The FireEye folks recently shared a fascinating article regarding a spear-phishing campaign that involved the use of ‘weaponized’ LNK files, two of which were of particular interest:
2. From the Related Samples section is another LNK file with a filename that includes the Ukranian word for "Conclusion"
It turns out there are some similarities in the metadata of the LNK files, but also some odd differences.
Basepath, shellitemIDlist: C:\Windows\System32\mshta.exe
Description: "Type: Text Document"
Commandline: Very similar, both point to same domain, although the command line in LNK 1 is base64 encoded, and in LNK 2, it isn’t
PropertyStoreDataBlock: both contain the same SID, S-1-5-21-871675894-2481818095-1561791058-1002
Volume SN: Volume serial numbers are different both systems
TrackerDataBlock: Both LNK files have different TrackerDataBlocks, including the machineID field.
In the past, similarities in LNK file metadata (machineID, volume serial number, MAC address) have been attributed to a single VM being shared. So, the question becomes, how do different LNK files include the same user SID, but different volume serial numbers, NetBIOS machine names, and MAC addresses?
The MAC address artifact, I get. I can also see how the iconfilename might be the same; personally, I’m a fan of re-using things that work. The description field is entirely optional, and the fact that they’re the same between LNK files is interesting. In and of themselves, the different values in the TrackerDataBlock (machine ID, MAC address) are not unusual, but given that the SIDs are the same, that is odd. Could it be the result of something like this? If so, that’s pretty darned specific.
Article Link: https://windowsir.blogspot.com/2019/04/lnk-files-in-wild.html