A Malware Strain Uses the Windows Installer and Self Destructs to Elude Detection

A new strain of malware, detected as Trojan.BAT.TASKILL.AA, installs a cryptocurrency miner on a victim's system and uses a Windows Installer MSI file to avoid detection and security filters. It then hides in the AppData folder, which is normally hidden. It password-protects some of the folders it uses to further obfuscate its purpose, and it copies some Windows files to the miner's installation folder to make the folder structure look official. It can re-download itself if deleted, and it comes with a self-destruct mechanism to limit analysis of the malware files. It even uses the Windows Installer builder WiX as an additional anti-detection layer.



To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism. First, it creates and executes the following file: {Random Characters}.cmD
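The behaviours described above (an MSI installed from AppData, Windows binaries copied into an AppData folder, and a randomly named .cmd script run from AppData) translate into simple process-creation heuristics. The following is an added example, not code from the article or its source; the Sysmon-style events, the list of system binary names and the "random-looking name" rule are all constructed assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\AppData\Local\Temp\update.msi /qn"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\bob\AppData\Roaming\x7Kq9ZpL.cmD"},
    {"image": r"C:\Users\bob\AppData\Roaming\Installer\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r"app.exe --update"},
]

APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)
# Illustrative names of Windows binaries that should not normally run from AppData.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "conhost.exe", "msiexec.exe"}
# First non-quoted token ending in .cmd (case-insensitive) on a command line.
SCRIPT = re.compile(r'[^\s"]+\.cmd\b', re.IGNORECASE)


def looks_random(stem):
    """Assumed heuristic: >= 6 chars mixing digits, upper and lower case."""
    return (len(stem) >= 6 and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem) and any(c.islower() for c in stem))


def analyse(event):
    """Return the list of heuristic names that fire for one event."""
    image, cmdline = event["image"], event["cmdline"]
    name = PureWindowsPath(image).name.lower()
    findings = []
    if name == "msiexec.exe" and APPDATA.search(cmdline):
        findings.append("msi_from_appdata")          # installer staged under AppData
    if APPDATA.search(image) and name in SYSTEM_NAMES:
        findings.append("system_name_in_appdata")    # copied Windows file in miner folder
    if name == "cmd.exe":
        m = SCRIPT.search(cmdline)
        if m and APPDATA.search(m.group(0)) and looks_random(PureWindowsPath(m.group(0)).stem):
            findings.append("random_cmd_script_in_appdata")  # self-destruct style script
    return findings


def triage(events):
    """Map event index -> findings, keeping only events that fired."""
    return {i: f for i, e in enumerate(events) if (f := analyse(e))}
```

Each heuristic is noisy on its own (installers in Temp are common); the signal is the combination on one host within a short window.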

Source: [H]ardOCP – A Malware Strain Uses the Windows Installer and Self Destructs to Elude Detection
