Client-Side Exploitation: Poisoning WebDAV+URL+LNK to Deliver Malicious Payloads

WebDAV incidents simulate an offensive attack employing a WebDAV server to distribute malware to a client PC. Attackers store malicious payloads and attract users into downloading and executing them.

It then analyzes a real-world scenario involving AsyncRat/Purelogs malware to understand defense mechanisms using ANY.RUN interactive malware sandbox and discusses methods to detect such attacks, including the creation of detection rules. 

See how ANY.RUN can benefit your organization. You can get free access for your security team.

Successful connection to the attacker’s host

To simulate a client-side WebDAV exploit, they set up a Kali Linux attacker machine and a Windows target machine, then create an LNK shortcut that launches the calculator, upload it to a WebDAV server, and use a URL file as a proxy to initiate a download and execution on the target machine. 

The attack involves establishing network connectivity, creating malicious files, starting a WebDAV server, and executing the URL file on the target, successfully launching the calculator while logging a connection on the server.

Result of executing the command

An attacker uses a phishing email to deliver a malicious URL file, which links to a malicious LNK file hosted on a WebDAV server. When the user launches the URL file, the LNK downloads a malicious BAT file and executes it. 

Visualization of the execution chain 

The YARA rule identified the URL file, the YARA hunting rule detected the LNK file on disk, and the SIGMA rule recognized the specific command line used during execution. 

YARA Rule

The Suricata rule identified the network connection to the WebDAV server and by combining these detection methods, ANY.RUN effectively defends against WebDAV exploitation attacks.  

Blocking URL execution 

Defenders can block URL file execution attacks by blocking these files from running within Windows settings. Threat intelligence and analysis of detected artifacts aid in identifying the attack vector. 

Blocking URL Extension

Regular expressions on the command line or URL filters can be used to search for malicious patterns, while Suricata, a network security monitoring tool, can be employed to detect triggered rules that might indicate such attacks.

By implementing these methods, defenders can proactively prevent URL file execution attempts. 

SURICATA Rule

Researchers investigated client-side exploits that use WebDAV servers and LNK files to send malware. They made rules that looked for malicious URL/LNK files, strange activity on the command line, and connections to WebDAV servers.

Disabling LNK/URL execution in Windows settings can also be a preventative measure, which likely uses a threat analysis sandbox like ANY.RUN allows security professionals to analyze malware samples in a controlled environment. 

About ANY.RUN 

ANY.RUN’s flagship product is an interactive malware sandbox that helps security teams efficiently analyze malware. 

Every day, a community of 400,000 analysts and 3000 corporate clients use our cloud-based platform to analyze Windows and Linux threats. 

Integrate ANY.RUN Threat Intelligence in Your Organization: Contact Sales

Key advantages of ANY.RUN for businesses: 

  • Interactive analysis: Analysts can “play with the sample” in a VM to learn more about its behavior. 
  • Fast and easy configuration. Launch VMs with different configurations in a matter of seconds. 
  • Fast detection: Detects malware within roughly 40 seconds of uploading a file. 
  • Cloud-based solution eliminates setup and maintenance costs. 
  • Intuitive interface: Enables even junior SOC analysts to conduct malware analysis. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.