kapela86 10 Posted November 6, 2018 Share Posted November 6, 2018 Few days ago one user was infected with some unknown virus (probably from e-mail attachment), I noticed it because ERA reported everyday at morning that it detected PowerShell/TrojanDownloader.Agent.AZG and I went there to investigate. What surprised me was that there was iexplorer.lnk file in user's startup folder and it pointed to I checked that reg path, it contains this: I decoded it to this: I'm glad that ESET detected download attempt everytime it started, but it probably could detect that lnk file. virus.zip code.rar Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted November 6, 2018 ESET Moderators Share Posted November 6, 2018 Hello @kapela86, great analysis, thumbs up! I have forwarded it to the lab to check it and possible add to the detection. Regards, P.R. Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 6, 2018 Share Posted November 6, 2018 Must say this one is a bit unique in the combination of using a .lnk file from the startup folder pointing to Powershell to run something from the registry. Normally .lnk malware attacks are e-mail based: https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/ The first concern would be it appears that malware was able to create this registry key, HKCU\Software\Classes\mssccfile, which needs to be addressed. Also if PowerShell was set to "Constrained Language" mode, the attack would have failed since PowerShell is calling a .Net subassembly which would not be allowed in this Language mode. Link to comment Share on other sites More sharing options...
kapela86 10 Posted November 6, 2018 Author Share Posted November 6, 2018 5 minutes ago, itman said: The first concern would be it appears that malware was able to create this registry key, HKCU\Software\Classes\mssccfile, which needs to be addressed. Well it's in HKEY_CURRENT_USER so current user has rights to edit it and any malware run from that account can also do it. And thanks for pointing out about "Constrained Language " mode, I will look into it. Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 6, 2018 Share Posted November 6, 2018 1 minute ago, kapela86 said: Well it's in HKEY_CURRENT_USER so current user has rights to edit it and any malware run from that account can also do it. What I meant was the key needs to be removed. It doesn't exist on my Win 10 x(64) 1803 build. Link to comment Share on other sites More sharing options...
kapela86 10 Posted November 6, 2018 Author Share Posted November 6, 2018 Just now, itman said: What I meant was the key needs to be removed. It doesn't exist on my Win 10 x(64) 1803 build. Yeah I removed it, but there would be no harm leaving it as it is harmless on its own, it was obvious it's not a standard system key, I even gogled mssccfile, only 1 result was found Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 6, 2018 Share Posted November 6, 2018 (edited) 4 hours ago, kapela86 said: Yeah I removed it, but there would be no harm leaving it as it is harmless on its own, it was obvious it's not a standard system key, I even gogled mssccfile, only 1 result was found As far as I am aware, a .lnk file cannot be run directly from a startup directory. For example, .lnk files are present in the Windows Accessories directory, etc. From this Sentinel article: Quote Methods for Using Windows Shortcut File or .LNK Windows shortcut files are not only valued for deception capabilities, but also for the flexibility in delivering malicious payloads. .LNK can be used to: Run CodeIn the case of Stuxnet (CVE-2010-2568 and MS10-046), the .LNK files were used to start running the Stuxnet code. The only requirement was that the icon simply appeared, whether from an infected USB drive, a network share, malicious website, or packaged into a document. Even without clicking on the icon, it was able to deliver the malware’s payload. https://www.sentinelone.com/blog/windows-shortcut-file-lnk-sneaking-malware/ It does not state icons on the desktop for example. So it would be informative to know just how this .lnk file was executed. Edited November 6, 2018 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 6, 2018 Share Posted November 6, 2018 (edited) This might be how the .lnk file ran at startup: Quote 3: StartupAutorun If the resource 105 begins with the dword value “3”, a LNK file will be created in the Start Menu. The resource will also provide a description for the shortcut file, the path for the target and the filename for the LNK. The IShellLink interface is used to create the shell link. https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf Edited November 6, 2018 by itman Link to comment Share on other sites More sharing options...
kapela86 10 Posted November 7, 2018 Author Share Posted November 7, 2018 (edited) 13 hours ago, itman said: As far as I am aware, a .lnk file cannot be run directly from a startup directory Sure they can, it's standard Windows design dating back Windows 98 if not older. If you put lnk files in C:\Users\you\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ they will launch at user login Edited November 7, 2018 by kapela86 Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 7, 2018 Share Posted November 7, 2018 (edited) 7 hours ago, kapela86 said: you put lnk files in C:\Users\you\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ they will launch at user login This directory requires admin privileges to write to. Eset's historical stance has been this is sufficient protection. If you have Eset Endpoint, a HIPS rule to prevent *.lnk file creation in the directory could be created. Unfortunately, like HIPS wildcard capability still doesn't exist in the retail versions to do the same; despite repeated user requests for it over the years. Edited November 7, 2018 by itman Link to comment Share on other sites More sharing options...
kapela86 10 Posted November 7, 2018 Author Share Posted November 7, 2018 11 minutes ago, itman said: This directory requires admin privileges to write to. No it doesn't. 12 minutes ago, itman said: If you have Eset Endpoint... Yes we have Endpoint Security, I will try to experiment with HIPS. I meant to do it anyway to block running vbs files. Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 7, 2018 Share Posted November 7, 2018 Just now, kapela86 said: No it doesn't. It does on my Win 10 x(64) 1803 build. Link to comment Share on other sites More sharing options...
kapela86 10 Posted November 7, 2018 Author Share Posted November 7, 2018 (edited) 13 minutes ago, itman said: It does on my Win 10 x(64) 1803 build. And it doesn't on mine, also Win 10 x64 1803 Pro connected to Active Directory, tested with an account that is only standard user. I will test this later at home on Win 7 x64 Home Premium and 10 x64 1803 Home Edited November 7, 2018 by kapela86 Link to comment Share on other sites More sharing options...
itman 1,659 Posted November 7, 2018 Share Posted November 7, 2018 1 hour ago, kapela86 said: And it doesn't on mine, also Win 10 x64 1803 Pro connected to Active Directory, tested with an account that is only standard user. I will test this later at home on Win 7 x64 Home Premium and 10 x64 1803 Home I stand corrected. You can write to that directory w/o issue; at least with limited admin privileges. For some reason, I got a admin popup when testing which might be due to the Eset HIPS rule I created to monitor write activity to the directory. Link to comment Share on other sites More sharing options...
Recommended Posts