I was reading a pretty interesting write-up from Seqrite regarding, in part, the use of pseudo-polyglot documents. In this case, delivery occurred via a ZIP archive that contains an LNK file and a PNG file. The PNG file is the pseudo-polyglot file in question; the binary contents contain a series of commands to be executed via ftp.exe, followed by what appears to be a PDF document. The attack is initiated when the target user double-clicks the LNK file; I’ll leave the rest of the description to the author. I will say that I’m not used to the author’s writing style, so it took me a bit of effort to get used to it, and to get a better view of what the author was trying to share.
However, what did interest me more was that the threat actor’s efforts included an LNK, something that had to be created on the threat actor’s infrastructure before it was included in the archive. As such, from an intel perspective, LNK files are “free money”, and something I’ve talked about here in this blog more than a few times.
Using the hash provided in the write-up, I was able to find a sample to download and parse myself. The LNK file itself had very little actual metadata beyond what was shared in the write-up, but that was still very interesting to me.
Take a look at the full set of metadata:
guid {00021401-0000-0000-c000-000000000046}
shitemidlist My Computer/C:\/Windows/system32/cmd.exe
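As an added illustration (example code written for this post, not from the Seqrite write-up or its author), here is a minimal parser for the fixed 76-byte ShellLinkHeader from which the guid value above comes, plus a count of the ItemIDs that make up the shitemidlist. The LNK bytes it parses are constructed inline and are not the sample discussed in the write-up.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# LinkCLSID every .lnk must carry (MS-SHLLINK): the guid line in the metadata above.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}

def filetime_to_utc(ft):
    """Windows FILETIME (100ns ticks since 1601-01-01 UTC) -> aware datetime; None if zero."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_shell_link_header(data):
    """Parse the fixed 76-byte ShellLinkHeader at the start of a .lnk file."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid_raw, flags, attrs, ctime, atime, wtime,
     fsize, icon, show, hotkey) = struct.unpack("<I16sIIQQQIIIH", data[:66])
    clsid = uuid.UUID(bytes_le=clsid_raw)     # first three GUID fields are little-endian
    if size != 76 or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {"guid": "{%s}" % clsid,
            "flags": [n for bit, n in LINK_FLAGS.items() if flags & bit],
            "file_attributes": attrs, "file_size": fsize, "icon_index": icon,
            "show_command": show, "hotkey": hotkey,
            "creation_time": filetime_to_utc(ctime),
            "access_time": filetime_to_utc(atime),
            "write_time": filetime_to_utc(wtime)}

def count_item_ids(data):
    """Count ItemIDs in the LinkTargetIDList (the shitemidlist segments); 0 if absent."""
    if "HasLinkTargetIDList" not in parse_shell_link_header(data)["flags"]:
        return 0
    idlist_size, = struct.unpack_from("<H", data, 76)  # IDListSize follows the header
    pos, end, n = 78, 78 + idlist_size, 0
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size == 0:                              # 2-byte TerminalID
            break
        pos, n = pos + item_size, n + 1
    return n

# Constructed sample: header flagged HasLinkTargetIDList|IsUnicode, creation time
# 2020-01-01 UTC, then a two-item IDList (opaque bytes, not a real path) + terminator.
_ITEMS = b"\x04\x00\x1f\x50" + b"\x05\x00\x2f\x43\x3a" + b"\x00\x00"
SAMPLE_LNK = struct.pack("<I16sIIQQQIIIH10x", 76, LNK_CLSID.bytes_le, 0x81, 0x20,
                         132223104000000000, 0, 0, 0, 0, 1, 0) + \
             struct.pack("<H", len(_ITEMS)) + _ITEMS
```

Running `parse_shell_link_header(open(path, "rb").read())` on a real sample gives the header fields; the timestamps and the target path segments are the pieces that tend to leak something about where the file was built.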