Hackers and snakes-oh my! What do they have in common? Both are shady characters that can hide in plain sight, just waiting for the right moment to strike.

But how do you know if you have any unwanted pests nearby? Often, you just need to go looking for them-and that's exactly what we did. Along the way, we found a very shady Python (and coincidentally, a friendly RAT) just waiting to strike.

Join us on our journey as we show just how important it is to keep your yard-both the real one with green grass and the virtual one with bytes and binaries-clean and tidy. Otherwise, you never know what kind of shady creatures may be lurking in the shadows.

We recently investigated a suspicious link file persisting in a user's startup folder. The file was named "sysmon.lnk" and looked a bit fishy. After some quick initial investigation, we found that the link was executing a malicious Python script that was used to inject a remote access Trojan (RAT) onto the system.

Along the way, we encountered a total of six consecutive payloads and some new offensive tooling which we found pretty interesting. Towards the end, we also experimented with some custom scripts for de-obfuscating data and extracting configuration from the final RAT, resulting in some juicy indicators of compromise (IOCs) with 0 detections on VirusTotal (as of June 2021).

Let's Dive In

Before we go too much further, here's a visual representation of the malware we encountered.

We stumbled upon a suspicious file (sysmon.lnk) that appeared to reside in a user's startup directory. The nature of the startup directory is to hold files that automatically run when a user logs into the computer. Since it looks just like a normal folder, all you need to do is copy and paste a file into the folder, and boom-you can persist, or stick around, between reboots. This provides an easy way for legitimate programs to stick around and keep running. Given its simplicity and stealth, it's a common place that attackers will place malware and malicious files that they want to stick around.

Want to learn more about persistence? Download our eBook Persistence: The Key to Cybercriminal Stealth, Strategy and Success.

C:\\users\\appdata\roaming\microsoft\windows\startmenu\programs\startup\sysmon.lnk

A .lnk file (also known as a shortcut file) redirects to another file or command on the system.
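A quick way to check your own yard for this kind of Startup-folder shortcut is to resolve every .lnk in the per-user and all-users Startup folders and look at what each one actually launches. The script below is an added example written for this post, not code from the original investigation. It uses the WScript.Shell COM object's CreateShortcut method, which reads a shortcut's target, arguments and working directory without running it; the list of interpreters and proxy binaries, the user-writable path patterns and the script-extension check are my own triage heuristics, chosen because the sysmon.lnk described above launched a Python script rather than a normal program.

```powershell
# Added example (not from the original post): triage .lnk files in the Windows Startup folders.
# Each shortcut is resolved through the WScript.Shell COM object (this reads the link, it does
# not execute it) and flagged when it launches a script interpreter, passes a script as an
# argument, points into a user-writable location, or points at a target that no longer exists.
function Get-StartupShortcutReport {
    [CmdletBinding()]
    param(
        [string[]]$Folder = @(
            [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
            [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
        )
    )

    # Interpreters and proxy-execution binaries that rarely belong in a Startup shortcut.
    # This list is an assumption for illustration; tune it to what your fleet legitimately runs.
    $interpreters = 'python', 'pythonw', 'powershell', 'pwsh', 'wscript', 'cscript',
                    'cmd', 'mshta', 'rundll32', 'regsvr32', 'msiexec', 'certutil'
    $writablePath = '\\(AppData|Temp|Public|ProgramData)\\'   # assumed "user-writable" markers
    $scriptArg    = '\.(py|pyw|ps1|vbs|js|bat|cmd|hta)(\s|"|$)'

    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $Folder) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -Force) {
            $lnk    = $shell.CreateShortcut($file.FullName)
            $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
            $name   = [IO.Path]::GetFileNameWithoutExtension($target).ToLowerInvariant()

            $reasons = @()
            if ($interpreters -contains $name)            { $reasons += "launches $name" }
            if ($lnk.Arguments -match $scriptArg)         { $reasons += 'script passed as argument' }
            if ($target -match $writablePath -or
                $lnk.Arguments -match $writablePath)      { $reasons += 'user-writable path' }
            if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target missing on disk' }

            # One record per shortcut; the SHA256 of the .lnk itself is handy for IOC lookups.
            [pscustomobject]@{
                Shortcut   = $file.FullName
                Target     = $target
                Arguments  = $lnk.Arguments
                WorkingDir = $lnk.WorkingDirectory
                Sha256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list every Startup shortcut with the flagged ones first.
Get-StartupShortcutReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A shortcut named after a well-known tool but resolving to an interpreter with a script in AppData or Temp is exactly the pattern worth pulling for a closer look; the hash column lets you check the link file against threat-intel sources before touching the target it points at.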