In this cybersecurity incident, an attacker exploited online advertising platforms to distribute a malicious installer disguised as legitimate software. By placing their phishing website at the top of search engine results, the attacker successfully lured unsuspecting users into downloading a compromised MSI (Microsoft Installer) package. One of the employees in the organization unknowingly executed this installer, triggering a security alert due to unauthorized activity on the system. The goal of this investigation is to analyze the MSI package, uncover its malicious components, and determine the full extent of the security threat.
This walkthrough will guide us through a forensic analysis of the MSI installer, examining its internal components, embedded scripts, and execution mechanisms. We will leverage Advanced Installer to deconstruct the package and inspect custom actions that may reveal signs of malicious intent. Additionally, we will analyze the installer’s interaction with external resources, identify any embedded PowerShell scripts, and trace network communications to determine whether it contacts external servers. Understanding how this malware operates will provide valuable insight into the attack's objectives, enabling us to develop effective mitigation strategies.
Throughout this analysis, we will also investigate whether the MSI installer downloads additional payloads, executes suspicious scripts, or interacts with known malicious domains. By carefully dissecting its behavior, we can identify potential Command and Control (C2) servers, extract hidden scripts, and determine whether the attack was part of a lar