
Com TW NOw News 2024

Chinese Threat Actors Use MSI Files to Bypass Windows and VT Detection
Chinese hackers are abusing the Windows Installer (MSI) file format to bypass standard security checks.

Hackers are known to distribute malware in the same well-known formats: executables, archives, Microsoft Office files, and so on. A new malware loader, which targets Chinese and Korean speakers and has been dubbed “UULoader” by Cyberint researchers, comes in the slightly less common MSI form factor.

In fact, Cyberint is not the only vendor to have observed an increase in malicious MSIs from Asia this summer. The emerging trend may be due in part to a number of new stealth tactics that allow threat actors to work around the format's shortcomings and capitalize on its strengths.

“It’s not really common, (since) malicious MSI files are pretty easily flagged by static scanners,” Cyberint security researcher Shaul Vilkomir Preisman explains. “But if you use some clever little tricks — like stripping file headers, using a sideloader, things like that — you can get through it.”

The stealth mechanisms of UULoader

The unknown but likely Chinese threat actor behind UULoader seems to be distributing it primarily through phishing emails, disguising it as an installer for a legitimate app like AnyDesk (which could indicate enterprise targeting), or as an update for an app like Google Chrome.

This should immediately raise red flags on any Windows system, as UULoader is not signed and trusted like a legitimate app would be. To get around that, Preisman says, “it uses several fairly simple static evasion mechanisms such as file header stripping and DLL sideloading, the combination of which makes it virtually invisible to most static scanners at first glance.”

The first few bytes of a file are like a nametag, telling the operating system and applications what kind of file they’re dealing with. UULoader removes that header — “MZ” in this case — from core executable files, preventing them from being classified as the kind of files a security program might be interested in. It works, Preisman says, because “in an effort to be less susceptible to false positives, static scanners ignore the things they can’t classify, and essentially do nothing with them.”

So why doesn’t every malware do this? Because “when you strip file headers, you have to find a way to somehow reassemble the file so that it will run on your victim’s machine,” he notes. UULoader does that with two single-byte files that correspond to the characters “M” and “Z.” With a simple command, the two letters are essentially made to retrofit a name tag, and the programs can function as needed.
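The reassembly trick above relies on static scanners skipping anything they cannot classify. A defender can close that gap by recognizing a PE body even when its "MZ" magic is absent: the e_lfanew pointer at offset 0x3C, the "PE\0\0" signature and the optional-header magic all survive header stripping. The following Python is an added example, not Cyberint's code or a UULoader artifact; the PE image it checks against is constructed inline and the file names are hypothetical.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"
OPTIONAL_HEADER_MAGICS = (0x10B, 0x20B)  # PE32, PE32+

def pe_layout_ok(data: bytes) -> bool:
    """True if `data` is laid out like a PE image, judged without the MZ magic:
    e_lfanew (offset 0x3C) must point at "PE\\0\\0", followed by the 20-byte
    COFF header and a valid optional-header magic. Bounds are conservative."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 26 > len(data):
        return False
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return opt_magic in OPTIONAL_HEADER_MAGICS

def classify(data: bytes) -> str:
    """Classify a blob that a magic-byte scanner would otherwise skip as unknown."""
    if data[:2] == b"MZ":
        return "pe" if pe_layout_ok(data) else "other"
    # Case 1: the two magic bytes were cut off, so the body starts at original
    # offset 2; prepending "MZ" restores a well-formed image (the MSI trick).
    if pe_layout_ok(b"MZ" + data):
        return "pe-missing-mz"
    # Case 2: the magic was overwritten in place; offsets are unchanged.
    if pe_layout_ok(data):
        return "pe-overwritten-mz"
    return "other"

def build_minimal_pe() -> bytes:
    """Constructed sample: a minimal, non-runnable PE32 image used as test input."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    optional = struct.pack("<H", 0x10B) + b"\x00" * 0xDE
    return bytes(dos) + PE_SIGNATURE + coff + optional

if __name__ == "__main__":
    image = build_minimal_pe()
    for label, blob in (("intact.exe", image), ("body.bin", image[2:]),
                        ("zeroed.bin", b"\x00\x00" + image[2:]), ("notes.txt", b"hello")):
        print(f"{label:12s} -> {classify(blob)}")
```

Any file classified as "pe-missing-mz" or "pe-overwritten-mz" inside an installer package is worth a closer look, since a benign MSI has no reason to carry a PE body without its header.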

UULoader piles on a few more tricks to confuse its victim. First, it executes a legitimate decoy file — for example, the real Chrome installer it claimed to be in the first place. It also executes a VBScript (VBS) that registers the folder it creates as an exclusion in Microsoft Defender.

All in all, the stealth mechanisms could explain why the first detections on VirusTotal last month returned completely harmless results. “The first time they’re seen, nobody detects these samples. It’s only after they’ve been around for a while — a few days, and sandboxes have actually had time to process them — that detections on these samples start to go up,” Preisman says.

MSIs in Southeast Asia

At the end of the infection chain, UULoader was observed delivering Gh0stRAT and additional hacking tools such as Mimikatz. And because these tools are so widely popular and applicable to different types of attacks, the exact nature and purpose of these infections are still unknown.

Gh0stRAT is a widely used commercial hacking tool in Chinese circles, where MSI usage appears to be increasing.

“We’re seeing it particularly in Southeast Asia,” Preisman reports, “particularly in the last month, where we’ve seen quite a significant increase. We’ve seen five, 10, maybe 20 cases in a week, and there’s been a significant increase — maybe double that — in the last month.”

Perhaps it will remain that way until MSI files gain the same prominence as other file types.

“These days,” he says, “most users are a little more suspicious of a Word document or a PDF. Windows installers are not really common, but they are a clever way to bundle malware.”