Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group, Void Arachne.

This group has targeted Chinese-speaking users by distributing malicious Windows Installer (MSI) files.

The campaign leverages popular software and AI technologies to lure unsuspecting victims, leading to severe security breaches and potential financial losses.

Void Arachne’s campaign primarily targets the Chinese-speaking demographic, utilizing SEO poisoning and widely used messaging applications such as Telegram.

According to the TrendMicro blogs, the hacker group has disseminated malicious MSI files embedded with nudifiers and deepfake pornography-generating software, exploiting the public’s interest in AI technologies.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

These compromised files are advertised as legitimate software installers, including language packs, VPNs, and AI-powered applications.

Technical Analysis

The malicious MSI files, such as letvpn.msi, use Dynamic Link Libraries (DLLs) during installation.

These DLLs facilitate various operations, including property management, task scheduling, and firewall configuration.

The MSI file creates scheduled tasks and configures firewall rules to whitelist both inbound and outbound traffic associated with the malware, ensuring uninterrupted operation.

Table 1: Sample of Files Dropped by LetsPro.msi

File Name	Size	MD5 Hash	Parent Directory
1	9996288	D82362C15DDB7206010B8FCEC7F611C5	C:\Users%USERNAME%\
792258.vbs	2405	CD95B5408531DC5342180A1BECE74757	C:\Users%USERNAME%\
LetsPRO.exe	40960	FE7AEDAB70A5A58EFB84E6CB988D67A4	C:\Users%USERNAME%\

Malicious AI Applications

Void Arachne has also promoted AI technologies that can be used for virtual kidnapping and sextortion schemes.

These include voice-altering and face-swapping AI applications advertised on Telegram channels.

The group has shared infected modifier applications that create nonconsensual deepfake pornography, often used in sextortion schemes.

Distribution Methods

Void Arachne employs multiple initial access vectors to distribute malware, including SEO poisoning and spear-phishing links.

These links are hosted on attacker-controlled websites disguised as legitimate sites, ranking high on search engines.

The group also shares malicious MSI files on Chinese-language-themed Telegram channels, increasing the chances of infection.

Table 2: Winos 4.0 External Plugins

Plugin Name in Chinese	Plugin Name in English	SHA256 Hash
删除360急速安全账号密码.dll	Delete 360 Speed Security Account Password.dll	03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3
提权-EnableDebugPrivilege.dll	Elevate Privileges-EnableDebugPrivilege.dll	11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f
体积膨胀.dll	Volume Expansion.dll	186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f

Impact and Recommendations

The proliferation of these malicious MSI files poses a significant threat to organizations and individuals.

Malware can lead to system compromise, data theft, and financial losses.

Trend Micro has curated comprehensive resources to educate the community on identifying, preventing, and addressing sextortion attacks.

Victims are strongly advised to report incidents to relevant authorities, such as the Internet Crime Complaint Center (IC3).

Void Arachne’s campaign highlights the growing sophistication of cyber threats and the need for robust cybersecurity measures.

Individuals and organizations can protect themselves from such malicious campaigns by staying vigilant and adopting comprehensive security practices.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free