After taking a nice long break from both work and #100DaysOfYara, let's resume with a rule to detect .url shortcut files that link to a batch script.
Researchers reported that Qakbot distributed .url files last week:
Here's the YARA rule I wrote for detecting suspicious shortcut files! It anchors the [InternetShortcut] header at offset 0, requires a URL= entry and a ".bat" reference, and caps the file size at 1KB, since real shortcut files are tiny.
rule sus_url_shortcut_bat {
    meta:
        author = "Colin Cowie"
        description = "Detects shortcut url files that link to a batch script"
        reference = "https://isc.sans.edu/diary/29592"
    strings:
        $shortcut = "[InternetShortcut]" // section header of a Windows Internet Shortcut (.url) file
        $url = "URL="                    // key holding the shortcut target
        $bat = ".bat"                    // target points at a batch script
    condition:
        $shortcut at 0
        and all of them
        and filesize < 1KB
}
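To show what the rule is matching on, here is an added example (my own illustration, not code from the original post) that parses a .url file the way Windows reads it, as an INI-style file with an [InternetShortcut] section, and applies the same three checks as the rule: header at offset 0, a URL= target ending in a batch-script extension, and a size under 1KB. Parsing the URL= value rather than substring-matching ".bat" is a small generalization: it avoids flagging a ".bat" that appears only in an icon path or comment, and it treats .cmd the same as .bat. The sample shortcut contents and the cdn.example hostname are constructed for the example.

```python
import configparser
from urllib.parse import urlparse

MAX_SIZE = 1024  # mirrors "filesize < 1KB" in the YARA rule
BATCH_EXTENSIONS = (".bat", ".cmd")  # .cmd added as a generalization of the rule

# Constructed sample files (not real samples from the post)
LEGIT_URL_FILE = (
    b"[InternetShortcut]\r\n"
    b"URL=https://www.example.com/register\r\n"
)
SUS_URL_FILE = (
    b"[InternetShortcut]\r\n"
    b"URL=https://cdn.example/attachments/1/2/crack.bat\r\n"
    b"IconIndex=0\r\n"
)
NOT_A_SHORTCUT = b"notes: see [InternetShortcut] URL=x.bat\r\n"


def parse_internet_shortcut(data: bytes):
    """Return the URL= target of a .url file, or None if it is not a shortcut.

    The header must be at offset 0, like "$shortcut at 0" in the rule.
    """
    if not data.startswith(b"[InternetShortcut]"):
        return None
    # Windows .url files are INI text; configparser handles the key=value lines.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    # option names are case-insensitive in configparser, so "URL" is found as "url"
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify(data: bytes) -> dict:
    """Apply the rule's logic to one file and return the individual findings."""
    target = parse_internet_shortcut(data)
    result = {
        "is_shortcut": target is not None,
        "target": target,
        "links_to_batch": False,
        "small": len(data) < MAX_SIZE,
        "suspicious": False,
    }
    if target is None:
        return result
    path = urlparse(target).path.lower()
    result["links_to_batch"] = path.endswith(BATCH_EXTENSIONS)
    # same conjunction as the rule: shortcut AND batch target AND tiny file
    result["suspicious"] = result["links_to_batch"] and result["small"]
    return result


if __name__ == "__main__":
    for name, blob in [("legit", LEGIT_URL_FILE), ("sus", SUS_URL_FILE),
                       ("not_a_shortcut", NOT_A_SHORTCUT)]:
        print(name, classify(blob))
```

Running it flags only the second sample: the product-registration shortcut has a plain https target, and the third blob mentions both strings but does not start with the header, so it is not a shortcut at all.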
Retrohunting with this rule found a wide variety of results!
Some of the results are legitimate files used for product registration, such as:
There were, however, a lot of malicious results that made use of the Discord CDN, such as this fake crack script that trolls the victim: