diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 323d407ed86..c25aeb5acf4 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -64,6 +64,7 @@ - [Discord Cache Forensics](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md) - [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md) - [Mach O Entitlements And Ipsw Indexing](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/mach-o-entitlements-and-ipsw-indexing.md) + - [Msi File Analysis Customaction](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md) - [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md) - [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md) - [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md) @@ -84,6 +85,7 @@ - [Web Requests](generic-methodologies-and-resources/python/web-requests.md) - [Bruteforce hash (few chars)](generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md) - [Basic Python](generic-methodologies-and-resources/python/basic-python.md) + - [Youtube Platform Abuse Malware Distribution](generic-methodologies-and-resources/phishing-methodology/youtube-platform-abuse-malware-distribution.md) - [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md) - [Blockchain & Crypto](blockchain/blockchain-and-crypto-currencies/README.md) - [Mutation Testing With Slither](blockchain/smart-contract-security/mutation-testing-with-slither.md) 
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md index 72690f3a067..ac3f153d823 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md @@ -35,6 +35,11 @@ pdf-file-analysis.md {{#endref}} +{{#ref}} +msi-file-analysis-customaction.md +{{#endref}} + + {{#ref}} structural-file-format-exploit-detection.md {{#endref}} diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md new file mode 100644 index 00000000000..269e4c3ee1a --- /dev/null +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md 
@@ -0,0 +1,92 @@ +# MSI Installer CustomAction Analysis + +{{#include ../../../banners/hacktricks-training.md}} + +Windows Installer packages (MSI) are relational databases of tables that drive install logic. Malicious actors abuse MSI CustomActions to execute staged droppers/loaders during installation while keeping static detections low. This page shows how to quickly triage MSIs and reconstruct execution chains using lessmsi. + +## Quick background +- Tables of interest: + - CustomAction: defines actions (DLL/EXE/script) and their command lines (Target) and sources. + - InstallExecuteSequence: specifies the execution order for actions. + - File/Component/Feature: map logical keys to on-disk filenames and install locations. + - Binary: embedded streams referenced by CustomActions (e.g., DLLs/EXEs run from memory or temp). + +## Tooling: lessmsi CLI +Install via Chocolatey or download a release. Core commands: + +```powershell +# Extract files (trailing backslash required for output dir) +lessmsi x .\sample.msi .\out\ + +# List any MSI table as CSV to stdout +lessmsi l -t CustomAction .\sample.msi +lessmsi l -t InstallExecuteSequence .\sample.msi +lessmsi l -t File .\sample.msi +lessmsi l -t Component .\sample.msi +lessmsi l -t Binary .\sample.msi +``` + +## Triage workflow +1) Enumerate CustomActions + +```powershell +lessmsi l -t CustomAction .\sample.msi +``` + +- Focus on actions whose `Type` implies launching EXE/script or loading a DLL. +- Inspect the `Target` for command lines that drop/launch staged payloads. + +2) Map files referenced by actions + +```powershell +# Find referenced filenames and their logical keys +lessmsi l -t File .\sample.msi | findstr /i "\.exe\|\.bat\|\.vbs" +lessmsi l -t Component .\sample.msi > components.csv +``` + +- Use the `File`/`Component` mapping to locate dropped executables in the extracted `out/` tree. 
+ +3) Understand execution timing + +```powershell +lessmsi l -t InstallExecuteSequence .\sample.msi | sort +``` + +- Identify where the suspicious CustomAction runs (e.g., between `InstallInitialize` and `InstallFinalize`). +- Look for immediate actions that execute before files are committed. + +4) Check embedded streams + +```powershell +lessmsi l -t Binary .\sample.msi +``` + +- If a CustomAction `Source` points to the `Binary` table, extract the stream (via GUI or a generic MSI stream dumper) and analyze it. + +5) Reconstruct the loader chain +- Many stealer campaigns use: `MSI (CustomAction) → stage-1 EXE (loader, e.g., HijackLoader) → final stealer (e.g., Rhadamanthys)`. +- Confirm by statically inspecting the stage-1 EXE and observing network beacons after detonation. + +## Execution tracing tip (runtime) +Enable verbose installation logs to observe the CustomAction being invoked: + +```powershell +msiexec /i .\sample.msi /l*v install.log +``` + +Search for the CustomAction name in `install.log` to confirm invocation order and parameters. + +## Heuristics that often indicate a malicious MSI +- Low VT score but non-trivial `CustomAction` launching an EXE from `%TEMP%`, `%APPDATA%`, or a random subfolder. +- `Binary`-backed actions executing opaque payloads without installing legitimate products. +- Archives ship a plausible cracked installer alongside the MSI to maintain legitimacy. + +See also platform-abuse delivery via YouTube and end-to-end chain examples: +- [YouTube Platform Abuse for Malware Distribution](../../phishing-methodology/youtube-platform-abuse-malware-distribution.md) + +## References + +- [lessmsi – MSI extractor and table viewer](https://github.com/activescott/lessmsi) +- [Dissecting YouTube’s Malware Distribution Network (Check Point Research)](https://research.checkpoint.com/2025/youtube-ghost-network/) + +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file 
diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index 5aef3874ba4..1c00c194839 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md @@ -616,6 +616,13 @@ Defence tips: - Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content. - Alert on suspicious 500 responses following `POST /detect` on newly registered domains. +## Platform Abuse – YouTube Malware Distribution +Coordinated crews weaponize YouTube descriptions, pinned comments, and Community posts to drive victims to shortlinks that resolve to Google Sites/Blogspot/Telegraph pages with the archive password and final file-host mirrors. Packaging uses large, passworded archives and rapid link/C2 rotation. See: + +{{#ref}} +youtube-platform-abuse-malware-distribution.md +{{#endref}} + ## References - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/) @@ -625,5 +632,4 @@ Defence tips: - [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/) - [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/) -{{#include ../../banners/hacktricks-training.md}} - +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/generic-methodologies-and-resources/phishing-methodology/youtube-platform-abuse-malware-distribution.md b/src/generic-methodologies-and-resources/phishing-methodology/youtube-platform-abuse-malware-distribution.md new file mode 100644 index 00000000000..e4c3b543ea2 --- /dev/null 
+++ b/src/generic-methodologies-and-resources/phishing-methodology/youtube-platform-abuse-malware-distribution.md 
@@ -0,0 +1,75 @@ +# YouTube Platform Abuse for Malware Distribution + +{{#include ../../banners/hacktricks-training.md}} + +Threat actors operate coordinated, role-based networks to weaponize YouTube features for at-scale malware delivery without exploiting CVEs. The tradecraft relies on social engineering, platform feature abuse, and packaging/hosting evasion. + +## Operator roles ("Ghost Network" model) +- Video-accounts: upload lures (game cheats, software cracks), seed/refresh external links in descriptions or as pinned comments, and reply to comments to build trust. +- Post-accounts: post in the Community tab with the shortlink and the archive password; rotate both periodically. +- Interact-accounts: inflate ranking/legitimacy by liking and leaving positive comments. + +This separation gives resiliency: bans on one node do not halt distribution. + +## Delivery patterns on YouTube +- Link placement: description, pinned comment, replies, or shown only during an “installation” segment inside the video. Often mirrored via Community posts. +- Redirect chain: shortener → Google Sites/Blogspot/Telegraph (`telegra.ph`) page revealing the password (frequently `1337`) → file-sharing host (MediaFire/Dropbox/Google Drive) → final payload. +- Social engineering: landing pages instruct the user to disable Windows Defender temporarily to prevent “false positives.” + +Example text commonly seen on landing pages: + +``` +Turn off Windows Defender temporarily +Don't worry — the archive is clean. Defender may trigger a false alert due to the way Setup.exe works with installations. +``` + +## Packaging and evasion +- Password-protected archives to block engine inspection and content preview; frequent password reuse (e.g., `1337`). +- Oversized archives to bypass automatic scanning limits and “no-scan due to size” behaviours on file hosts. 
+- Redundant mirrors (same file hosted in multiple platforms) and frequent refresh (every 3–4 days) of links, archives, and C2s to defeat reputation and signature accumulation. +- Masquerading: archives contain a plausible cracked installer plus a staged dropper/loader. + +See also ZIP analysis and anti-reversing notes: [ZIPs tricks](../basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md). + +Families observed: Lumma (historic), Rhadamanthys, StealC, RedLine, 0debug/Phemedrone variants; loaders include HijackLoader and NodeJS-based stages. + +## Loader → stealer via MSI CustomAction +A common pattern is an MSI where a CustomAction launches a stage-1 EXE (e.g., `bw97v41m.exe`), which drops/renames to a loader (e.g., `Remote-Vector32.exe`, HijackLoader) and then fetches/loads the infostealer (e.g., Rhadamanthys). + +Analysts can reconstruct the chain by extracting files and inspecting MSI tables with lessmsi: + +```powershell +# Extract files +lessmsi x .\Set-Up.msi .\out\ + +# List tables of interest +lessmsi l -t CustomAction .\Set-Up.msi # Actions, Type, Target command +lessmsi l -t InstallExecuteSequence .\Set-Up.msi # Order of execution +lessmsi l -t File .\Set-Up.msi # Map file keys → filenames +lessmsi l -t Component .\Set-Up.msi # File/component mapping +lessmsi l -t Binary .\Set-Up.msi # Embedded streams referenced by CustomAction +``` + +- Identify the CustomAction invoking an EXE or script and its `Target` (command line). +- Map the referenced file from the `File`/`Component` tables to the actual dropped path in the extracted payloads. +- Use `InstallExecuteSequence` to position when the action runs. + +See also detailed triage: MSI CustomAction analysis steps and table interpretation in [MSI Installer CustomAction Analysis](../basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md). 
+ +## Hunting and detection ideas +- Web telemetry: shorteners resolving to `sites.google.com`, `blogspot.*`, or `telegra.ph` that then redirect to file-sharing direct-download links (e.g., Dropbox `?dl=1`, MediaFire “download.php”). +- Monitor downloads of password-protected archives followed by users disabling Defender/AV services; flag pages instructing Defender disablement. +- Alert on repeated large archive downloads from new accounts/domains, especially with rapid link rotation cadence (~3–4 days). +- Egress: look for infostealer C2 patterns following an installation from consumer file hosts. + +## Red-team notes (platform abuse TTPs) +- Seed and mirror links in descriptions, pinned comments, and Community posts; rotate archive and password regularly. +- Hide the password on a Google Sites/Blogspot/Telegraph page and then point to multiple file-host mirrors for resilience. +- Ship a legitimate-looking installer alongside a staged dropper/loader; use large, passworded archives to blunt automated analysis. + +## References + +- [Dissecting YouTube’s Malware Distribution Network (Check Point Research)](https://research.checkpoint.com/2025/youtube-ghost-network/) +- [lessmsi – MSI extractor and table viewer](https://github.com/activescott/lessmsi) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
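Review bot: In the second SUMMARY.md hunk the new `Youtube Platform Abuse Malware Distribution` entry is inserted between `Basic Python` and `Threat Modeling`, i.e. inside the python sub-list, although its path is `generic-methodologies-and-resources/phishing-methodology/...`; move it under the phishing-methodology entry so the sidebar nesting matches the directory. In the first hunk the title `Msi File Analysis Customaction` does not match the page's own H1 (`MSI Installer CustomAction Analysis`); use the H1 wording for both new entries (and `YouTube`, not `Youtube`) for consistency with neighbouring entries such as `PDF File analysis`.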
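Review bot: The README.md hunk for specific-software-file-type-tricks adds two blank `+` lines after the new `{{#endref}}` on top of the existing blank line, leaving three consecutive blank lines before the `structural-file-format-exploit-detection.md` ref; drop one of the added blanks so the spacing matches the other ref blocks in the file.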
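Review bot: Two of the triage commands in the new msi-file-analysis-customaction.md do not do what the surrounding text says. In step 2, `findstr /i "\.exe\|\.bat\|\.vbs"` will not match any of the three extensions: findstr has no `|` alternation, `\|` is an escaped literal pipe, so the pattern only matches the literal string `.exe|.bat|.vbs`; findstr ORs space-separated search strings, so `findstr /i "\.exe \.bat \.vbs"` is the form intended. In step 3, `lessmsi l -t InstallExecuteSequence .\sample.msi | sort` sorts the CSV rows as text, which orders them by the first column (the action name) rather than by the numeric `Sequence` column, so the output does not reflect execution order; sort on that column instead, e.g. `... | ConvertFrom-Csv | Sort-Object { [int]$_.Sequence }`. In the runtime section, `msiexec /i .\sample.msi /l*v install.log` performs the install and therefore runs the CustomActions being analysed; say explicitly that this step belongs in an isolated analysis VM. The file is also added without a trailing newline (`\ No newline at end of file`).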
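Review bot: In the second phishing-methodology/README.md hunk the only effect is to delete the file's trailing newline (`-{{#include ...}}` / `-` replaced by `+{{#include ...}}` with `\ No newline at end of file`), which is a regression unrelated to the feature; keep the final newline and drop this hunk, and in the first hunk consider reusing the page's `{{#ref}}` block as the only link rather than a paragraph that already restates most of the linked page's summary.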
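Review bot: In the new youtube-platform-abuse-malware-distribution.md the `Loader → stealer via MSI CustomAction` section repeats the full lessmsi command block and the three interpretation bullets that the sibling msi-file-analysis-customaction.md page already carries, and then links to that page anyway; keep the chain description and the link and drop the duplicated block so the two pages cannot drift apart (the same applies to the `Red-team notes` bullets, which restate the `Delivery patterns` and `Packaging and evasion` sections above them almost verbatim). Style: the two cross-links (`ZIPs tricks`, `MSI Installer CustomAction Analysis`) use plain markdown links while the rest of this PR and the phishing README use `{{#ref}}` blocks for in-repo pages; and the file lacks a trailing newline.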