Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript

guest · Apr 23, 2019

Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts
April 23, 2019
https://blog.trendmicro.com/trendla...s-javascript-vbscript-and-powershell-scripts/

We recently discovered malicious MSI files that download and execute other files and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that are either capable of initiating a system shutdown or targeting financial systems located in certain locations.

[...] Additionally, it appended a DLL that it consequently loaded to its memory. This use of DLL is for the purpose of executing the digitally signed Avira file (context_snapshot.exe). The Avira executable is then injected with the encrypted DLL (Jlib.dll) in its process and passes itself as a legitimate process.

"[...] To be able to execute malicious code in the context of a legitimate process and bypass security solutions, the malware is using one of our Avira executables out of the context of an Avira regular installation to inject malicious code into it. [...] This issue is currently under investigation, thus we will be able to provide more information in the following days.”

Another notable aspect of the malicious MSI files we analyzed is that they also pretended to be legitimate. The files were disguised as Adobe Acrobat Reader DC (as seen in Figure 7) and redirect the user to the site www[.]adobe[.]com/br/, which is in Portuguese.
Click to expand...

itman · Apr 26, 2019

Notable in this attack was that the script code was executed w/o use of wscript.exe:

Analyzing malicious MSI files

We discovered JScript/VBScript codes within several samples of malicious *.msi files. However, the parts of the script were distributed (and truncated, it seems) to other parts of the file and did not directly execute wscript.exe to run them. (Installer msiexec.exe itself, however, has its interpreter.)
Click to expand...

Also, the extremely low initial detection rate by AVs. One sample I checked on VT was only detected by three AVs; Eset and Kaspersky being two of them.

The use of legit AV installer components is also a first I believe. So, LOL abuse is not just limited to Windows .exe's.

Log in or Sign up

Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript

guest Guest

itman Registered Member

Log in or Sign up

Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript

guest Guest

itman Registered Member

Useful Searches