{ "Event": { "analysis": "2", "date": "2022-12-07", "extends_uuid": "", "info": "Threat Analysis: MSI - Masquerading as a Software Installer", "publish_timestamp": "1670442590", "published": true, "threat_level_id": "2", "timestamp": "1670442581", "uuid": "d917ff47-81e7-40fe-826a-b6ffecf3aa26", "Orgc": { "name": "CUDESO", "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16" }, "Tag": [ { "colour": "#658dee", "local": "0", "name": "misp:tool=\"misp-scraper\"", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#5788bd", "local": "0", "name": "misp:event-type=\"collection\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "Other", "comment": "Blog title", "deleted": false, "disable_correlation": false, "timestamp": "1670433806", "to_ids": false, "type": "comment", "uuid": "845c780f-39e1-4347-b174-7fb6c860eeeb", "value": "Threat Analysis: MSI - Masquerading as a Software Installer" }, { "category": "External analysis", "comment": "Blog URL", "deleted": false, "disable_correlation": false, "timestamp": "1670433806", "to_ids": false, "type": "link", "uuid": "fd4e3f0b-ba5c-4274-85fd-831bddaf64ac", "value": "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer" }, { "category": "Payload delivery", "comment": "MatanBuchus Loader", "deleted": false, "disable_correlation": false, "timestamp": "1670433959", "to_ids": true, "type": "sha256", "uuid": "3fca2a7c-6d8a-4b88-99e0-601bb3069f43", "value": "face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666" }, { "category": "Payload delivery", "comment": "Magniber Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1670433948", "to_ids": true, "type": "sha256", "uuid": "59f0beac-9de1-4b08-9da9-b871a2882f13", "value": "0e65657740d7f06acda53b7d3190f9728801b984d5bd6ccb0b865d218ae71f66" 
}, { "category": "Payload delivery", "comment": "Qbot / Qakbot", "deleted": false, "disable_correlation": false, "timestamp": "1670433989", "to_ids": true, "type": "sha256", "uuid": "c305c04a-9c34-4279-aae8-32ba7cbf1c17", "value": "c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad" }, { "category": "Payload delivery", "comment": "dropped into the INSTALLLOCATION directory", "deleted": false, "disable_correlation": false, "timestamp": "1670434163", "to_ids": false, "type": "filename", "uuid": "d7b1b2ee-8a11-4ddc-aac3-6863d0d1ce16", "value": "notify.vbs" }, { "category": "Payload delivery", "comment": "dropped into the INSTALLLOCATION directory", "deleted": false, "disable_correlation": false, "timestamp": "1670434152", "to_ids": false, "type": "filename", "uuid": "38449e65-bdac-476c-b845-8f38e3535d2b", "value": "main.dll" } ], "EventReport": [ { "name": "Report from - https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer (1670433807)", "content": "\\AppData\\Local\\SetupTest).\n\n *Output folder path for installed file(s)*\n\n From inspecting the MSI, it is evident that the malware drops a module (@[attribute](146ce0aa-a499-42dc-ad42-809ab940422c)) into the SetupTest subdirectory of the local AppData directory and then executes it by calling the VBScript embedded in the Binary table. \n\n *QBot Attack Tree, as seen from the Cybereason platform*\n\n *@[tag](misp-galaxy:malpedia=\"QakBot\") MSI infection flow*\n\n ### Comparative Chart\n\n The following chart identifies key points seen in each malware\u2019s MSI behavior introduced in this chapter. 
\n\n Techniques in-use\n\n @[tag](misp-galaxy:ransomware=\"Magniber Ransomware\")\n\n MatanBuchus Loader\n\n @[tag](misp-galaxy:malpedia=\"QakBot\")\n\n Set installation directory to LocalAppDataFolder\n\n \u2714\ufe0f\n\n \u2714\ufe0f\n\n \u2714\ufe0f\n\n Dump files to installation directory\n\n \u2714\ufe0f\n\n \u2714\ufe0f\n\n Custom Action: Execute executable via specified command line \n\n \u2714\ufe0f\n\n Custom Action: Execute PE/script stored in Binary Table\n\n \u2714\ufe0f\n\n \u2714\ufe0f\n\n Execute dumped file in the installation directory\n\n \u2714\ufe0f\n\n \u2714\ufe0f\n\n Fake error message\n\n \u2714\ufe0f\n\n Continuous malicious execution regardless of MSI failure.\n\n \u2714\ufe0f\n\n \u2714\ufe0f\n\n *Comparative Chart*\n\n ## Purple Team\n\n This chapter focuses on key points for possibly identifying a malicious MSI, as well as a tool which can assist defenders to analyze the MSI files, which has already been leveraged in the Blue Team section. \n\n ### Suspicious Indicators\n\n There are three malicious indicators that can identify suspicious MSI files: \n\n 1. Mismatch between file detail and digital signature\n 2. Misleading errors\n 3. Suspicious installation path\n\n *Checkpoints*\n\n #### Mismatch in File Detail and Digital Signature\n\n MSI files often masquerade as legitimate installation software of well known applications. However, the digital signature for the MSI file does not match with the issuing author, as shown in the images below. Mismatches between the description or origin of an MSI file and the digital signature can indicate the file is actually malicious, especially when it purports to be from a well-known software vendor. 
\n\n @[tag](misp-galaxy:ransomware=\"Magniber Ransomware\")\n\n *Mismatch between the file information and the digital signature*\n\n MatanBuchus Loader\n\n *Mismatch between the file information and the digital signature*\n\n #### Misleading Errors\n\n Many different types of malware are known to trick victims in various ways. Malware that utilizes MSI has been seen to output false error messages, either by embedding a script or by crashing the installation. The error message is designed to trick victims into thinking the software installation was not successful because the installer or their environment was not configured properly. The false error outputs can indicate malicious activity. \n\n *Possible error messages*\n\n #### Suspicious Installation Path\n\n Often, the purpose of an MSI is to install software and drop relevant applications onto a disk. However, when the root destination directory for the installation is set to the local AppData folder, this can indicate malicious behavior. Legitimate installations usually drop necessary files under C:\\Program Files or C:\\Program Files (x86).\n\n *Installation directory configuration*\n\n In the above image, the malware drops \u201cinstallation\u201d files into the subfolder (ProductName) of the local AppData folder (LocalAppDataFolder). \n\n ### Tools\n\n There are tools defenders can use to analyze MSI files. This section introduces some of the tools and demonstrates their usage. \n\n #### Msitools\n\n Msitools are a set of tools that allow developers to create and inspect MSI files. However, the tools can also be used by defenders to analyze malicious MSI files. There are three main Msitools that defenders can use: msiinfo, msidump, and msidiff. 
These tools are command-line-based, which makes them easier to automate and include in a malware analysis pipeline.\n\n #### Msiinfo\n\n Msiinfo is a command-line tool that allows users to list and extract streams or tables stored in the MSI file.\n\n As an example, an analyst investigates the relevant MSI file @[attribute](9935fe14-bbed-42a7-a4f4-4c2a5beedc6f) (@[tag](misp-galaxy:malpedia=\"QakBot\")) by executing the streams command-line option and identifies a binary stored in the Binary Table. In order to investigate @[attribute](d9e0aded-7696-4a81-95a3-bc53d04464db), the analyst can dump this binary stream by utilizing the extract command-line option. \n\n *Output streams with msiinfo* \n\n #### Msidump\n\n Msidump is another command-line tool that dumps the relevant tables as IDT text, together with the streams stored in an MSI file. The investigative method and use are similar to msiinfo. \n\n *Output streams with msidump*\n\n #### Msidiff\n\n Msidiff is a command-line tool that compares two MSI files by diffing each sample. For example, an analyst may compare two different installers for their validity using msidiff. To verify whether the two installers install and dump the same files, the analyst can use the -l command-line option to list and compare the files likely to be dumped. \n\n *List of files from msidiff, from the QBot example*\n\n #### @[attribute](6c3defd3-8043-4c94-8a63-bbd55f8764a2)\n\n @[attribute](6c3defd3-8043-4c94-8a63-bbd55f8764a2) is a Python script created by Didier Stevens that\u2019s mainly utilized to analyze OLE documents. Since MSI files, like OLE documents, are COM Structured Storage files, this Python script allows defenders to analyze MSI files as well. \n\n *@[attribute](6c3defd3-8043-4c94-8a63-bbd55f8764a2) showing streams from @[attribute](9935fe14-bbed-42a7-a4f4-4c2a5beedc6f)*\n\n Each row consists of the following three columns: \n\n 1. Stream Number\n 2. Stream Size\n 3. 
Stream Name\n\n In most cases, when analyzing an MSI file with oledump.py, the stream names are incomprehensible, as shown in the image above.\n\n *@[attribute](6c3defd3-8043-4c94-8a63-bbd55f8764a2) showing stream 4 detail*\n\n By specifying the stream number with the \u201c-s\u201d option, oledump.py dumps the content of that stream. In the image above, stream 4 starts with the file header MSCF, which is the signature of a CAB file. \n\n #### ORCA\n\n ORCA is a GUI-based Windows SDK component that allows users to view and edit MSI database tables. An analyst can open the MSI file in question and navigate to each table to investigate. The GUI makes the investigation simpler since it is visually easier to follow. \n\n *Orca showing CustomAction table*\n\n ## Recommendations\n\n The Cybereason GSOC recommends the following actions to detect and respond to malicious MSI attacks:\n\n * In the Cybereason platform, enable both the Signature and Artificial Intelligence modes on the Cybereason NGAV, and enable the Detect and Prevent modes of these features.\n * Handle files originating from external sources (email, web browsing) with caution.\n * Contact a Cybereason Defender. The Cybereason MDR team provides custom hunting queries for detecting specific threats. To find out more about threat hunting and managed detection and response with the Cybereason Defense Platform, see Managed Detection and Response.\n * If you are a Cybereason customer, see the NEST for more information, including custom hunting queries for detecting this threat.\n\n Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. 
Learn more about Cybereason XDR, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\n\n ### About The Researchers\n\n Kotaro Ogino, Principal Security Analyst, Cybereason Global SOC\n\n Kotaro Ogino is a Principal Security Analyst with the Cybereason Global SOC team. He is involved in threat hunting, administration of Security Orchestration, Automation, and Response (SOAR) systems, and Extended Detection and Response (XDR). Kotaro holds a bachelor of science degree in information and computer science.\n\n Ralph Villanueva, Senior Security Analyst, Cybereason Global SOC\n\n Ralph Villanueva is a Senior Security Analyst with the Cybereason Global SOC team. He works hunting and combating emerging threats in the cybersecurity space. His interests include malware reverse engineering, digital forensics, and studying APTs. He earned his Master\u2019s Degree in Network Security from Florida International University. \n\n Robin Plumer, Security Analyst, Cybereason Global SOC\n\n Robin Plumer is a Security Analyst with the Cybereason Global SOC team. He analyzes and triages malware operations and researches new and emerging threats. He earned his Bachelor\u2019s degree in cybersecurity management from Bournemouth University, UK.\n\n #### Cybereason Global SOC Team\n\n The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\n\n @[attribute](845c780f-39e1-4347-b174-7fb6c860eeeb) December 5, 2022", "id": "33", "event_id": "320", "timestamp": "1670433808", "uuid": "63af994f-4277-4a11-b7b6-4f8c7125f557", "deleted": false } ] } }