Sunday, November 24, 2024
Homecyber securityHackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Published on

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group, Void Arachne.

This group has targeted Chinese-speaking users by distributing malicious Windows Installer (MSI) files.

The campaign leverages popular software and AI technologies to lure unsuspecting victims, leading to severe security breaches and potential financial losses.

- Advertisement - SIEM as a Service

Void Arachne’s campaign primarily targets the Chinese-speaking demographic, utilizing SEO poisoning and widely used messaging applications such as Telegram.

According to the TrendMicro blogs, the hacker group has disseminated malicious MSI files embedded with nudifiers and deepfake pornography-generating software, exploiting the public’s interest in AI technologies.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

These compromised files are advertised as legitimate software installers, including language packs, VPNs, and AI-powered applications.

Technical Analysis

The malicious MSI files, such as letvpn.msi, use Dynamic Link Libraries (DLLs) during installation.

These DLLs facilitate various operations, including property management, task scheduling, and firewall configuration.

The MSI file creates scheduled tasks and configures firewall rules to whitelist both inbound and outbound traffic associated with the malware, ensuring uninterrupted operation.

Table 1: Sample of Files Dropped by LetsPro.msi

File NameSizeMD5 HashParent Directory
19996288D82362C15DDB7206010B8FCEC7F611C5C:\Users%USERNAME%\
792258.vbs2405CD95B5408531DC5342180A1BECE74757C:\Users%USERNAME%\
LetsPRO.exe40960FE7AEDAB70A5A58EFB84E6CB988D67A4C:\Users%USERNAME%\

Malicious AI Applications

Void Arachne has also promoted AI technologies that can be used for virtual kidnapping and sextortion schemes.

These include voice-altering and face-swapping AI applications advertised on Telegram channels.

The group has shared infected modifier applications that create nonconsensual deepfake pornography, often used in sextortion schemes.

A Screenshot of the Void Arachne Telegram Channel Advertising Face-Swapping Applications
A Screenshot of the Void Arachne Telegram Channel Advertising Face-Swapping Applications

Distribution Methods

Void Arachne employs multiple initial access vectors to distribute malware, including SEO poisoning and spear-phishing links.

These links are hosted on attacker-controlled websites disguised as legitimate sites, ranking high on search engines.

The group also shares malicious MSI files on Chinese-language-themed Telegram channels, increasing the chances of infection.

An attacker-controlled website that hosts a malicious payload
An attacker-controlled website that hosts a malicious payload

Table 2: Winos 4.0 External Plugins

Plugin Name in ChinesePlugin Name in EnglishSHA256 Hash
删除360急速安全账号密码.dllDelete 360 Speed Security Account Password.dll03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3
提权-EnableDebugPrivilege.dllElevate Privileges-EnableDebugPrivilege.dll11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f
体积膨胀.dllVolume Expansion.dll186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f

Impact and Recommendations

The proliferation of these malicious MSI files poses a significant threat to organizations and individuals.

Malware can lead to system compromise, data theft, and financial losses.

Trend Micro has curated comprehensive resources to educate the community on identifying, preventing, and addressing sextortion attacks.

Victims are strongly advised to report incidents to relevant authorities, such as the Internet Crime Complaint Center (IC3).

Void Arachne’s campaign highlights the growing sophistication of cyber threats and the need for robust cybersecurity measures.

Individuals and organizations can protect themselves from such malicious campaigns by staying vigilant and adopting comprehensive security practices.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...