing malicious payload,” report Co and Sison. “Due to their widespread use, it became easy to stop the arrival of threats via these software. However, the use of msiexec.exe to download a malicious MSI package is not something we typically see in most malware.”

With that said, however, “we cannot definitively say if these samples are being delivered via the method described,” the researchers add.

Other malware families, including Andromeda, have previous abused Windows Installer, the researchers note, but they modify the program or its processes in some capacity. But in this instance, Installer is left untouched and is used exactly as it's programmed to – only for a malicious purpose.

This latest attack is also an outlier because Microsoft Installer packages more typically are “abused for malicious purposes to install Potentially Unwanted Applications... This is a new direction for malware creators,” the report states.

Aside from taking the usual email security precautions, users can protect themselves from this particular threat by disabling or restricting Windows Installer.