AhnLab ASEC detected malware distributed through breached legitimate websites using LNK files that prompt users to run them, illustrating a distribution chain that involves HTML and VBScript executed via mshta and PowerShell. The article also covers how AhnLab EDR analyzes this behavior, including file decompression, registry autorun, and data exfiltration steps, with guidance on detection and IOC considerations. #LNKFiles #mshta #PowerShell #VBScript #CERTUTIL #DriveByCompromise #AhnLabEDR
Keypoints
- Malware is distributed through breached legitimate websites, used as distribution platforms.
- LNK files disguised as benign data prompt users to download and execute payloads.
- The LNK runs an HTML script via mshta, which then executes an obfuscated VBScript.
- The LNK file is read with PowerShell, dropping a CAB file that is decompressed and executed via expand.
- The dropped BAT script collects system information, registers at startup, and attempts data exfiltration or further downloads (via certutil).
- AhnLab EDR provides behavioral detections and visuals of infiltration/exfiltration paths to aid defense, noting that legitimate websites’ URLs are not exposed as IOCs.
MITRE Techniques
- [T1189] Drive-by Compromise – Breaches legitimate websites to distribute malware; “The attacker uses non-PE files since unlike PE files, non-PE files are relatively easy to modify.”
- [T1204.002] User Execution: Malicious File – The files prompt users to download and execute them; “The files prompt users to download and execute them.”
- [T1059.001] PowerShell – The LNK file is read through the PowerShell process and the CAB file is dropped and executed via expand; “The lines’ major features are reading the LNK file through the PowerShell process and dropping the CAB file embedded within the LNK file to decompress and execute the CAB file through the expand process.”
- [T1059.005] Visual Basic – HTML script runs an obfuscated VBScript; “The HTML script in turn runs an obfuscated VBS script.”
- [T1105] Ingress Tool Transfer – Downloads additional files and decodes/executes them via certutil; “downloading additional files, decoding and executing the downloaded file through certutil, and so on.”
- [T1547.001] Registry Run Keys / Startup Folder – Registers itself to the autorun registry; “registering itself to the autorun registry.”
- [T1027] Obfuscated/Compressed Files and Information – Obfuscated script within non-PE files; “non-PE files … obfuscated VBS script.”
- [T1059.003] Windows Command Shell – BAT script executes and performs multiple actions (e.g., decompression, information collection); “malicious features of the BAT script include executing another script decompressed from the CAB file, collecting system information, registering itself to the autorun registry, and sending data.”
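The keypoints and the MITRE list above describe one process chain: an LNK launches mshta, mshta runs HTML/VBScript, that spawns PowerShell which reads the LNK and drops a CAB, expand decompresses it, a BAT script runs, and certutil decodes follow-on files while a Run key is written. The correlator below is an added example (not ASEC's or AhnLab's code) that walks a small set of constructed Sysmon-style events (process create and registry value set; the field names pid/ppid/image/cmdline/key are assumptions) and flags each link of that chain with the technique ID this digest assigns to it, while leaving a benign admin session that also uses PowerShell and expand unflagged:

```python
"""Correlate process and registry telemetry into the LNK -> mshta -> PowerShell
-> expand -> BAT -> certutil / Run-key chain.  Added example, not ASEC code.

Event fields (pid, ppid, image, cmdline, key) are assumptions modelled on
Sysmon Event ID 1 and 13; the sample events are constructed for this demo.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry: one malicious chain (pids 200-600) and a benign
# admin session (pids 700-800) that also runs PowerShell and expand.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "mshta.exe",      "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\p.html"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -c Get-Content *.txt.lnk"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "expand.exe",     "cmdline": r"expand.exe C:\Users\u\AppData\Local\Temp\t.cab -F:* C:\Users\u\AppData\Local\Temp\o"},
    {"type": "process", "pid": 500, "ppid": 300, "image": "cmd.exe",        "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\o\run.bat"},
    {"type": "process", "pid": 600, "ppid": 500, "image": "certutil.exe",   "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\o\enc.txt C:\Users\u\AppData\Local\Temp\o\dec.exe"},
    {"type": "registry", "pid": 500, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update", "value": r"C:\Users\u\AppData\Local\Temp\o\run.bat"},
    {"type": "process", "pid": 700, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
    {"type": "process", "pid": 800, "ppid": 700, "image": "expand.exe",     "cmdline": r"expand.exe driver.cab -F:* C:\drivers"},
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def build_procs(events):
    """Index process-create events by pid; image names are lower-cased."""
    return {e["pid"]: Proc(e["pid"], e["ppid"], e["image"].lower(), e["cmdline"])
            for e in events if e["type"] == "process"}


def lineage(procs, pid, limit=16):
    """Image names from the process itself up to the root, bounded so pid reuse cannot loop."""
    out, p = [], procs.get(pid)
    while p is not None and len(out) < limit:
        out.append(p.image)
        p = procs.get(p.ppid)
    return out


def detect(events):
    """Return one finding per suspicious link of the chain, tagged with the digest's technique IDs."""
    procs = build_procs(events)
    findings = []

    def hit(pid, technique, reason, chain):
        findings.append({"pid": pid, "technique": technique, "reason": reason,
                         "chain": " <- ".join(chain)})

    for e in events:
        chain = lineage(procs, e["pid"])
        if not chain:          # registry event from a process we never saw start
            continue
        me, parents = chain[0], chain[1:]
        under_mshta = "mshta.exe" in parents
        if e["type"] == "process":
            cl = e["cmdline"].lower()
            if me == "mshta.exe" and parents[:1] == ["explorer.exe"]:
                hit(e["pid"], "T1204.002", "mshta launched from the shell (LNK double-click)", chain)
            elif me == "powershell.exe" and (under_mshta or ".lnk" in cl):
                hit(e["pid"], "T1059.001", "PowerShell under mshta or reading an LNK", chain)
            elif me == "expand.exe" and ".cab" in cl and under_mshta:
                hit(e["pid"], "T1059.001", "CAB decompressed by expand inside mshta-rooted chain", chain)
            elif me == "cmd.exe" and ".bat" in cl and under_mshta:
                hit(e["pid"], "T1059.003", "BAT script run inside mshta-rooted chain", chain)
            elif me == "certutil.exe" and ("-decode" in cl or "-urlcache" in cl):
                hit(e["pid"], "T1105", "certutil used to decode or fetch a file", chain)
        elif e["type"] == "registry":
            if "\\currentversion\\run\\" in e["key"].lower() and me in SCRIPT_HOSTS:
                hit(e["pid"], "T1547.001", "Run key written by a script host", chain)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['technique']}] pid={f['pid']} {f['reason']}: {f['chain']}")
```

Each rule keys on the parent chain rather than on a single binary, which is what keeps the benign explorer → powershell → expand session quiet; in production the `.lnk` and `-decode` substring checks would be replaced by proper command-line tokenisation, and the registry rule would be scoped to the user hives the EDR reports.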
Indicators of Compromise
- [File name] In context – Pomerium Project Related Inquiry Data.txt.lnk, Data Regarding Application for Changes Before the 2023 Iris Agreement.txt.lnk, and 4 more
- [Hash] Listed as SHA-256, but each value below is 32 hex characters (MD5 length); confirm the algorithm against the ASEC post before loading them into a blocklist – 04d9c782702add665a2a984dfa317d49, 453e8a0d9b6ca73d58d4742ddb18a736, 8f3dcf4056be4d7c8adbaf7072533a0d, c2aee3f6017295410f1d92807fc4ea0d
Read more: https://asec.ahnlab.com/en/58919/