For today's YARA rule I wanted to write a detection for suspicious .LNK files that leverage the Windows command script file format (.cmd).
I used an LNK file observed with IcedID malware earlier today.
Belkasoft's blog post "Forensic Analysis of LNK Files" was used to learn about .LNK file headers.
Here's the YARA rule I created for detecting suspicious .LNK files:
rule sus_lnk_files {
    meta:
        author = "Colin Cowie"
        description = "Yara rule to detect suspicious .LNK files used by IcedID and other malware families"
        reference = "SHA1: 92ba4c948890d67927afa26727474e563e6d1bdf"
    strings:
        $lnk_header = { 4C 00 00 00 }
        $shell = "shell32.dll" ascii wide
        $cmd = "cmd.exe" ascii wide
        $cmd_file = ".cmd" ascii wide
    condition:
        all of them
        and $lnk_header at 0
        and filesize < 5KB
}
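To show what each part of the rule is actually checking, here is an added Python example (not from the original post and not the author's code) that mirrors the rule's logic over a constructed LNK-like byte string: the 4C 00 00 00 HeaderSize field at offset 0, the three strings matched in both ASCII and UTF-16LE form (what YARA's "ascii wide" modifier does), and the filesize gate. The sample bytes, the file paths inside them and the function names are constructed for illustration; the only extra check beyond the page's rule is the well-known ShellLink CLSID that follows the header size field, which is reported separately and does not affect the verdict.

```python
import struct

# The ShellLinkHeader begins with HeaderSize (0x4C, little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046. The page's rule only checks the
# first four bytes; the CLSID check below is an extra, stricter header test.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER = struct.pack("<I", 0x4C) + LNK_CLSID + b"\x00" * (0x4C - 20)

# Constructed samples (not real malware). The suspicious one carries "cmd.exe" as a
# UTF-16LE ("wide") string so that an ASCII-only search would miss it.
SUSPICIOUS_SAMPLE = (
    HEADER
    + b"C:\\Windows\\System32\\shell32.dll\x00"
    + "cmd.exe".encode("utf-16-le")
    + b"/c start update.cmd\x00"
)
BENIGN_SAMPLE = HEADER + b"C:\\Users\\Public\\notes.txt\x00"

# The rule's string set and its filesize limit (filesize < 5KB).
RULE_STRINGS = {"$shell": "shell32.dll", "$cmd": "cmd.exe", "$cmd_file": ".cmd"}
MAX_SIZE = 5 * 1024


def find_ascii_wide(data: bytes, needle: str) -> list:
    """Return (offset, encoding) pairs for every ASCII and UTF-16LE occurrence,
    which is what a YARA string with the 'ascii wide' modifiers matches."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pattern = needle.encode(enc)
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((idx, enc))
            start = idx + 1
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Apply the same conditions as sus_lnk_files and report each one."""
    matches = {name: find_ascii_wide(data, s) for name, s in RULE_STRINGS.items()}
    header_ok = data[:4] == b"\x4c\x00\x00\x00"      # $lnk_header at 0
    clsid_ok = data[4:20] == LNK_CLSID               # extra check, informational only
    size_ok = len(data) < MAX_SIZE                   # filesize < 5KB
    verdict = all(matches.values()) and header_ok and size_ok   # "all of them" and ...
    return {
        "matches": matches,
        "header_ok": header_ok,
        "clsid_ok": clsid_ok,
        "size_ok": size_ok,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = evaluate_rule(blob)
        print(label, "->", "MATCH" if result["verdict"] else "no match")
        for name, hits in result["matches"].items():
            print("   ", name, hits)
```

Running it shows the constructed suspicious blob matching with $cmd found only as a UTF-16LE string, the benign blob failing on the missing $shell string, and the same suspicious content padded past 5 KB failing on the size gate. That last case is the main trade-off in the rule: the size limit keeps false positives down on large legitimate shortcuts, but a loader that pads its LNK file would fall outside it.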
Retrohunting on VirusTotal with this rule returned some really positive results! It seemed like most of the results were either Qakbot or IcedID, such as:
- Qakbot from 2023-01-04: SCANED_XE2521.img
  - LNK file: SCANED_XE2521.LNK
- IcedID from 2022-12-02: IRS_Form_12-01-12.iso
  - LNK file: Documents.lnk