
Chinese threat actors use MSI files to bypass Windows and VT detection

Chinese hackers are exploiting the Windows Installer (MSI) file format to bypass standard security checks.

Hackers are known to distribute malware in the same familiar formats: executable files, archives, Microsoft Office files and so on. A new malware loader, dubbed “UULoader” by Cyberint researchers and aimed at Chinese and Korean speakers, instead arrives in the slightly less common MSI form.

In fact, Cyberint is not the only vendor reporting an increase in malicious MSIs from Asia this summer. The emerging trend may be due in part to some novel stealth tactics that allow threat actors to sidestep the format’s weaknesses and exploit its strengths.

“This isn’t really common, as malicious MSI files are pretty easily detected by static scanners,” explains Cyberint security researcher Shaul Vilkomir Preisman. “But if you use a few clever little tricks – like removing file headers, using a sideloader and the like – you can get away with it.”

UULoader’s cloaking mechanisms

The unknown but presumably Chinese threat actor behind UULoader seems to distribute it primarily in phishing emails, disguising it as an installer for a legitimate app like AnyDesk (which could indicate an enterprise target) or as an update for an app like Google Chrome.

This should raise immediate alarms on any Windows system, as UULoader is not signed and trusted as a legitimate app would be. To get around this, Preisman says, “It uses several fairly simple static evasion mechanisms such as stripping file headers and sideloading DLLs, the combination of which makes it virtually invisible at first glance to most static scanners.”

The first few bytes in each file are like a name tag that tells the operating system and applications what kind of file they’re dealing with. UULoader strips that header — in this case, “MZ” — from its core executables to prevent them from being classified as the kind of files a security program might be interested in. This works, Preisman says, because “static scanners, in an attempt to be less prone to false positives, ignore the things they can’t classify and actually do nothing with them.”

So why doesn’t all malware do this? Because “if you remove the file headers, you have to find a way to somehow reassemble the file so that it can be executed on the victim’s machine,” he notes. UULoader does this with two one-byte files corresponding to the characters “M” and “Z.” With a simple command, the two letters are joined back onto the stripped files, essentially recreating the name tag after the fact, and the programs can function as intended.
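The header-stripping trick above is cheap to check for on the defender's side: a PE whose leading “MZ” bytes are gone still carries the rest of its DOS header, only shifted two bytes earlier, so the `e_lfanew` pointer can still be followed to the `PE\0\0` signature. The following triage helper is an added example, not code from the article or from Cyberint; the sample file it builds is constructed and is not a real executable.

```python
"""Triage helper: flag PE files whose leading 'MZ' magic has been stripped."""
import os
import struct

PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C  # offset of e_lfanew in an intact DOS header


def _pe_signature_at(data: bytes, lfanew_pos: int, shift: int) -> bool:
    """Read a 4-byte e_lfanew at lfanew_pos, apply `shift`, and check
    that the PE signature sits there. Returns False on any out-of-bounds."""
    if len(data) < lfanew_pos + 4:
        return False
    lfanew = struct.unpack_from("<I", data, lfanew_pos)[0] + shift
    if lfanew < 0 or lfanew + 4 > len(data):
        return False
    return data[lfanew:lfanew + 4] == PE_SIGNATURE


def classify_pe(data: bytes) -> str:
    """'pe' for an intact PE, 'headerless-pe' for a PE whose first two
    bytes ('MZ') were removed, 'other' for anything else."""
    if data[:2] == b"MZ" and _pe_signature_at(data, E_LFANEW_OFFSET, 0):
        return "pe"
    # With 'MZ' gone, every DOS-header field sits two bytes earlier, so
    # e_lfanew is at 0x3A and its stored value points two bytes too far.
    if _pe_signature_at(data, E_LFANEW_OFFSET - 2, -2):
        return "headerless-pe"
    return "other"


def scan_directory(root: str) -> list:
    """Walk `root` and return (path, classification) for every file that
    looks like a headerless PE, the artefact this loader leaves behind."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            verdict = classify_pe(data)
            if verdict == "headerless-pe":
                hits.append((path, verdict))
    return hits


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE: 0x40-byte DOS header with e_lfanew=0x40,
    followed by the PE signature and padding. Not a runnable executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    return bytes(dos) + PE_SIGNATURE + b"\x00" * 20
```

Dropping the first two bytes of `build_sample_pe()` yields a file that `classify_pe` reports as `headerless-pe`, while the one-byte “M” and “Z” files are simply `other`; a scanner that discards unclassifiable files would miss both.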

UULoader uses a few more tricks to confuse its victim. First, it runs a legitimate decoy file – for example, the real Chrome installer it originally pretended to be. It also runs a VBScript (VBS) that registers the created folder as an exception in Microsoft Defender.

Overall, its stealth mechanisms may explain why the first discoveries on VirusTotal last month yielded completely benign results. “At first glance, no one recognizes these samples. Only when they have been known for a while – a few days, and sandboxes have actually had time to process them – do they become more frequently discovered,” says Preisman.

MSIs in Southeast Asia

At the end of its infection chain, UULoader was observed delivering Gh0stRAT and complementary hacking tools such as Mimikatz. Because these tools are so widespread and can be used for different types of attacks, the exact nature and target of these infections is still unknown.

Gh0stRAT is a commercial hacking tool widely used in Chinese circles, where the use of MSI seems to be increasing.

“We’re seeing this particularly in Southeast Asia,” Preisman reports, “especially in the last month, when we saw a pretty significant increase. We were seeing five, ten, maybe twenty cases in a week, and in the last month there’s been a significant increase – maybe even double that.”

Maybe this will continue until MSI files become as popular as other file types.

“These days,” he says, “most users are a little more suspicious of a Word document or a PDF file. Windows Installers are not really widespread, but they are a clever way to bundle malware.”
