Shortcut files have recently become a common carrier for spreading malware in targeted attacks. Symantec has found many shortcut files used to penetrate networks, as described in previous blog articles. I recently came across a case where such a shortcut bypasses security software and successfully tricks the recipient into executing malware from the attachment. In this case, the malicious program is split into pieces before it is sent to the recipient, and a shortcut is used to reassemble the complete malware.
The archive file attached to the malicious email contains a shortcut with a folder icon and a real folder, which holds a .doc file and two hidden files with a .dat extension.
Figure 1: Archive file attached to the email
Figure 2: Contents of the Summit-Report1 folder
For users who keep the default Explorer settings, only two folders are visible in the archive. Clicking either of them takes the user to the directory where the .doc file is stored. If the user clicks the shortcut disguised as a folder, however, the copy command embedded in it also joins the two .dat files into a malicious program, and the computer is infected. Although the file layout of the attachment can vary, it always contains a shortcut and several split files.
Figure 3: The shortcut's properties show the script used to combine the .dat files.
Figure 4: Source code of ~$1.dat
Figure 5: Source code of ~$2.dat
Figure 6: Source code of the combined executable
Before the attack, the attacker splits the malicious program; it is only reassembled on the recipient's computer. This strategy serves several goals. The main one is to keep the malicious program from being detected: once it is split into scattered fragments, it is hard for security software to tell that the fragments are malicious. Another goal is to get past gateway security software that strips executable files. Typical gateway protection filters by file type and removes executable files from email attachments, a common practice in IT departments.
Shortcuts are simple and effective. They do not need to exploit a vulnerability; a vulnerability-based attack consumes considerable resources and requires that the targeted computer actually has the security vulnerability. The attacker only needs to disguise a shortcut as a folder or document. Once the attacker has prepared the malicious program and added a one-line script, the attack is ready.
How can such attacks be prevented? In general, there is no particular reason for a shortcut file to be included in an email attachment. If a company decides that shortcuts are not needed in email attachments, it can have the gateway filter them out.
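A gateway filter of the kind suggested here needs to see what a shortcut in an attachment actually does. As an added example (not code from the Symantec post), the following Python parses the Shell Link header and StringData fields of a .lnk and flags one whose command line joins split pieces with copy and then launches the result; the two sample shortcuts are constructed in the code (build_lnk), modelled on Figure 3, and are not the attachment's real files.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the fixed header CLSID every Shell Link carries
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]

def parse_lnk(data):
    """Return the StringData of a .lnk (target path, arguments, icon) as a dict."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # skip LinkInfo: its u32 size comes first
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:              # fixed order; each is u16 count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def lnk_reassembles_payload(fields):
    """True when the command line joins split pieces with copy and then launches something."""
    cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    joins = re.search(r"\bcopy\b[^&|]*\+[^&|]*\.exe", cmd) is not None
    runs = re.search(r"[&|]\s*(start|call)\b", cmd) is not None
    return joins and runs

def build_lnk(relative_path, arguments, icon):
    """Constructed minimal .lnk for testing: Unicode strings, empty IDList, no LinkInfo."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(52)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # size 2 = only the terminal ID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments, icon))
    return header + id_list + strings

# Constructed samples: one modelled on Figure 3 (cmd.exe joining two hidden .dat pieces), one decoy
MALICIOUS = build_lnk(r"..\..\Windows\System32\cmd.exe",
                      r"/c copy /b ~$1.dat + ~$2.dat svc.exe & start svc.exe", r"shell32.dll")
BENIGN = build_lnk(r"Summit-Report1\Report.doc", "", r"shell32.dll")
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block before the strings, which the parser skips by size; a gateway rule would hold any attachment whose .lnk returns True here.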
Symantec detects this malware as a Trojan and has posted details in its online write-up.
I don't know whether readers expected the copy command to have such a surprising use. This is why ideas and skills in penetration matter so much.
From: 91ri.org