
Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Analysts have been picking up increased cases of malware delivery via Windows Installer files in Southeast Asia.


Chinese-speaking hackers are abusing the Windows Installer (MSI) file format to slip past standard security checks.

Hackers tend to deliver malware in the same familiar formats: executables, archives, Microsoft Office documents, and so on. A new malware loader targeting Chinese and Korean speakers, which researchers from Cyberint have labeled "UULoader," arrives in the somewhat less common MSI form.

In fact, Cyberint isn't the only vendor to have spotted an uptick in malicious MSIs out of Asia this summer. The budding trend may be due in part to a few stealth tactics that let threat actors work around the format's main drawback, namely that static scanners flag malicious MSIs readily, while still benefiting from its advantages as an installer package.

"It's not really common, [since] malicious MSI files do get flagged quite easily by static scanners," explains Cyberint security researcher Shaul Vilkomir Preisman. "But if you employ a few clever, little tricks — like file header stripping, employing a sideloader, and stuff like that — it'll get you through."

UULoader's Stealth Mechanisms

The unidentified but likely Chinese threat actor behind UULoader seems to be spreading it primarily in phishing emails. They'll disguise it as an installer for a legitimate app like AnyDesk (which might indicate enterprise targeting), or as an update for an app like Google Chrome.

An unsigned installer impersonating a well-known application should ordinarily draw scrutiny, since it lacks the code signature a legitimate one carries. To get around that, Preisman says, "It employs several fairly simple static evasion mechanisms like file header stripping and the DLL sideloading, the combination of which renders it at first-seen pretty much invisible to most static scanners."

The first bytes of a file, its magic number, tell the operating system and applications what type of file they are dealing with; for a Windows executable those are the two ASCII bytes "MZ." UULoader strips that header from its core executable files so that they are not classified as the kind of file a security product would inspect. It works, Preisman says, because "in an attempt to be less prone to false positives, static scanners disregard the things that they can't classify, and won't actually do anything with them."

Why doesn't every malware family do this, then? Because, as he notes, "When you strip file headers, you need to find a way to put the file back together somehow, so it will execute on your victim's machine." UULoader does that with two single-byte files containing the characters "M" and "Z." A simple command concatenates those two bytes back onto the front of the headerless body, restoring the magic number after the fact so the executables run as intended.
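The strip-and-reassemble trick, and the hunt check that catches it, as an added example written for this page (it is not Cyberint's code or anything recovered from UULoader). It assumes the reassembly step is equivalent to a plain binary concatenation of the two one-byte files and the body, and the "PE image" it operates on is a constructed stand-in with a DOS header and PE signature, not a real executable:

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of the PE signature


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE file: a DOS header, the usual DOS stub
    string, and a PE signature at the offset e_lfanew points to. It is not a
    runnable executable and is not taken from any real sample."""
    dos_header = bytearray(64)
    dos_header[0:2] = MZ
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    image = bytes(dos_header) + stub
    image += b"\0" * (0x80 - len(image))
    image += PE_SIG + b"\x64\x86" + b"\0" * 18  # PE signature plus a stub COFF header
    return image


def strip_mz(data: bytes) -> bytes:
    """Drop the two-byte MZ magic, as the article describes UULoader doing."""
    assert data[:2] == MZ, "not a PE image"
    return data[2:]


def reassemble(m_part: bytes, z_part: bytes, body: bytes) -> bytes:
    """Put the file back together from the two single-byte files plus the
    headerless body: the equivalent of a binary concatenation on the victim host."""
    return m_part + z_part + body


def is_pe(data: bytes) -> bool:
    """Conventional check: MZ magic, and a PE signature where e_lfanew points."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def looks_like_headerless_pe(data: bytes) -> bool:
    """Hunt heuristic for files dropped alongside an installer: a blob that
    fails is_pe() but becomes a valid PE once 'MZ' is prepended has had its
    magic stripped. Falls back to the DOS stub string for odd header layouts."""
    if data[:2] == MZ:
        return False
    if is_pe(MZ + data):
        return True
    return b"This program cannot be run in DOS mode" in data[:512]


if __name__ == "__main__":
    sample = build_sample_pe()
    body = strip_mz(sample)
    print("stripped body classified as PE:", is_pe(body))            # False: what a static scanner sees
    print("headerless-PE heuristic fires:", looks_like_headerless_pe(body))  # True
    print("reassembled matches original:", reassemble(b"M", b"Z", body) == sample)  # True
```

The point of `looks_like_headerless_pe` is that a scanner keyed on the magic number gives up at byte zero, while an analyst who prepends the two missing bytes gets a fully parseable PE back; running that check over everything an MSI writes to disk, rather than only over files the scanner already recognises, is the inexpensive counter to this trick.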

UULoader stacks on another couple of tricks to keep the victim from noticing. For one thing, it runs a legitimate decoy, for example the real Chrome installer it claimed to be in the first place. It also executes a VBScript (VBS) that registers the folder it creates as a Microsoft Defender exclusion, so anything staged there afterwards goes unscanned.
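A detection for that last step, as an added example written for this page rather than a Cyberint rule. Defender logs every configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log; this assumes the message shape "New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\<path> = 0x0" and works over constructed sample messages, not telemetry from any UULoader incident. The staging-directory list is an assumption to tune for your own estate:

```python
import re

# Constructed sample (event_id, message) pairs in the shape of Microsoft-Windows-Windows
# Defender/Operational event 5007. The paths are invented; nothing here is UULoader telemetry.
SAMPLE_EVENTS = [
    ("5007",
     "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
     "event you should review the settings as this may be the result of malware.\n"
     "\tOld value: \n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
     "C:\\Users\\alice\\AppData\\Local\\Temp\\ChromeUpdate = 0x0"),
    ("5007",
     "Microsoft Defender Antivirus Configuration has changed.\n"
     "\tOld value: \n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
     "C:\\Program Files\\Contoso ERP = 0x0"),
    ("5007",
     "Microsoft Defender Antivirus Configuration has changed.\n"
     "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\"
     "CheckForSignaturesBeforeRunningScan = 0x1\n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\"
     "CheckForSignaturesBeforeRunningScan = 0x0"),
    ("1116", "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."),
]

# Matches an exclusion being written (value data 0x0) under the Paths, Extensions or Processes key.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# User-writable locations where a dropper would stage files. A fresh exclusion here is far
# more suspicious than one under Program Files. Assumed list; extend it for your environment.
STAGING_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
    "\\programdata\\", "\\windows\\temp\\",
)


def find_exclusion_additions(events):
    """Return (kind, value) for every 5007 event that adds a Defender exclusion."""
    hits = []
    for event_id, message in events:
        if event_id != "5007":
            continue
        m = EXCLUSION_RE.search(message)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def is_suspicious_exclusion(kind, value):
    """Flag path exclusions that land in user-writable staging directories."""
    lowered = value.lower().rstrip("\\") + "\\"
    return kind.lower() == "paths" and any(d in lowered for d in STAGING_DIRS)


def triage(events):
    """Exclusion additions worth an analyst's attention."""
    return [(k, v) for k, v in find_exclusion_additions(events) if is_suspicious_exclusion(k, v)]


if __name__ == "__main__":
    for kind, value in triage(SAMPLE_EVENTS):
        print(f"suspicious Defender exclusion ({kind}): {value}")
```

In practice the same logic belongs in a SIEM rule on event 5007, and the registry key the message names can be audited directly with `Get-MpPreference` on the host; either way, an exclusion appearing in a temp or roaming profile directory within seconds of an installer running is the kind of first-seen signal that does not depend on anyone having a signature for the payload yet.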

Altogether, those mechanisms may explain why the samples' first VirusTotal submissions last month came back clean. "On first-seen, nobody detects these samples. Only after they've been known for a while — for a couple of days, and sandboxes have actually had time to process them — do detections rise on these samples," Preisman says.

MSIs in Southeast Asia

At the end of its infection chain, UULoader has been observed dropping Gh0stRAT along with supplementary tools such as Mimikatz. Because those tools are so widely used across many kinds of intrusion, the exact nature and goal of these infections is not yet known.

Gh0stRAT is a widely circulated remote access trojan that has long been popular in Chinese-speaking circles, where MSI usage also seems to be rising.

"We are seeing it mostly in Southeast Asia," Preisman reports, "especially during the last month, when we saw a fairly significant uptick. We saw five, 10, maybe 20 cases in a week, and there was a significant increase — maybe double that — during last month."

Perhaps that will continue, until MSI files develop the kind of notoriety that other file types enjoy.

"Nowadays," he says, "most users will be a little bit more suspicious of a Word document or a PDF. Windows Installers aren't really all that common, but they're kind of a clever way to bundle up a piece of malware."


About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
