WhatsApp malware campaign uses malicious VBS files to gain persistent access

MSI as the backdoor vehicle for persistence: The final stages of the campaign lead to persistence, using Microsoft Installer (MSI) packages as the delivery mechanism for backdoors. MSI files are an effective choice as they are not usually treated as inherently suspicious and can execute custom actions during installation. In this campaign, they are used to deploy malware that maintains access, escalates privileges, and enables remote control of infected systems.

By the time the MSI component is installed, the attackers have already established a foothold using scripts and system tools, making the backdoor just one layer in a broader persistence strategy found by Microsoft. The earlier stages ensure the environment is prepared, while the installer formalizes long-term access.

Microsoft also noted that the campaign incorporates privilege escalation to strengthen persistence, enabling malware to run with elevated privileges and maintain access beyond the initial user-level compromise. Recommendations included monitoring scripts and installer execution, watching for misuse of legitimate tools, and tracking suspicious activity tied to files delivered through platforms like WhatsApp.
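One way to act on the recommendation to monitor script and installer execution together, as an added example that is not from the article or from Microsoft: it correlates a VBS launch from a user-writable path with an MSI install on the same host shortly afterwards. The event fields, the path list, the 30-minute window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment
# Assumption: user-writable locations where a delivered attachment would be saved.
USER_PATH = re.compile(r"\\(downloads|appdata|temp)\\", re.I)
MSI_INSTALL = re.compile(r"(?:^|\s)[/-](?:i|package)\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_vbs_launch(ev):
    return (basename(ev["image"]) in SCRIPT_HOSTS
            and ".vbs" in ev["cmd"].lower()
            and USER_PATH.search(ev["cmd"]) is not None)

def is_msi_install(ev):
    return basename(ev["image"]) == "msiexec.exe" and MSI_INSTALL.search(ev["cmd"]) is not None

def correlate(events):
    """Return (host, vbs_cmd, msi_cmd) for each MSI install that follows a
    user-path VBS launch on the same host within WINDOW."""
    alerts, last_vbs = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_vbs_launch(ev):
            last_vbs[ev["host"]] = ev
        elif is_msi_install(ev):
            prior = last_vbs.get(ev["host"])
            if prior and ev["time"] - prior["time"] <= WINDOW:
                alerts.append((ev["host"], prior["cmd"], ev["cmd"]))
    return alerts

def _ev(ts, host, image, cmd):
    return {"time": datetime.fromisoformat(ts), "host": host, "image": image, "cmd": cmd}

# Constructed process-creation events (hypothetical hosts, users and file names).
SAMPLE = [
    _ev("2025-01-10T09:00:00", "WS-01", r"C:\Windows\System32\wscript.exe",
        r'wscript.exe "C:\Users\alice\Downloads\document.vbs"'),
    _ev("2025-01-10T09:04:10", "WS-01", r"C:\Windows\System32\msiexec.exe",
        r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\setup.msi" /qn'),
    _ev("2025-01-10T09:05:00", "WS-02", r"C:\Windows\System32\msiexec.exe",
        r'msiexec.exe /i "C:\Software\agent.msi"'),  # no preceding script
    _ev("2025-01-10T11:00:00", "WS-03", r"C:\Windows\System32\cscript.exe",
        r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),  # system path, ignored
    _ev("2025-01-10T11:01:00", "WS-03", r"C:\Windows\System32\msiexec.exe",
        r'msiexec.exe /i "C:\Software\agent.msi"'),
]
```

Calling `correlate(SAMPLE)` flags only the WS-01 pair; the standalone install on WS-02 and the system-path script on WS-03 are not alerted.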

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4153092/whatsapp-malware-campaign-uses-malicious-vbs-files-to-gain-persistent-access.html
