
Attackers Abuse MSI Packages to Execute Malicious Scripts

Posted: April 26, 2019

Researchers at Trend Micro have detected malicious Microsoft Software Installation (MSI) package files capable of downloading and executing other files while circumventing traditional security measures. The report on the findings shows exactly how the MSI packages can be abused through custom actions to run malicious JavaScript, VBScript, and PowerShell scripts and drop malware onto the victim's machine.
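An added triage sketch (not from the Trend Micro report): it decodes the Type column of an MSI's CustomAction table and flags rows that run JScript, VBScript, or a script host such as PowerShell. The sample rows, action names, and script-host list are constructed assumptions; the bit values are those defined in the Windows SDK header msidefs.h.

```python
# CustomAction.Type bit layout, per the Windows SDK header msidefs.h.
KIND = {1: "dll", 2: "exe", 3: "text", 5: "jscript", 6: "vbscript", 7: "nested install"}
SOURCE = {0x00: "Binary table", 0x10: "installed file", 0x20: "Directory key", 0x30: "property"}
IN_SCRIPT, NO_IMPERSONATE = 0x400, 0x800  # deferred execution; run in system context
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta")  # assumed watch list

def decode(type_value):
    """Split a CustomAction.Type integer into its fields."""
    return {
        "kind": KIND.get(type_value & 0x07, "unknown"),
        "source": SOURCE[type_value & 0x30],
        "deferred": bool(type_value & IN_SCRIPT),
        "no_impersonate": bool(type_value & NO_IMPERSONATE),
    }

def review(rows):
    """Return (action, reasons) for rows that run script code or a script host."""
    findings = []
    for action, type_value, source, target in rows:
        info, reasons = decode(type_value), []
        if info["kind"] in ("jscript", "vbscript"):
            # For script actions, source bits 0x20 mean the script text sits in Target.
            where = "inline Target text" if type_value & 0x30 == 0x20 else info["source"]
            reasons.append(f"{info['kind']} from {where}")
        elif info["kind"] == "exe":
            command = f"{source or ''} {target or ''}".lower()
            if any(host in command for host in SCRIPT_HOSTS):
                reasons.append("exe action launches a script host")
        if reasons and info["deferred"] and info["no_impersonate"]:
            reasons.append("deferred, no impersonation")
        if reasons:
            findings.append((action, reasons))
    return findings

# Constructed sample rows: (Action, Type, Source, Target). Not taken from the report.
SAMPLE_ROWS = [
    ("SetInstallDir", 51, "INSTALLDIR", "[ProgramFilesFolder]ExampleApp"),
    ("CheckLicense", 1, "HelperDll", "CheckLicense"),
    ("RunHelper", 37, None, "/* JScript source text would be here */"),
    ("LaunchSetup", 3106, "TempFolder", "powershell.exe -NoProfile -File setup.ps1"),
    ("Cleanup", 6, "CleanupScript", "Main"),
]

if __name__ == "__main__":
    for action, reasons in review(SAMPLE_ROWS):
        print(f"{action}: {'; '.join(reasons)}")
```

A flagged row is a prompt for manual review rather than a verdict, since legitimate installers also use script custom actions.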

Malware Targets Users in Brazil and Portugal

Several characteristics of the analyzed samples point to the conclusion that the main targets of the malicious MSI packages are located in Brazil and Portugal. First, some of the detected Trojan samples check for the following folder names: %AppDataLocal%\Aplicativo Itau, %Program Files%\AppBrad, and %ProgramFiles%\Diebold\Warsaw. According to Trend Micro, these folders are related to financial and banking services in Brazil. Further proof is the fact that the malicious payloads also look at country codes located at hxxps://www.localizaip.com.br/api/iplocation.php. A spam email related to these MSI packages, written in Portuguese, attempts to trick users into downloading an attached .zip file named "Fatur432952-532-674.zip" containing files infected with Trojan.JS.MSAIHA.A and TrojanSpy.Win32.CASBANEIRO.XLB.

The Analyzed MSI Files Pretend to Be Legitimate

The malicious MSI packages were disguised as Adobe Acrobat Reader DC files and redirected users to Adobe's site for Brazil at www.adobe.com/br/. In addition, one of the Trojan samples, Trojan.PS1.MSAIHA.A, downloaded an encrypted .zip file whose contents included files digitally signed by the security software company Avira.

Users are advised to be careful when installing unknown files or visiting links that lead to sites downloading suspicious files. Having an anti-malware security suite and updating all programs on your computer system with the latest patches will also help in keeping your computer system safe.
