No Result
View All Result
Global Finances Daily
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers
No Result
View All Result
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers
  • Login
Global Finances Daily
No Result
View All Result
Home Protection

Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

August 22, 2024
in Protection
0
Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection


Chinese language hackers are taking advantage of the Windows Installer (MSI) file format to bypass standard security checks.

Hackers are known to deliver malware in the same sorts of familiar formats: executables, archive and Microsoft Office files, and so on. A new malware loader targeting Chinese and Korean speakers, which researchers from Cyberint have labeled “UULoader,” comes in the somewhat less common MSI form.

In fact, Cyberint isn’t the only vendor to have spotted an uptick in malicious MSIs from Asia this summer. The budding trend may be in part thanks to some novel stealth tactics that are allowing threat actors to ignore its shortcomings and take advantage of its strengths.

“It’s not really common, [since] malicious MSI files do get flagged quite easily by static scanners,” explains Cyberint security researcher Shaul Vilkomir Preisman. “But if you employ a few clever, little tricks — like file header stripping, employing a sideloader, and stuff like that — it’ll get you through.”

UULoader’s Stealth Mechanisms

The unidentified but likely Chinese threat actor behind UULoader seems to be spreading it primarily in phishing emails. They’ll disguise it as an installer for a legitimate app like AnyDesk (which might indicate enterprise targeting), or as an update for an app like Google Chrome.

This should immediately trigger alarms on any Windows system, as UULoader is not signed and trusted as a legitimate app would be. To get around that, Preisman says, “It employs several fairly simple static evasion mechanisms like file header stripping and the DLL sideloading, the combination of which renders it at first-seen pretty much invisible to most static scanners.”

The first several bytes in any file are like a name tag, letting the operating system and applications know what type of file they’re dealing with. UULoader strips that header — “MZ,” in this case — from its core executable files, in order to prevent them from being classified as the kinds of files a security program might be interested in. It works, Preisman says, because “in an attempt to be less prone to false positives, static scanners disregard the things that they can’t classify, and won’t actually do anything with them.”

Why doesn’t every malware do this, then? Because “When you strip file headers, you need to find a way to put the file back together somehow, so it will execute on your victim’s machine,” he notes. UULoader does that with two, single-byte files which correspond to the characters “M” and “Z.” With a simple command, the two letters are made to essentially reform a name tag post facto, and the programs can function as needed.

UULoader stacks on another couple of tricks to confuse its victim. For one thing, it runs a legitimate decoy file — for example, the real Chrome installer it purported to be in the first place. It also executes a VBScript (VBS) which registers the folder it creates as an exclusion in Microsoft Defender.

Altogether, its stealth mechanisms may explain why initial detections on VirusTotal last month yielded totally innocuous results. “On first-seen, nobody detects these samples. Only after they’ve been known for a while — for a couple of days, and sandboxes have actually had time to process them — do detections rise on these samples,” Preisman says.

MSIs in Southeast Asia

At the end of its infection chain, UULoader has been observed dropping Gh0stRAT, and supplementary hacking tools like Mimikatz. And because these tools are so broadly popular and applicable to various kinds of attack, the exact nature and goal of these infections is as yet unknown.

Gh0stRAT is a common commercial hacking tool in Chinese circles, where MSI usage seems to be rising.

“We are seeing it mostly in Southeast Asia,” Preisman reports, “especially during the last month, when we saw a fairly significant uptick. We saw five, 10, maybe 20 cases in a week, and there was a significant increase — maybe double that — during last month.”

Perhaps that will continue, until MSI files develop the kind of notoriety that other file types enjoy.

“Nowadays,” he says, “most users will be a little bit more suspicious of a Word document or a PDF. Windows Installers aren’t really all that common, but they’re kind of a clever way to bundle up a piece of malware.”



Editorial Team

Editorial Team

Related Posts

The GoPro Max2 Is $200 Off Right Now
Protection

The GoPro Max2 Is $200 Off Right Now

July 9, 2026
This Quick Fix Takes Care of Your iPhone Screen's Brightness Bug
Protection

This Quick Fix Takes Care of Your iPhone Screen’s Brightness Bug

July 9, 2026
How to Actually 'Regulate' Your Nervous System
Protection

How to Actually ‘Regulate’ Your Nervous System

July 9, 2026
10 New Features Coming to Apple Messages in iOS 27
Protection

10 New Features Coming to Apple Messages in iOS 27

July 9, 2026
The Samsung 180Hz Odyssey G5 Gaming Monitor Is $100 Off Right Now
Protection

The Samsung 180Hz Odyssey G5 Gaming Monitor Is $100 Off Right Now

July 9, 2026
Meta Now Lets Anyone Generate AI Images With Your Instagram Posts, but You Can Stop It
Protection

Meta Now Lets Anyone Generate AI Images With Your Instagram Posts, but You Can Stop It

July 9, 2026
Load More
Next Post
Equities See Cautious Trade Before Fed, BOJ Events: Markets Wrap

Equities See Cautious Trade Before Fed, BOJ Events: Markets Wrap

Popular News

  • Trump administration Harvard lawsuit: impact on applicants

    Trump administration Harvard lawsuit: impact on applicants

    0 shares
    Share 0 Tweet 0
  • Ray Dalio says Bitcoin blocks central banks

    0 shares
    Share 0 Tweet 0
  • Cathie Wood snaps up $38m Tesla dip after Musk stock rout

    0 shares
    Share 0 Tweet 0
  • Venezuelan Government Increases USDT Usage Due to Dollar Scarcity

    0 shares
    Share 0 Tweet 0
  • Kalshi hit with temporary Michigan ban over sports event contracts

    0 shares
    Share 0 Tweet 0

Latest News

The GoPro Max2 Is $200 Off Right Now

The GoPro Max2 Is $200 Off Right Now

July 9, 2026
0

We may earn a commission from links on this page. Deal pricing and availability subject to change after time of...

Bank of Korea defends bank-first stablecoin plan amid bill deadlock - 1

Bank of Korea defends bank-first stablecoin plan amid bill deadlock

July 9, 2026
0

The Bank of Korea has reaffirmed that won-denominated stablecoins should initially be issued through bank-led consortiums, reinforcing its position as...

Taiwan Just Launched a 2-Year Digital Nomad Visa—Here's Who Qualifies

Taiwan Just Launched a 2-Year Digital Nomad Visa—Here’s Who Qualifies

July 9, 2026
0

For travelers looking to relocate to East Asia, the island nation of Taiwan stands apart for its diverse array of...

Stocks making the biggest moves midday: MU, PSKY, MARA, PEP

Stocks making the biggest moves midday: MU, PSKY, MARA, PEP

July 9, 2026
0

Check out the companies making the biggest moves midday: Micron Technology — The memory chipmaker rose more than 7% after...

Global Finances Daily

Welcome to Global Finances Daily, your go-to source for all things finance. Our mission is to provide our readers with valuable information and insights to help them achieve their financial goals and secure their financial future.

Subscribe

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Use
  • Editorial Process

© 2025 All Rights Reserved - Global Finances Daily.

No Result
View All Result
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers

© 2025 All Rights Reserved - Global Finances Daily.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.