A couple of days back I tweeted about some interesting LNK file samples I had found on VirusTotal. They were interesting due to their endless Russian Doll-esque style of behaviour, which involved extracting VBE script upon VBE script, patching headers and reversing bytes. As of 31 May 2020, I’ve identified eleven samples dating between 2020-03-02 and 2020-05-29 as uploaded to VirusTotal. They are all consistently created from the same VMware host using the same account, and from the same base LNK template, as seen in the output of LECmd:
So, I have an old domain that I haven’t used: digitalforensics.io. I could keep paying for ownership, and wait and wait for some reason to come up for me to use it. Or, I could use it now by giving it away to someone else who wants to start a digital forensics blog! So that’s what I’m going to do. The Competition Update 2020/05/18! It’s with great pleasure that I announce I have transferred ownership of digitalforensics.
In July 2018, the Chinese-based research group 360 Technical Intelligence Center (TIC) produced a report “蓝宝菇（APT-C-12）针对性攻击技术细节揭秘” (Sapphire Mushroom (APT-C-12) Technical Details Revealed1). This report analysed a malicious LNK file allegedly used by the
In Australia, a platypus is colloquially called the ‘spare parts animal’. It’s an egg-laying mammal, with a duck bill, beaver tail and webbed feet. It’s perfectly adapted to its environment despite looking like a Frankenstein of the animal world. What does this have to do with a malicious LNK file? Well, apart from the fact I like platypuses (or is it platypi?), malware using LNK files stitches together the world between the attacker and the victim.
LNK files have a healthy life in DFIR. There is good reason: they are so awesome for analysis, whether it be linking a user to knowledge of a file, as part of a jump list, or in their use for malicious purposes. In regards to the latter, the MITRE ATT&CK framework describes this as the specific technique ‘shortcut modification’ (T1023), which is summarised as follows: Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Inspired by a post by John Lambert and others who contributed, I’ve put together a table of Base64 encodings for certain file signatures and script elements often encountered in malware analysis. Due to the nature of Base64 encoding, there are different possibilities of the encoding result depending on the placement of the bytes in the overall structure of the blob. Using CyberChef all the possible Base64 offsets can be determined. However, in the below tables for ease I’ve only included the fixed bytes as if the header was at the start of the blob of Base64.
Background Between August 2017 and July 2018 a suspected APT group gained access to the Singapore Health Services Private Limited (SingHealth) patient database and exfiltrated the personal details of 1.5 million patients, including their names, addresses, genders, races, and dates of birth. Of these, 159,000 patients had additional medical data stolen, including the Prime Minister of Singapore. On 10 January 2019, a report titled ‘Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited’s patient database on or around 27 June 2018’ was released containing detailed information in regards to the hack and the subsequent incident response activities.