Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware
Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group, Void Arachne.
This group has targeted Chinese-speaking users by distributing malicious Windows Installer (MSI) files.
The campaign leverages popular software and AI technologies to lure unsuspecting victims, leading to severe security breaches and potential financial losses.
Void Arachne’s campaign primarily targets the Chinese-speaking demographic, utilizing SEO poisoning and widely used messaging applications such as Telegram.
According to the TrendMicro blogs, the hacker group has disseminated malicious MSI files embedded with nudifiers and deepfake pornography-generating software, exploiting the public’s interest in AI technologies.
Scan Your Business Email Inbox to Find Advanced Email Threats – Try AI-Powered Free Threat Scan
These compromised files are advertised as legitimate software installers, including language packs, VPNs, and AI-powered applications.
Technical Analysis
The malicious MSI files, such as letvpn.msi, use Dynamic Link Libraries (DLLs) during installation.
These DLLs facilitate various operations, including property management, task scheduling, and firewall configuration.
The MSI file creates scheduled tasks and configures firewall rules to whitelist both inbound and outbound traffic associated with the malware, ensuring uninterrupted operation.
Table 1: Sample of Files Dropped by LetsPro.msi
File NameSizeMD5 HashParent Directory19996288D82362C15DDB7206010B8FCEC7F611C5C:Users%USERNAME%792258.vbs2405CD95B5408531DC5342180A1BECE74757C:Users%USERNAME%LetsPRO.exe40960FE7AEDAB70A5A58EFB84E6CB988D67A4C:Users%USERNAME%
Malicious AI Applications
Void Arachne has also promoted AI technologies that can be used for virtual kidnapping and sextortion schemes.
These include voice-altering and face-swapping AI applications advertised on Telegram channels.
The group has shared infected modifier applications that create nonconsensual deepfake pornography, often used in sextortion schemes.
A Screenshot of the Void Arachne Telegram Channel Advertising Face-Swapping Applications
Distribution Methods
Void Arachne employs multiple initial access vectors to distribute malware, including SEO poisoning and spear-phishing links.
These links are hosted on attacker-controlled websites disguised as legitimate sites, ranking high on search engines.
The group also shares malicious MSI files on Chinese-language-themed Telegram channels, increasing the chances of infection.
An attacker-controlled website that hosts a malicious payload
Table 2: Winos 4.0 External Plugins
Plugin Name in ChinesePlugin Name in EnglishSHA256 Hash删除360急速安全账号密码.dllDelete 360 Speed Security Account Password.dll03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3提权-EnableDebugPrivilege.dllElevate Privileges-EnableDebugPrivilege.dll11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f体积膨胀.dllVolume Expansion.dll186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f
Impact and Recommendations
The proliferation of these malicious MSI files poses a significant threat to organizations and individuals.
Malware can lead to system compromise, data theft, and financial losses.
Trend Micro has curated comprehensive resources to educate the community on identifying, preventing, and addressing sextortion attacks.
Victims are strongly advised to report incidents to relevant authorities, such as the Internet Crime Complaint Center (IC3).
Void Arachne’s campaign highlights the growing sophistication of cyber threats and the need for robust cybersecurity measures.
Individuals and organizations can protect themselves from such malicious campaigns by staying vigilant and adopting comprehensive security practices.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
The post Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
About The Author
