National Cyber Warfare Foundation (NCWF) Forums


Client-Side Exploitation: Poisoning WebDAV+URL+LNK to Deliver Malicious Payloads


0 user ratings
2024-04-11 10:40:17
milo
Red Team (CNA)

 - archive -- 

WebDAV incidents simulate an offensive attack employing a WebDAV server to distribute malware to a client PC. Attackers store malicious payloads and attract users into downloading and executing them. It then analyzes a real-world scenario involving AsyncRat/Purelogs malware to understand defense mechanisms using ANY.RUN interactive malware sandbox and discusses methods to detect such attacks, including […]


The post Client-Side Exploitation: Poisoning WebDAV+URL+LNK to Deliver Malicious Payloads appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



WebDAV incidents simulate an offensive attack employing a WebDAV server to distribute malware to a client PC. Attackers store malicious payloads and attract users into downloading and executing them.





It then analyzes a real-world scenario involving AsyncRat/Purelogs malware to understand defense mechanisms using ANY.RUN interactive malware sandbox and discusses methods to detect such attacks, including the creation of detection rules. 





See how ANY.RUN can benefit your organization. You can get free access for your security team.





Successful connection to the attacker’s host




To simulate a client-side WebDAV exploit, they set up a Kali Linux attacker machine and a Windows target machine, then create an LNK shortcut that launches the calculator, upload it to a WebDAV server, and use a URL file as a proxy to initiate a download and execution on the target machine. 









The attack involves establishing network connectivity, creating malicious files, starting a WebDAV server, and executing the URL file on the target, successfully launching the calculator while logging a connection on the server.





Result of executing the command




An attacker uses a phishing email to deliver a malicious URL file, which links to a malicious LNK file hosted on a WebDAV server. When the user launches the URL file, the LNK downloads a malicious BAT file and executes it. 





Visualization of the execution chain 




The YARA rule identified the URL file, the YARA hunting rule detected the LNK file on disk, and the SIGMA rule recognized the specific command line used during execution. 





YARA Rule




The Suricata rule identified the network connection to the WebDAV server and by combining these detection methods, ANY.RUN effectively defends against WebDAV exploitation attacks.  





Blocking URL execution 





Defenders can block URL file execution attacks by blocking these files from running within Windows settings. Threat intelligence and analysis of detected artifacts aid in identifying the attack vector. 





Blocking URL Extension




Regular expressions on the command line or URL filters can be used to search for malicious patterns, while Suricata, a network security monitoring tool, can be employed to detect triggered rules that might indicate such attacks.





By implementing these methods, defenders can proactively prevent URL file execution attempts. 





SURICATA Rule




Researchers investigated client-side exploits that use WebDAV servers and LNK files to send malware. They made rules that looked for malicious URL/LNK files, strange activity on the command line, and connections to WebDAV servers.





Disabling LNK/URL execution in Windows settings can also be a preventative measure, which likely uses a threat analysis sandbox like ANY.RUN allows security professionals to analyze malware samples in a controlled environment. 





About ANY.RUN 





ANY.RUN’s flagship product is an interactive malware sandbox that helps security teams efficiently analyze malware. 





Every day, a community of 400,000 analysts and 3000 corporate clients use our cloud-based platform to analyze Windows and Linux threats. 





Integrate ANY.RUN Threat Intelligence in Your Organization: Contact Sales





Key advantages of ANY.RUN for businesses: 






  • Interactive analysis: Analysts can “play with the sample” in a VM to learn more about its behavior. 




  • Fast and easy configuration. Launch VMs with different configurations in a matter of seconds. 




  • Fast detection: Detects malware within roughly 40 seconds of uploading a file. 




  • Cloud-based solution eliminates setup and maintenance costs. 




  • Intuitive interface: Enables even junior SOC analysts to conduct malware analysis. 





Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.


The post Client-Side Exploitation: Poisoning WebDAV+URL+LNK to Deliver Malicious Payloads appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/poisoning-webdavurllnk/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.