The file was a classic MSI package, not an MSIX one (MSIX packages are known to be abused to run malicious scripts); it is a good old OLE compound file. The file (SHA256: 69cad2bf6d63dfc93b632cfd91b5182f14b5140da22f9a0ce82c8b459ad76c38) has a low score on VT (1/32). Attempting to install the package in a sandbox fails with the error message "This package can only be run by a bootstrapper".
This error is documented for legitimate installers as well: if you receive it when trying to uninstall or upgrade a package through an EXE bootstrapper, it may be because you are using a multilingual package with a language selection dialog enabled on the Languages tab. This is a known issue that occurs when the installations in different languages have different product codes. For an analyst, the practical consequence is that simply running the MSI in a sandbox does not execute it, so the triage has to start from the static content of the package.
Legacy MSI files can also trigger code execution through the CustomAction table. The payload belongs to the SectopRAT family[5] (SHA256: 7808f3aea222cdbec2e53b126f46195f4523e9501882b94e0cd42e30f8484f32). It connects to a C2 server located in Russia.
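Because an MSI is an OLE compound file, you can inspect it with a generic OLE tool (olefile, oledump) without running it, but two things get in the way: Windows Installer encodes its database stream names, so the CustomAction table shows up as a run of CJK-looking characters, and the Type column of that table is a bit field. The script below, an added example and not code from the original diary, decodes the stream names (the same scheme as in Wine's msi/table.c), flags the tables and embedded Binary streams worth opening first, and expands a CustomAction Type value. The stream list is constructed for the demo; with olefile you would obtain the real one with `["/".join(p) for p in olefile.OleFileIO(path).listdir(streams=True, storages=False)]`.

```python
"""Static triage of an MSI package (OLE compound file) without executing it.

Added example. decode_stream_name() undoes the 6-bit-per-character encoding
Windows Installer applies to database stream names (code points U+3800..U+4840);
describe_custom_action_type() expands the CustomAction.Type bit field so you can
see whether a row runs an EXE/script from the Binary table, deferred and without
impersonation (i.e. as SYSTEM). The sample stream list is constructed.
"""

CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_MARK = "\u4840"  # prefix of every stream that holds a database table


def decode_stream_name(name: str) -> str:
    """Turn an encoded OLE stream name into the MSI table/stream name."""
    out = []
    for ch in name:
        code = ord(ch)
        if 0x3800 <= code < 0x4800:        # two 6-bit characters packed in one code point
            code -= 0x3800
            out.append(CHARSET[code & 0x3F])
            out.append(CHARSET[(code >> 6) & 0x3F])
        elif 0x4800 <= code < 0x4840:      # a single trailing 6-bit character
            out.append(CHARSET[code - 0x4800])
        elif code == 0x4840:               # table marker, rendered here as '!'
            out.append("!")
        else:                              # stored as-is, e.g. "\x05SummaryInformation"
            out.append(ch)
    return "".join(out)


def encode_stream_name(name: str, table: bool = False) -> str:
    """Inverse of decode_stream_name(); used here only to build sample input."""
    out = [TABLE_MARK] if table else []
    i = 0
    while i < len(name):
        a = CHARSET.find(name[i])
        b = CHARSET.find(name[i + 1]) if i + 1 < len(name) else -1
        if a < 0:                          # character outside the alphabet is kept verbatim
            out.append(name[i]); i += 1
        elif b >= 0:
            out.append(chr(0x3800 + a + (b << 6))); i += 2
        else:
            out.append(chr(0x4800 + a)); i += 1
    return "".join(out)


HIGH_VALUE_TABLES = {"CustomAction", "InstallExecuteSequence", "Binary", "Property"}


def triage_streams(stream_names):
    """Decode all stream names and point the analyst at what to open first."""
    decoded = [decode_stream_name(n) for n in stream_names]
    tables = sorted(d[1:] for d in decoded if d.startswith("!"))
    # Rows of the Binary table live in their own streams named "Binary.<Name>":
    # that is where a DLL/EXE/script launched by a custom action is embedded.
    payloads = sorted(d for d in decoded if d.startswith("Binary."))
    return {"tables": tables, "embedded_binaries": payloads,
            "review_first": sorted(set(tables) & HIGH_VALUE_TABLES)}


CA_KIND = {1: "DLL", 2: "EXE", 3: "text/formatted data", 5: "JScript", 6: "VBScript", 7: "nested MSI"}
CA_SOURCE = {0x00: "Binary table stream", 0x10: "installed file",
             0x20: "directory/inline text", 0x30: "property value"}


def describe_custom_action_type(t: int) -> dict:
    """Expand the CustomAction.Type bit field (msidbCustomActionType* flags)."""
    return {
        "kind": CA_KIND.get(t & 0x07, "unknown"),
        "source": CA_SOURCE.get(t & 0x30, "unknown"),
        "deferred": bool(t & 0x400),        # executed from the install script, after the UI
        "no_impersonate": bool(t & 0x800),  # deferred + no impersonation = runs as SYSTEM
        "ignore_exit_code": bool(t & 0x40),
        "async": bool(t & 0x80),
    }


SAMPLE_STREAMS = [  # constructed: what listdir() could return for a small package
    "\x05SummaryInformation",
    encode_stream_name("_Tables", table=True),
    encode_stream_name("_StringPool", table=True),
    encode_stream_name("_StringData", table=True),
    encode_stream_name("Property", table=True),
    encode_stream_name("InstallExecuteSequence", table=True),
    encode_stream_name("CustomAction", table=True),
    encode_stream_name("Binary", table=True),
    encode_stream_name("Binary.launcher"),
]

if __name__ == "__main__":
    for key, val in triage_streams(SAMPLE_STREAMS).items():
        print(f"{key}: {val}")
    # 3074 = 2 (EXE) + 0x400 (deferred) + 0x800 (no impersonate): an EXE taken
    # from the Binary table and executed as SYSTEM during the install script.
    print(describe_custom_action_type(3074))
```

Once the names are decoded, the streams named `Binary.<Name>` can be dumped straight to disk and hashed, and the rows of the CustomAction table tell you which of them are executed, with which privileges, and whether the Target column carries an inline VBScript/JScript body (type 37/38).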
Persistence is implemented with a scheduled task that extracts the payload again from the "steam.jpg" JPEG image. That image also hides a second piece of malware, decrypted with the same technique; this time it is a RedLine stealer[6] (SHA256: 38c233b38ef1838666ce7204f41349d0ba9431ea4b23fdb05f915cc7a09ff7be).
To sum up, do not blindly trust MSI packages: a low VT score on the container and an installer that refuses to run in a sandbox say nothing about what its custom actions would execute. Like any application, download them only from trusted sources.