Attackers Abuse MSI Packages to Execute Malicious Scripts
Researchers at Trend Micro have detected malicious Microsoft Software Installation (MSI) package files capable of downloading and executing other files while circumventing traditional security measures. The report on the findings shows how the MSI packages can be abused through custom actions to run malicious JavaScript, VBScript, and PowerShell scripts and drop malware onto the victim's machine.
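For defenders triaging a suspicious package, the CustomAction table can be read without running the installer. The PowerShell function below is an added example, not code from Trend Micro's report: it opens an MSI read-only through the Windows Installer COM interface and lists custom actions that are JScript or VBScript, or that launch a script host. The function name and the script-host pattern are assumptions of this example.

```powershell
function Get-MsiScriptCustomAction {
    # Hypothetical helper name; lists script-capable custom actions in an MSI.
    param([Parameter(Mandatory)][string]$Path)

    # Windows Installer COM members are late-bound, so call them via reflection.
    function Invoke-Com($Object, $Name, $Kind, $ComArgs) {
        $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ComArgs)
    }

    # Base custom action kinds encoded in the low 3 bits of the Type column.
    $baseNames = @{ 1 = 'DLL'; 2 = 'EXE'; 5 = 'JScript'; 6 = 'VBScript' }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Open mode 0 = read-only; the package is inspected, never executed.
    $db   = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($full, 0)
    $sql  = 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @($sql)
    $null = Invoke-Com $view 'Execute' 'InvokeMethod' $null

    # Fetch returns $null once every row has been read.
    while ($record = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
        $type   = Invoke-Com $record 'IntegerData' 'GetProperty' @(2)
        $target = Invoke-Com $record 'StringData'  'GetProperty' @(4)
        $base   = $type -band 0x07

        $isScript  = $base -in 5, 6
        # Heuristic (assumption of this example): EXE actions naming a script host.
        $callsHost = $base -eq 2 -and $target -match 'powershell|wscript|cscript|mshta'

        if ($isScript -or $callsHost) {
            [pscustomobject]@{
                Action = Invoke-Com $record 'StringData' 'GetProperty' @(1)
                Type   = $type
                Kind   = $baseNames[$base]
                Source = Invoke-Com $record 'StringData' 'GetProperty' @(3)
                Target = $target
            }
        }
    }
    $null = Invoke-Com $view 'Close' 'InvokeMethod' $null
}
```

A package with no CustomAction table makes `OpenView` throw, which itself indicates there are no custom actions to review. Legitimate installers also use script custom actions, so treat the output as a list of entries to read, not a verdict.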
Malware Targets Users in Brazil and Portugal
Several characteristics of the analyzed samples point to the conclusion that the main targets of the malicious MSI packages are located in Brazil and Portugal. First, some of the detected Trojan samples check for the following folder names: %AppDataLocal%\Aplicativo Itau, %Program Files%\AppBrad, and %ProgramFiles%\Diebold\Warsaw. According to Trend Micro, these folders are related to financial and banking services in Brazil. Further proof is the fact that the malicious payloads also look at country codes located in hxxps://www.localizaip.com.br/api/iplocation.php. A spam email related to these MSI packages, written in Portuguese, attempts to trick users into downloading an attached .zip file named "Fatur432952-532-674.zip" containing files infected with Trojan.JS.MSAIHA.A and TrojanSpy.Win32.CASBANEIRO.XLB.
The Analyzed MSI Files Pretend to Be Legitimate
The malicious MSI packages were disguised as Adobe Acrobat Reader DC files and redirected users to Adobe's site for Brazil at www.adobe.com/br/. In addition, one of the Trojan samples, Trojan.PS1.MSAIHA.A, downloaded an encrypted .zip file whose contents included files digitally signed by the security software company Avira.
Users are advised to be careful when installing unknown files or visiting links that lead to sites downloading suspicious files. Having an anti-malware security suite and updating all programs on your computer system with the latest patches will also help keep it safe.