Client-Side Exploitation: Poisoning WebDAV+URL+LNK to Deliver Malicious Payloads

The WebDAV scenario described here simulates an offensive technique in which a WebDAV server is used to distribute malware to a client PC. Attackers host malicious payloads on the server and lure users into downloading and executing them.

The research then analyzes a real-world scenario involving AsyncRat/Purelogs malware to understand defense mechanisms using the ANY.RUN interactive malware sandbox, and discusses methods to detect such attacks, including the creation of detection rules.


Successful connection to the attacker’s host

To simulate a client-side WebDAV exploit, the researchers set up a Kali Linux attacker machine and a Windows target machine. They then create an LNK shortcut that launches the calculator, upload it to a WebDAV server, and use a URL file as a proxy to initiate the download and execution on the target machine.

The attack involves establishing network connectivity, creating malicious files, starting a WebDAV server, and executing the URL file on the target, successfully launching the calculator while logging a connection on the server.

Result of executing the command

An attacker uses a phishing email to deliver a malicious URL file, which links to a malicious LNK file hosted on a WebDAV server. When the user launches the URL file, the LNK downloads a malicious BAT file and executes it. 

Visualization of the execution chain

The YARA rule identified the URL file, the YARA hunting rule detected the LNK file on disk, and the SIGMA rule recognized the specific command line used during execution. 

YARA Rule

The Suricata rule identified the network connection to the WebDAV server. By combining these detection methods, ANY.RUN effectively defends against WebDAV exploitation attacks.

Blocking URL execution

Defenders can block URL file execution attacks by blocking these files from running within Windows settings. Threat intelligence and analysis of detected artifacts aid in identifying the attack vector. 

Blocking URL Extension

Regular expressions on the command line or URL filters can be used to search for malicious patterns, while Suricata, a network security monitoring tool, can be employed to detect triggered rules that might indicate such attacks.

By implementing these methods, defenders can proactively prevent URL file execution attempts. 
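The detection logic described above, as an added example that is not part of the original article or ANY.RUN's rules: it parses a URL (InternetShortcut) file for a target hosted on a WebDAV share, flags targets with executable extensions, and applies the same WebDAV UNC pattern to process command lines the way a Sigma rule would. The sample URL file, host address and command lines are constructed placeholders.

```python
import configparser
import re
from typing import List, Optional

# Constructed sample of a .url (InternetShortcut) file whose target is a
# .lnk hosted on a WebDAV share. The host, port and path are placeholders.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://192.0.2.10@80/DavWWWRoot/invoice.lnk
IconIndex=1
"""

# Constructed sample command lines, as a Sysmon/EDR process log might record them.
SAMPLE_CMDLINES = [
    r'"C:\Windows\explorer.exe" \\192.0.2.10@80\DavWWWRoot\invoice.lnk',
    r'"C:\Windows\System32\cmd.exe" /c "C:\Users\bob\AppData\Local\Temp\report.bat"',
    r'"C:\Windows\System32\notepad.exe" C:\Users\bob\notes.txt',
]

# WebDAV reached over UNC: \\host@80\..., \\host@SSL@443\..., file://host@80/...,
# or any path using the DavWWWRoot share alias (the marker a Sigma rule would key on).
WEBDAV_UNC = re.compile(
    r'(?:\\\\|file:/{2,3})[\w.-]+@(?:SSL@)?\d+[\\/]|DavWWWRoot', re.IGNORECASE)

# Executable or script types a shortcut should never need to fetch from a remote share.
RISKY_EXT = re.compile(r'\.(lnk|bat|cmd|exe|hta|js|vbs|ps1)(?:[?#]|$)', re.IGNORECASE)


def url_file_target(text: str) -> Optional[str]:
    """Return the URL= target of an InternetShortcut file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_url_file(text: str) -> List[str]:
    """Findings for a .url file: target on WebDAV and/or target is executable."""
    target = url_file_target(text)
    findings: List[str] = []
    if target is None:
        return findings
    if WEBDAV_UNC.search(target):
        findings.append("url_target_on_webdav")
    if RISKY_EXT.search(target):
        findings.append("url_target_is_executable")
    return findings


def suspicious_cmdlines(lines: List[str]) -> List[str]:
    """Command lines that reference a WebDAV UNC path (the Sigma-style check)."""
    return [line for line in lines if WEBDAV_UNC.search(line)]
```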

SURICATA Rule

Researchers investigated client-side exploits that use WebDAV servers and LNK files to deliver malware. They wrote rules that look for malicious URL/LNK files, suspicious command-line activity, and connections to WebDAV servers.

Disabling LNK/URL execution in Windows settings can also serve as a preventive measure, and a threat analysis sandbox such as ANY.RUN allows security professionals to analyze malware samples in a controlled environment.

About ANY.RUN

ANY.RUN’s flagship product is an interactive malware sandbox that helps security teams efficiently analyze malware. 

Every day, a community of 400,000 analysts and 3000 corporate clients use our cloud-based platform to analyze Windows and Linux threats. 


Key advantages of ANY.RUN for businesses: 

  • Interactive analysis: Analysts can “play with the sample” in a VM to learn more about its behavior.
  • Fast and easy configuration. Launch VMs with different configurations in a matter of seconds.
  • Fast detection: Detects malware within roughly 40 seconds of uploading a file.
  • Cloud-based solution eliminates setup and maintenance costs.
  • Intuitive interface: Enables even junior SOC analysts to conduct malware analysis.


Kaaviya Balaji

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
