Recently, we discovered CVE-2017-11882 being exploited again in an attack that uses an uncommon method of installation—via the Windows Installer service in Microsoft Windows operating systems.
Post from: Trendlabs Security Intelligence Blog - by Trend Micro
Attack Using Windows Installer msiexec.exe leads to LokiBot