Cisco Talos analyzed LNK file metadata to track threat actors such as Qakbot, Gamaredon, Bumblebee, and IcedID, showing how that metadata can reveal connections between campaigns. After Microsoft's macro changes pushed actors toward LNK-based attachments, the article demonstrates how LNK fields such as MAC timestamps and the DriveSerialNumber support both attribution and defense.
#Qakbot #Gamaredon #Bumblebee #IcedID
Keypoints
- Threat actors moved away from macros to LNK-based attachments as an initial access method after Microsoft’s macro changes.
- LNK metadata (MAC timestamps, DriveSerialNumber, MachineID, DROID GUID, DROID Birth GUID, SID, and Metadata Store) can identify the creator machine, target path, and potential moves of the file between systems.
- A variety of public tools (e.g., LNK Parser, LECmd, LnkParse3) and LNK builders (MLNK Builder, Quantum Builder, Macropack, SharPersist, etc.) are used to generate or analyze LNK files; some of the builders wipe most metadata from the files they produce.
- Payloads associated with LNK delivery include SharPersist, Quantum Builder, Meterpreter, and others; Meterpreter often hides the payload by exploiting malformed LNKs.
- Digisigs (embedded digital signatures) like “Microsoft Operations Puerto Rico1” appear in some samples to bypass AV detections, illustrating defense-evasion attempts.
- LNK metadata relationships help reveal connections among actors (e.g., Bumblebee with IcedID and Qakbot) and even between campaigns and families.
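The fields listed above (header MAC timestamps, the DriveSerialNumber in the LinkInfo VolumeID, and the MachineID and DROID GUIDs in the TrackerDataBlock) can be carved out of an LNK with a short parser. The following is an added example, not Talos's code or any of the tools named above: it builds a constructed sample LNK with made-up MachineID, drive serial and DROID values, then extracts the fields, including the creator MAC that the page describes as sitting in the last section of the DROID file identifier (a v1 GUID), and goes one step further by also decoding that GUID's embedded timestamp.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UUID_V1_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
TRACKER_SIG = 0xA0000003  # ExtraData TrackerDataBlock signature (MS-SHLLINK)

def parse_lnk(data):
    """Extract the attribution-relevant fields from a ShellLink (.lnk) byte string."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    ft = lambda v: FILETIME_EPOCH + timedelta(microseconds=v // 10)  # FILETIME -> UTC datetime
    info = {"target_mac": tuple(ft(v) for v in struct.unpack_from("<QQQ", data, 0x1C))}
    off = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: skip IDListSize plus the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo: the VolumeID structure holds the DriveSerialNumber
        li_size, _, li_flags, vol_off = struct.unpack_from("<IIII", data, off)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            info["drive_serial"] = "%08X" % struct.unpack_from("<I", data, off + vol_off + 8)[0]
        off += li_size
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # StringData: Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & bit:
            off += 2 + struct.unpack_from("<H", data, off)[0] * (2 if flags & 0x80 else 1)  # IsUnicode
    while off + 8 <= len(data):  # ExtraData blocks until the terminal block (BlockSize < 4)
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4: break
        if sig == TRACKER_SIG:  # MachineID(16) + Droid(2 GUIDs) + DroidBirth(2 GUIDs)
            info["machine_id"] = data[off + 16:off + 32].split(b"\0")[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=data[off + 48:off + 64])
            info["droid_file"] = str(file_droid)
            if file_droid.version == 1:  # v1 GUID: node field is the creating host's MAC, plus a timestamp
                info["creator_mac"] = ":".join("%02x" % b for b in file_droid.node.to_bytes(6, "big"))
                info["droid_time"] = UUID_V1_EPOCH + timedelta(microseconds=file_droid.time // 10)
        off += size
    return info

def build_sample():
    """Constructed LNK (header + LinkInfo/VolumeID + TrackerDataBlock) with made-up values; no target command."""
    t = int((datetime(2022, 6, 15, 9, 30, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
    clsid = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, 0x02, 0x20, t, t, t, 0, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\0"  # DRIVE_FIXED, constructed serial
    body = vol + b"C:\\\0" + b"\0"
    li = struct.pack("<IIIIIII", 28 + len(body), 28, 1, 28, 28 + len(vol), 0, 28 + len(vol) + 4) + body
    droid = uuid.UUID("2f1a4c3e-5b6d-4e7f-8a9b-0c1d2e3f4a5b").bytes_le + uuid.UUID("a1b2c3d4-1234-11ed-9a7b-001122334455").bytes_le  # constructed volume + v1 file GUIDs
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIG, 0x58, 0, b"desktop-abc123") + droid * 2
    return hdr + li + tracker + b"\0\0\0\0"
```

Run it on a real file with `parse_lnk(open(path, "rb").read())`; a sample produced by a builder that wipes metadata will simply lack the TrackerDataBlock, so the machine_id and DROID keys will be absent.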
MITRE Techniques
- [T1204.002] User Execution – Malicious File – LNK files used as initial access to download and execute payloads. ‘LNK files used as their initial access method to download and execute payloads.’
- [T1105] Ingress Tool Transfer – Downloading a payload from a remote server after opening an LNK, e.g., ‘download and execute a binary from hxxp://88.198.148[.]231/u.exe.’
- [T1023] Shortcut Modification – The LNK structure stores information about the target object and can indicate if a LNK file was moved to a different system after creation. ‘The LNK structure stores information about the target object… There are different values for the Volume identifier… The last section of the File identifier is generated based on the MAC address…’
- [T1036] Masquerading – Embedded digisig (e.g., “Microsoft Operations Puerto Rico1”) is used to confuse AV scanners; the paper notes there is no provision in LNK for a digisig, suggesting it is garbage data to bypass detections. ‘there is no provision in the LNK file format for a digisig, which means the digisig is probably present only as garbage data to confuse AV scanners’
- [T1082] System Information Discovery – LNK metadata reveals identifiers of the machine that created the file (Drive Serial Number, MachineID, MAC timestamps, SID), helping attribution. ‘A FILETIME structure that specifies the MAC time of the LNK target in UTC… DriveSerialNumber… MachineID (16 bytes)… SID’
- [T1070] Indicator Removal on Host – Tools and builders wipe metadata from LNK files to hinder detection. ‘most of them wipe out most metadata from the file’
Indicators of Compromise
- [Hash] 8fda14f91e27afec5c1b1f71d708775c9b6e2af31e8331bbf26751bc0583dc7e – AA campaign Qakbot-related sample; metadata-rich LNK tied to June/July 2022 activity
- [Hash] 2f9da7145056a4217552a5a536ceb8365e853fbd04d28ae2d494afb20e9c021f – AA campaign Qakbot-related sample; metadata-rich LNK tied to June/July 2022 activity
- [Drive Serial Number] 0x2848e8a8 – Drive serial linked to AA campaign LNK samples
- [Drive Serial Number] 300D-05E9 – Drive serial linked to Bumblebee/Qakbot correlations
- [IP] 88.198.148.231 – Remote host used in a beacb sample to download a payload
- [Digisig] Embedded digital signature name “Microsoft Operations Puerto Rico1” – Used to evade detection in some Gamaredon-related LNKs
Read more: https://blog.talosintelligence.com/following-the-lnk-metadata-trail/