Saturday, July 20, 2024

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group, Void Arachne.

This group has targeted Chinese-speaking users by distributing malicious Windows Installer (MSI) files.

The campaign leverages popular software and AI technologies to lure unsuspecting victims, leading to severe security breaches and potential financial losses.

Void Arachne’s campaign primarily targets the Chinese-speaking demographic, utilizing SEO poisoning and widely used messaging applications such as Telegram.

According to Trend Micro's research blog, the group has disseminated malicious MSI files bundled with "nudifier" and deepfake pornography-generating software, exploiting public interest in AI technologies.


These compromised files are advertised as legitimate software installers, including language packs, VPNs, and AI-powered applications.

Technical Analysis

The malicious MSI files, such as letvpn.msi, use Dynamic Link Libraries (DLLs) during installation.

These DLLs facilitate various operations, including property management, task scheduling, and firewall configuration.

The MSI file creates scheduled tasks for persistence and adds firewall rules that allow both inbound and outbound traffic for the malware's components, so its network activity is not blocked by the host firewall.
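A defender-side hunting script, added here as an illustration and not taken from the article or from Trend Micro's research: it lists enabled firewall allow rules and active scheduled tasks whose program runs from outside the Windows and Program Files directories, which is the footprint the installers described above leave behind. The trusted-root list and the function name Test-TrustedPath are assumptions for this example; it requires the built-in NetSecurity and ScheduledTasks modules on Windows 10/11 or Server 2016 and later.

```powershell
# Added hunting example (not the article's or Trend Micro's code). Flags firewall allow
# rules and scheduled tasks bound to programs outside the usual system roots so an
# analyst can review them. The root list below is an assumption; extend it for your estate.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-TrustedPath {
    param([string]$Path)
    # A rule or task with no program bound to it is handled elsewhere; do not flag it here.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $true }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Enabled firewall allow rules (inbound and outbound) whose program lives in an unusual location.
Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -and $app.Program -ne 'Any' -and -not (Test-TrustedPath $app.Program)) {
        [pscustomobject]@{
            Type      = 'FirewallRule'
            Name      = $rule.DisplayName
            Direction = $rule.Direction
            Program   = $app.Program
        }
    }
}

# 2. Scheduled tasks that are not disabled and whose action executes from outside the trusted roots.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and -not (Test-TrustedPath $action.Execute)) {
            [pscustomobject]@{
                Type      = 'ScheduledTask'
                Name      = "$($task.TaskPath)$($task.TaskName)"
                Direction = 'n/a'
                Program   = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    }
}
```

Run it in an elevated PowerShell session and pipe the output to Export-Csv for triage; legitimate software installed under ProgramData or a user profile will also appear, so treat hits as leads for review rather than verdicts.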

Table 1: Sample of Files Dropped by LetsPro.msi (only the column headers survived extraction)

File Name | Size | MD5 Hash | Parent Directory

Malicious AI Applications

Void Arachne has also promoted AI technologies that can be used for virtual kidnapping and sextortion schemes.

These include voice-altering and face-swapping AI applications advertised on Telegram channels.

The group has shared infected modifier applications that create nonconsensual deepfake pornography, often used in sextortion schemes.

A Screenshot of the Void Arachne Telegram Channel Advertising Face-Swapping Applications

Distribution Methods

Void Arachne employs multiple initial access vectors to distribute malware, including SEO poisoning and spear-phishing links.

These links are hosted on attacker-controlled websites disguised as legitimate sites, ranking high on search engines.

The group also shares malicious MSI files on Chinese-language-themed Telegram channels, increasing the chances of infection.

An attacker-controlled website that hosts a malicious payload

Table 2: Winos 4.0 External Plugins

Plugin Name in Chinese | Plugin Name in English | SHA256 Hash
删除360急速安全账号密码.dll | Delete 360 Speed Security Account Password.dll | 03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3
提权-EnableDebugPrivilege.dll | Elevate Privileges-EnableDebugPrivilege.dll | 11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f
体积膨胀.dll | Volume Expansion.dll | 186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f

Impact and Recommendations

The proliferation of these malicious MSI files poses a significant threat to organizations and individuals.

Malware can lead to system compromise, data theft, and financial losses.

Trend Micro has curated comprehensive resources to educate the community on identifying, preventing, and addressing sextortion attacks.

Victims are strongly advised to report incidents to relevant authorities, such as the Internet Crime Complaint Center (IC3).

Void Arachne’s campaign highlights the growing sophistication of cyber threats and the need for robust cybersecurity measures.

Individuals and organizations can protect themselves from such malicious campaigns by staying vigilant and adopting comprehensive security practices.


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.