Yes, this is yet another attempt of ours at bypassing antivirus! This time the evasion technique abuses the MSI installer format.

The most common formats for installing an application on Windows are "EXE" and "MSI." The concepts of a stub and a packer apply to both. For EXE files, writing a stub and its extractor is not everyone's cup of tea. With MSI, that need not be the case: the installer format already ships the machinery to embed files and run a script after installation.

I came across this technique while doing malware analysis and reverse engineering of Rozena.

We use the WiX Toolset to build the installer. Below is the execution workflow.

[image: evasion workflow]

First, the user runs the MSI file to install the app. The MSI carries four embedded objects: the batch script that performs the operations, a carrier (decoy) file (in this case PicoCrypt), the 7-Zip binary, and the encrypted archive holding the payload.

We use LockBit ransomware as our payload. The directory below contains the complete output generated by the LockBit builder.

[image: LockBit builder output files]

Let us check how many detections it has on VirusTotal.

[image: LockBit VirusTotal detections]

Below is the source tree we created to build our MSI with WiX.

[image: MSI builder setup]

We place infected.exe in the mal folder (this is the actual LockBit ransomware build).

[image: infected.exe in the mal folder]

product.wxs is the WiX source that defines the name and metadata of the MSI file. It also references all the objects that will be embedded. Finally, it defines a custom action that runs the batch script as soon as the MSI's contents have been installed.

[image: product.wxs]

script.bat contains the commands that extract the infected file from the encrypted archive and execute it, while also launching the embedded carrier file.
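The structure described above (a post-install custom action that runs an embedded script, with the script, carrier, 7-Zip and archive stored as Binary-table streams) is also what an analyst can look for when triaging an MSI. The Python below is an added example, not code from this post: it decodes the obfuscated OLE stream names an MSI uses for its tables and embedded binaries (the encoding scheme documented in the Wine and msitools sources), sniffs the leading bytes of an embedded blob, and flags the combination of a CustomAction table with Binary streams. The stream names used as input are constructed in the block; `triage_msi` runs the same check on a real file and assumes the third-party olefile package is installed. Function names are the example's own.

```python
"""Triage helper for MSI files (added example, not the post's code).

An MSI is an OLE compound document whose table and binary streams carry
obfuscated names: two characters are packed into one UTF-16 code unit in
the range 0x3800-0x47FF, a trailing single character into 0x4800-0x483F,
and 0x4840 prefixes table streams. The sample stream names below are
constructed here, not taken from the post's product.msi."""

# Alphabet MSI uses for the 6-bit groups inside an encoded stream name.
MIME_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_PREFIX = 0x4840                      # marks a database table stream
PAIR_BASE, SINGLE_BASE, RANGE_END = 0x3800, 0x4800, 0x4840


def decode_stream_name(raw: str) -> str:
    """Turn an encoded OLE stream name into readable text ('!' = table)."""
    out = []
    for ch in raw:
        code = ord(ch)
        if code == TABLE_PREFIX:
            out.append("!")
        elif PAIR_BASE <= code < RANGE_END:
            if code >= SINGLE_BASE:                     # one trailing character
                out.append(MIME_CHARS[code - SINGLE_BASE])
            else:                                       # two characters, 6 bits each
                code -= PAIR_BASE
                out.append(MIME_CHARS[code & 0x3F])
                out.append(MIME_CHARS[(code >> 6) & 0x3F])
        else:
            out.append(ch)                              # not encoded, keep verbatim
    return "".join(out)


def encode_stream_name(name: str, table: bool = False) -> str:
    """Inverse of decode_stream_name; used here to build the constructed fixtures."""
    out = [chr(TABLE_PREFIX)] if table else []
    i = 0
    while i < len(name):
        a = MIME_CHARS.index(name[i])                   # raises on unencodable chars
        if i + 1 < len(name):
            b = MIME_CHARS.index(name[i + 1])
            out.append(chr(PAIR_BASE + a + (b << 6)))
            i += 2
        else:
            out.append(chr(SINGLE_BASE + a))
            i += 1
    return "".join(out)


def sniff_blob(data: bytes) -> str:
    """Rough content type of an embedded stream from its leading bytes."""
    if data.startswith(b"7z\xbc\xaf\x27\x1c"):
        return "7z"                                     # 7-Zip archive magic
    if data.startswith(b"MZ"):
        return "mz"                                     # PE executable (e.g. 7z.exe)
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"                                   # e.g. a .bat script
    return "unknown"


def triage_stream_names(raw_names):
    """Classify decoded stream names and say why the MSI deserves a closer look."""
    tables, binaries, other = [], [], []
    for raw in raw_names:
        name = decode_stream_name(raw)
        if name.startswith("!"):
            tables.append(name[1:])
        elif name.startswith("Binary."):                # Binary-table data stream
            binaries.append(name[len("Binary."):])
        else:
            other.append(name)
    reasons = []
    if "CustomAction" in tables:
        reasons.append("CustomAction table present")
    if binaries:
        reasons.append("Binary streams: " + ", ".join(binaries))
    return {"tables": tables, "binaries": binaries, "other": other,
            "suspicious": "CustomAction" in tables and bool(binaries),
            "reasons": reasons}


def triage_msi(path):
    """Run the same triage on a real file; needs the third-party olefile package."""
    import olefile                                      # assumption: installed
    ole = olefile.OleFileIO(path)
    try:
        names = ["/".join(p) for p in ole.listdir(streams=True, storages=False)]
        result = triage_stream_names(names)
        result["blob_types"] = {
            decode_stream_name(n): sniff_blob(ole.openstream(n).read(512))
            for n in names if decode_stream_name(n).startswith("Binary.")}
    finally:
        ole.close()
    return result


# Constructed stream list mirroring the layout this post describes.
SAMPLE_STREAMS = [
    "\x05SummaryInformation",
    encode_stream_name("_Tables", table=True),
    encode_stream_name("_Columns", table=True),
    encode_stream_name("CustomAction", table=True),
    encode_stream_name("Binary", table=True),
    encode_stream_name("Binary.script"),
    encode_stream_name("Binary.archive"),
]

if __name__ == "__main__":
    print(triage_stream_names(SAMPLE_STREAMS))
```

The decoder is the part worth keeping: without it, a hex dump or `olefile` listing of an MSI shows only CJK-looking stream names, and the CustomAction and Binary tables that this technique depends on stay hidden. A hit from `triage_stream_names` is a reason to dump the Binary streams and read the script, not a verdict on its own, since legitimate installers also use custom actions.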

[image: script.bat]

archive.bat simply creates the encrypted 7-Zip archive.

[image: archive.bat]

Running archive.bat produces infected.7z.

[image: infected.7z created]

build.bat generates the final MSI file.

[image: build.bat]

After the script runs, WiX has produced product.msi.

[image: product.msi created]

Let us check the detection rate of this newly created MSI file.

[image: product.msi VirusTotal detections]

Interestingly, 22 engines flag it as malicious, but none of the verdicts names LockBit: the engines react to the installer's structure rather than to the payload inside the encrypted archive.

Let's rock 'n' roll

After the MSI file is executed, it launches the carrier file, i.e. PicoCrypt.

[image: carrier (PicoCrypt) running]

[image: LockBit executing in the background]

Finally we see the LockBit icon on the files on the Desktop.

We meet again next time, dissecting another sample or coming up with another evasion technique. Until then, ciao ciao.