A Malware Strain Uses the Windows Installer and Self Destructs to Elude Detection

Posted by cageymaru 4:34 PM (CST)

Thursday November 08, 2018

A new strain of malware, detected as Coinminer.Win32.MALXMR.TIAOODAM, installs a cryptocurrency miner on a victim's system and uses a Windows Installer MSI file to slip past security filters. It then hides in the AppData folder, which is hidden by default. It password protects some of the folders it uses to further obfuscate its purpose, and it copies some Windows files into the miner's installation folder to make the folder structure look official. It can redownload itself if deleted, and it comes with a self-destruct mechanism to limit analysis of the malware files. It was even built with the Windows Installer toolset WiX, which serves as an additional anti-detection layer.

To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism. First, it creates and executes a file named {Random Characters}.cmD, a self-delete command-line script. It then deletes every file under its installation directory and removes any trace of the installation from the system.
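The two behaviours above, an MSI installed from a user-writable AppData path and a short batch file that deletes itself, are cheap to hunt for. The script below is an added example written for this post, not code from the article or from Trend Micro's report: it runs the two checks over constructed log records. The MsiInstaller event ID (1040) and message layout are assumed from the Windows Application log, the sample paths and batch contents are made up, and the random-name heuristic the article mentions is deliberately left out.

```python
"""Hunt for MSI installs under AppData and self-deleting .cmd/.bat files.

Added example for this post, not the article's or Trend Micro's code.
Assumptions (constructed for the example):
  * MsiInstaller event 1040 carries "Beginning a Windows Installer transaction: <path>".
  * Sample events and batch contents below are made up.
"""
import re
from pathlib import PureWindowsPath

# Assumed shape of an MsiInstaller 1040 message; captures the .msi path lazily so the
# trailing "Client Process Id" text is not swallowed.
_MSI_TXN = re.compile(
    r"Windows Installer transaction:\s*(?P<path>[^\r\n]+?\.msi)\b", re.IGNORECASE
)

# Classic batch self-delete idioms: del/erase of %0 or %~f0 (the script's own path).
_SELF_DELETE = re.compile(r"\b(?:del|erase)\b[^\r\n]*(?:%~f0|%0)\b", re.IGNORECASE)

# Constructed Application-log records (dicts stand in for parsed EVTX events).
SAMPLE_EVENTS = [
    {"source": "MsiInstaller", "id": 1040,
     "message": "Beginning a Windows Installer transaction: "
                "C:\\Users\\alice\\AppData\\Roaming\\x7f3k9\\installer.msi. "
                "Client Process Id: 4120."},
    {"source": "MsiInstaller", "id": 1040,
     "message": "Beginning a Windows Installer transaction: "
                "C:\\Users\\alice\\Downloads\\7z1806-x64.msi. Client Process Id: 3300."},
    {"source": "Service Control Manager", "id": 7045,
     "message": "A service was installed in the system."},
]

# Constructed self-delete script, named in the malware's {Random Characters}.cmD style.
SAMPLE_CMD_NAME = "aB3kz.cmD"
SAMPLE_CMD = (
    "@echo off\r\n"
    "del /f /q \"%APPDATA%\\x7f3k9\\*.*\"\r\n"
    "del /f /q \"%~f0\"\r\n"
)


def under_appdata(path: str) -> bool:
    """True when any path component is AppData (Roaming, Local or LocalLow)."""
    return "appdata" in (p.lower() for p in PureWindowsPath(path).parts)


def flag_msi_events(events) -> list:
    """Return .msi paths from MsiInstaller 1040 events that live under AppData."""
    hits = []
    for ev in events:
        if ev.get("source") != "MsiInstaller" or ev.get("id") != 1040:
            continue
        m = _MSI_TXN.search(ev.get("message", ""))
        if m and under_appdata(m.group("path")):
            hits.append(m.group("path"))
    return hits


def is_self_deleting_batch(name: str, content: str) -> bool:
    """True for a .cmd/.bat file (extension matched case-insensitively, so .cmD
    counts) whose body deletes its own path via %0 or %~f0."""
    if not name.lower().endswith((".cmd", ".bat")):
        return False
    return bool(_SELF_DELETE.search(content))


if __name__ == "__main__":
    for path in flag_msi_events(SAMPLE_EVENTS):
        print("MSI installed from user-writable AppData path:", path)
    if is_self_deleting_batch(SAMPLE_CMD_NAME, SAMPLE_CMD):
        print("Self-deleting batch file:", SAMPLE_CMD_NAME)
```

The MSI check is intentionally narrow: legitimate per-user installers (some updaters unpack to AppData\Local\Temp) will also trigger it, so treat a hit as a lead to pivot on, pairing it with the product name in the matching 11707 event and with any new miner-like process, rather than as a verdict on its own.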