Beware of Weaponized MSI Installer Mimicking WhatsApp That Delivers Modified XWorm RAT
Cybersecurity professionals across East and Southeast Asia are facing a sophisticated new threat as China-linked attackers deploy a weaponized MSI installer disguised as a legitimate WhatsApp setup package.
This malicious campaign represents a significant escalation in social engineering tactics, leveraging the popularity and trust associated with the widely-used messaging platform to infiltrate corporate and personal systems.
The attack demonstrates advanced technical sophistication through its multi-layered approach to malware deployment and system compromise.
The threat actors have crafted an elaborate attack chain that begins with the distribution of trojanized MSI installers, carefully designed to mimic authentic WhatsApp installation packages.
Broadcom analysts identified this campaign as particularly concerning due to its targeted nature and the advanced techniques employed to evade traditional security measures.
The malware employs encrypted shellcode embedded within seemingly innocuous image files, making initial detection significantly more challenging for conventional antivirus solutions.
Once executed, the malicious installer deploys PowerShell scripts that establish persistence through scheduled tasks, ensuring the malware maintains its foothold on infected systems even after reboots.
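Scheduled tasks are the persistence mechanism named above, so the practical response is to triage task definitions for PowerShell actions with the argument shapes that loaders typically use. The following is an added example written for this article; it is not code from the campaign, from Broadcom, or from Symantec. It assumes Windows stores each registered task as an XML file under C:\Windows\System32\Tasks (the `Exec` action's `Command` and `Arguments` elements show what actually runs), and the task XML and the encoded payload below are constructed for illustration.

```python
"""Hunt scheduled-task definitions for PowerShell-based persistence.

Added example, not code from the campaign or the vendor report. Windows keeps
one XML file per registered task under C:\\Windows\\System32\\Tasks; each
<Exec> action's <Command>/<Arguments> show what runs. The task XML and the
-EncodedCommand payload below are constructed for illustration.
"""
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Argument patterns a defender would flag on a PowerShell task action.
SUSPICIOUS_PATTERNS = {
    "encoded_command": r"-e(?:nc(?:odedcommand)?)?\s",      # -e / -enc / -EncodedCommand
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "policy_bypass": r"-(?:ep|executionpolicy)\s+bypass",
    "download_cradle": r"downloadstring|invoke-webrequest|frombase64string",
    "user_profile_script": r"\\users\\[^\\]+\\appdata\\",    # script staged in a profile dir
}

ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments: str):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_task(xml_text: str) -> dict:
    """Parse one task definition and report PowerShell actions with suspicious arguments."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.iter(f"{{{TASK_NS}}}Exec"):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if not re.search(r"powershell|pwsh", command, re.I):
            continue
        # Match against the decoded payload too, so -enc does not hide the indicators.
        decoded = decode_encoded_command(arguments)
        haystack = f"{command} {arguments} {decoded or ''}".lower()
        hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, haystack)]
        findings.append({"command": command, "arguments": arguments,
                         "decoded": decoded, "indicators": hits})
    boot = (root.find(".//t:BootTrigger", NS) is not None
            or root.find(".//t:LogonTrigger", NS) is not None)
    return {"runs_at_boot_or_logon": boot,
            "suspicious": any(f["indicators"] for f in findings),
            "findings": findings}


# --- constructed samples (hypothetical paths, not indicators from the article) ---
SAMPLE_PLAINTEXT = r"& 'C:\Users\alice\AppData\Roaming\WhatsApp\loader.ps1'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16le")).decode("ascii")

SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -enc {SAMPLE_B64}</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, task in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task(task))
```

On a live host the same function can be fed every file under the Tasks directory (they are small and plain XML), and the `runs_at_boot_or_logon` flag combined with one or more indicators is a reasonable first-pass triage signal; a hit still needs an analyst to confirm what the script does.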
The final payload represents a heavily modified version of the XWorm Remote Access Trojan, enhanced with specialized functions designed to detect Telegram installations on compromised systems.
This modification suggests the attackers are specifically interested in monitoring communications platforms, potentially for espionage or further social engineering attacks.
The campaign’s technical sophistication extends to its communication infrastructure, where infected systems report back to command-and-control servers through Telegram-based mechanisms, effectively using legitimate messaging platforms to mask malicious traffic.
Advanced Infection Mechanism and Evasion Techniques
The malware’s infection mechanism demonstrates remarkable technical complexity through its use of encrypted shellcode loaders embedded within image files.
This technique, known as steganography, allows the malicious code to hide in plain sight by concealing executable content within the pixel data of seemingly harmless images.
The shellcode loaders are designed to extract and execute the encrypted payload only when specific conditions are met, making dynamic analysis more difficult for security researchers.
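The paragraph above describes payloads carried inside image files. The cheapest checks a defender can run on a suspect image are structural: bytes appended after the PNG `IEND` chunk, and chunk types that are not part of the PNG standard. The following is an added example written for this article, not code from the campaign or from Broadcom; it implements only those structural checks (true pixel-level steganography, where the payload is spread across pixel bits, is not detected this way and needs the original image or statistical tests). The PNG and the appended blob are constructed in memory, and the `shEl` chunk name is a made-up stand-in for a private chunk.

```python
"""Triage a PNG for payload smuggling: data after IEND or in non-standard chunks.

Added example, not code from the campaign or the vendor report. The sample PNG
and the appended high-entropy blob are constructed in memory.
"""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "cHRM", "sRGB", "iCCP",
    "tEXt", "zTXt", "iTXt", "bKGD", "pHYs", "sBIT", "sPLT", "hIST", "tIME", "eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_png(blob: bytes) -> dict:
    """Walk the chunk list up to IEND and describe anything that does not belong."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG (bad signature)")
    pos = len(PNG_SIG)
    chunks, bad_crc, found_iend = [], [], False
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):           # truncated chunk: stop, treat the rest as trailing
            break
        name = ctype.decode("ascii", "replace")
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        chunks.append(name)
        pos = end
        if ctype == b"IEND":
            found_iend = True
            break
    trailing = blob[pos:]                      # a decoder ignores this; a loader may not
    unknown = sorted(set(chunks) - STANDARD_CHUNKS)
    return {
        "chunks": chunks,
        "found_iend": found_iend,
        "bad_crc": bad_crc,
        "unknown_chunks": unknown,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 3),
        "trailing_is_pe": trailing.startswith(b"MZ"),
        "suspicious": bool(trailing) or bool(unknown) or not found_iend,
    }


# --- constructed sample input -------------------------------------------------
def _chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def make_png(trailing: bytes = b"", extra_chunk=None) -> bytes:
    """Build a minimal valid 1x1 RGB PNG, optionally with an extra chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one RGB pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if extra_chunk:
        body += _chunk(*extra_chunk)
    return PNG_SIG + body + _chunk(b"IEND", b"") + trailing


# Stand-in for an encrypted blob: every byte value equally often, entropy exactly 8.0.
FAKE_ENCRYPTED_BLOB = bytes(range(256)) * 8
CLEAN_PNG = make_png()
APPENDED_PNG = make_png(trailing=FAKE_ENCRYPTED_BLOB)
HIDDEN_CHUNK_PNG = make_png(extra_chunk=(b"shEl", FAKE_ENCRYPTED_BLOB))

if __name__ == "__main__":
    for label, png in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("hidden chunk", HIDDEN_CHUNK_PNG)):
        print(label, triage_png(png))
```

Both smuggling styles leave an image that still opens normally, which is why a viewer or a thumbnail check says nothing; the `trailing_entropy` value is what separates a harmless appended EXIF or comment from an encrypted blob, and `bad_crc` catches blobs written into chunks without recomputing the checksum.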
Symantec’s protection systems have identified multiple detection signatures including Trojan.Gen.MBT and various heuristic identifiers such as the Heur.AdvML.A series, indicating the malware’s sophisticated evasion capabilities.