Dissecting YouTube’s Malware Distribution Network

src/SUMMARY.md

@@ -64,6 +64,7 @@
     - [Discord Cache Forensics](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md)
     - [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
     - [Mach O Entitlements And Ipsw Indexing](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/mach-o-entitlements-and-ipsw-indexing.md)
+    - [Msi File Analysis Customaction](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md)
     - [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
     - [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
     - [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
@@ -84,6 +85,7 @@
   - [Web Requests](generic-methodologies-and-resources/python/web-requests.md)
   - [Bruteforce hash (few chars)](generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md)
   - [Basic Python](generic-methodologies-and-resources/python/basic-python.md)
+  - [Youtube Platform Abuse Malware Distribution](generic-methodologies-and-resources/phishing-methodology/youtube-platform-abuse-malware-distribution.md)
 - [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md)
 - [Blockchain & Crypto](blockchain/blockchain-and-crypto-currencies/README.md)
   - [Mutation Testing With Slither](blockchain/smart-contract-security/mutation-testing-with-slither.md)

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md

@@ -35,6 +35,11 @@ pdf-file-analysis.md
 {{#endref}}
 
 
+{{#ref}}
+msi-file-analysis-customaction.md
+{{#endref}}
+
+
 {{#ref}}
 structural-file-format-exploit-detection.md
 {{#endref}}

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md

@@ -0,0 +1,92 @@
+# MSI Installer CustomAction Analysis
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+Windows Installer packages (MSI) are relational databases of tables that drive install logic. Malicious actors abuse MSI CustomActions to execute staged droppers/loaders during installation while keeping static detections low. This page shows how to quickly triage MSIs and reconstruct execution chains using lessmsi.
+
+## Quick background
+- Tables of interest:
+  - CustomAction: defines actions (DLL/EXE/script) and their command lines (Target) and sources.
+  - InstallExecuteSequence: specifies the execution order for actions.
+  - File/Component/Feature: map logical keys to on-disk filenames and install locations.
+  - Binary: embedded streams referenced by CustomActions (e.g., DLLs/EXEs run from memory or temp).
+
+## Tooling: lessmsi CLI
+Install via Chocolatey or download a release. Core commands:
+
+```powershell
+# Extract files (trailing backslash required for output dir)
+lessmsi x .\sample.msi .\out\
+
+# List any MSI table as CSV to stdout
+lessmsi l -t CustomAction .\sample.msi
+lessmsi l -t InstallExecuteSequence .\sample.msi
+lessmsi l -t File .\sample.msi
+lessmsi l -t Component .\sample.msi
+lessmsi l -t Binary .\sample.msi
+```
+
+## Triage workflow
+1) Enumerate CustomActions
+
+```powershell
+lessmsi l -t CustomAction .\sample.msi
+```
+
+- Focus on actions whose `Type` implies launching EXE/script or loading a DLL.
+- Inspect the `Target` for command lines that drop/launch staged payloads.
+
+2) Map files referenced by actions
+
+```powershell
+# Find referenced filenames and their logical keys
+lessmsi l -t File .\sample.msi | findstr /i "\.exe\|\.bat\|\.vbs"
+lessmsi l -t Component .\sample.msi > components.csv
+```
+
+- Use the `File`/`Component` mapping to locate dropped executables in the extracted `out/` tree.
+
+3) Understand execution timing
+
+```powershell
+lessmsi l -t InstallExecuteSequence .\sample.msi | sort
+```
+
+- Identify where the suspicious CustomAction runs (e.g., between `InstallInitialize` and `InstallFinalize`).
+- Look for immediate actions that execute before files are committed.
+
+4) Check embedded streams
+
+```powershell
+lessmsi l -t Binary .\sample.msi
+```
+
+- If a CustomAction `Source` points to the `Binary` table, extract the stream (via GUI or a generic MSI stream dumper) and analyze it.
+
+5) Reconstruct the loader chain
+- Many stealer campaigns use: `MSI (CustomAction) → stage-1 EXE (loader, e.g., HijackLoader) → final stealer (e.g., Rhadamanthys)`.
+- Confirm by statically inspecting the stage-1 EXE and observing network beacons after detonation.
+
+## Execution tracing tip (runtime)
+Enable verbose installation logs to observe the CustomAction being invoked:
+
+```powershell
+msiexec /i .\sample.msi /l*v install.log
+```
+
+Search for the CustomAction name in `install.log` to confirm invocation order and parameters.
+
+## Heuristics that often indicate a malicious MSI
+- Low VT score but non-trivial `CustomAction` launching an EXE from `%TEMP%`, `%APPDATA%`, or a random subfolder.
+- `Binary`-backed actions executing opaque payloads without installing legitimate products.
+- Archives ship a plausible cracked installer alongside the MSI to maintain legitimacy.
+
+See also platform-abuse delivery via YouTube and end-to-end chain examples:
+- [YouTube Platform Abuse for Malware Distribution](../../phishing-methodology/youtube-platform-abuse-malware-distribution.md)
+
+## References
+
+- [lessmsi – MSI extractor and table viewer](https://github.com/activescott/lessmsi)
+- [Dissecting YouTube’s Malware Distribution Network (Check Point Research)](https://research.checkpoint.com/2025/youtube-ghost-network/)
+
+{{#include ../../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/phishing-methodology/README.md

@@ -616,6 +616,13 @@ Defence tips:
 - Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content.
 - Alert on suspicious 500 responses following `POST /detect` on newly registered domains.
 
+## Platform Abuse – YouTube Malware Distribution
+Coordinated crews weaponize YouTube descriptions, pinned comments, and Community posts to drive victims to shortlinks that resolve to Google Sites/Blogspot/Telegraph pages with the archive password and final file-host mirrors. Packaging uses large, passworded archives and rapid link/C2 rotation. See:
+
+{{#ref}}
+youtube-platform-abuse-malware-distribution.md
+{{#endref}}
+
 ## References
 
 - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
@@ -625,5 +632,4 @@ Defence tips:
 - [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/)
 - [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
 
-{{#include ../../banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/phishing-methodology/youtube-platform-abuse-malware-distribution.md

@@ -0,0 +1,75 @@
+# YouTube Platform Abuse for Malware Distribution
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Threat actors operate coordinated, role-based networks to weaponize YouTube features for at-scale malware delivery without exploiting CVEs. The tradecraft relies on social engineering, platform feature abuse, and packaging/hosting evasion.
+
+## Operator roles ("Ghost Network" model)
+- Video-accounts: upload lures (game cheats, software cracks), seed/refresh external links in descriptions or as pinned comments, and reply to comments to build trust.
+- Post-accounts: post in the Community tab with the shortlink and the archive password; rotate both periodically.
+- Interact-accounts: inflate ranking/legitimacy by liking and leaving positive comments.
+
+This separation gives resiliency: bans on one node do not halt distribution.
+
+## Delivery patterns on YouTube
+- Link placement: description, pinned comment, replies, or shown only during an “installation” segment inside the video. Often mirrored via Community posts.
+- Redirect chain: shortener → Google Sites/Blogspot/Telegraph (`telegra.ph`) page revealing the password (frequently `1337`) → file-sharing host (MediaFire/Dropbox/Google Drive) → final payload.
+- Social engineering: landing pages instruct the user to disable Windows Defender temporarily to prevent “false positives.”
+
+Example text commonly seen on landing pages:
+
+```
+Turn off Windows Defender temporarily
+Don't worry — the archive is clean. Defender may trigger a false alert due to the way Setup.exe works with installations.
+```
+
+## Packaging and evasion
+- Password-protected archives to block engine inspection and content preview; frequent password reuse (e.g., `1337`).
+- Oversized archives to bypass automatic scanning limits and “no-scan due to size” behaviours on file hosts.
+- Redundant mirrors (same file hosted in multiple platforms) and frequent refresh (every 3–4 days) of links, archives, and C2s to defeat reputation and signature accumulation.
+- Masquerading: archives contain a plausible cracked installer plus a staged dropper/loader.
+
+See also ZIP analysis and anti-reversing notes: [ZIPs tricks](../basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md).
+
+Families observed: Lumma (historic), Rhadamanthys, StealC, RedLine, 0debug/Phemedrone variants; loaders include HijackLoader and NodeJS-based stages.
+
+## Loader → stealer via MSI CustomAction
+A common pattern is an MSI where a CustomAction launches a stage-1 EXE (e.g., `bw97v41m.exe`), which drops/renames to a loader (e.g., `Remote-Vector32.exe`, HijackLoader) and then fetches/loads the infostealer (e.g., Rhadamanthys).
+
+Analysts can reconstruct the chain by extracting files and inspecting MSI tables with lessmsi:
+
+```powershell
+# Extract files
+lessmsi x .\Set-Up.msi .\out\
+
+# List tables of interest
+lessmsi l -t CustomAction .\Set-Up.msi           # Actions, Type, Target command
+lessmsi l -t InstallExecuteSequence .\Set-Up.msi  # Order of execution
+lessmsi l -t File .\Set-Up.msi                    # Map file keys → filenames
+lessmsi l -t Component .\Set-Up.msi               # File/component mapping
+lessmsi l -t Binary .\Set-Up.msi                  # Embedded streams referenced by CustomAction
+```
+
+- Identify the CustomAction invoking an EXE or script and its `Target` (command line).
+- Map the referenced file from the `File`/`Component` tables to the actual dropped path in the extracted payloads.
+- Use `InstallExecuteSequence` to position when the action runs.
+
+See also detailed triage: MSI CustomAction analysis steps and table interpretation in [MSI Installer CustomAction Analysis](../basic-forensic-methodology/specific-software-file-type-tricks/msi-file-analysis-customaction.md).
+
+## Hunting and detection ideas
+- Web telemetry: shorteners resolving to `sites.google.com`, `blogspot.*`, or `telegra.ph` that then redirect to file-sharing direct-download links (e.g., Dropbox `?dl=1`, MediaFire “download.php”).
+- Monitor downloads of password-protected archives followed by users disabling Defender/AV services; flag pages instructing Defender disablement.
+- Alert on repeated large archive downloads from new accounts/domains, especially with rapid link rotation cadence (~3–4 days).
+- Egress: look for infostealer C2 patterns following an installation from consumer file hosts.
+
+## Red-team notes (platform abuse TTPs)
+- Seed and mirror links in descriptions, pinned comments, and Community posts; rotate archive and password regularly.
+- Hide the password on a Google Sites/Blogspot/Telegraph page and then point to multiple file-host mirrors for resilience.
+- Ship a legitimate-looking installer alongside a staged dropper/loader; use large, passworded archives to blunt automated analysis.
+
+## References
+
+- [Dissecting YouTube’s Malware Distribution Network (Check Point Research)](https://research.checkpoint.com/2025/youtube-ghost-network/)
+- [lessmsi – MSI extractor and table viewer](https://github.com/activescott/lessmsi)
+
+{{#include ../../banners/hacktricks-training.md}}