Threat Analysis: MSI – Masquerading as a Software Installer

Cybereason’s Purple Team Threat Analysis explores how Windows Installer MSI packages can be weaponized to deploy payloads, including embedded binaries and stagers that fetch commands from a C2 server. The report also analyzes related malware families (Magniber, MatanBuchus, Qbot/Qakbot), defensive detections, and practical mitigations. #MagniberRansomware #MatanBuchusLoader #Qbot #Qakbot

Keypoints

  • Masquerade as legitimate installer: malicious MSI files are disguised as well-known software updates to trick users into “updating.”
  • Execute with elevated privilege: custom actions inside an MSI can run as LocalSystem (the account of the Windows Installer service itself), enabling broader system compromise.
  • MSI supports numerous exploitation patterns: an MSI is a COM Structured Storage (compound) file, and its tables (for example Binary and CustomAction) let attackers package multiple files and actions inside a single installer.
  • Red Team: MSI-based attacks embed a stager binary that fetches and executes payloads from a C2 server; the stager keeps running even after the MSI installation itself has exited.
  • Execution flow includes phishing delivery, a UAC prompt, in-memory execution, and asynchronous payload execution after the MSI exits.
  • Blue Team findings show three malware families using MSI techniques (Magniber, MatanBuchus, Qbot) with distinct indicators and usage patterns.
  • Purple Team recommendations emphasize detection indicators, MSITools for inspecting packages, and collaboration with defenders for hunting and response.

MITRE Techniques

  • [T1036] Masquerading – Malicious MSI files masquerade as legitimate installers to trick victims into “updating” software. “Masquerade as legitimate installer: Malicious MSI files are sometimes difficult to distinguish from legitimate installers. Threat actors will often masquerade as well-known software updates and manipulate victims into “updating” the software on their machines.”
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – The MSI uses regsvr32.exe to load and execute a DLL stored in the Binary table: “regsvr32.exe will install main_dll.” and “The CustomAction Stager is set up to execute the malicious executable stored in the Binary table with elevated privileges.”
  • [T1059.005] VBScript – VBScript (and JScript) custom actions embedded in the MSI execute stored payloads: “VBScript _C212458FE5F810E2D8287472A14C2665”.
  • [T1059.001] PowerShell – The MatanBuchus section describes functionality to “download and execute malicious payloads, run arbitrary PowerShell commands, and conduct stealthy C2 server communications.”
  • [T1105] Ingress Tool Transfer – Payloads are fetched from a C2 server: “The stager … fetches payload from a C2 server.”
  • [T1566.001] Phishing: Spearphishing Attachment – Delivery via phishing email lures victims into running the MSI: “The execution flow … assumes the victim retrieves the MSI file via phishing email.”

Indicators of Compromise

  • [SHA-256] Magniber/MatanBuchus/Qbot – 0e65657740d7f06acda53b7d3190f9728801b984d5bd6ccb0b865d218ae71f66, face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666, c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad
  • [File name] – main.dll, notify.vbs, msia8a.tmp

Read more: https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer