Christmas "Gift" Delivered Through SSH

Dec. 20, 2024, 5:11 p.m.

Description

A malicious file named "christmas_slab.pdf.lnk" was discovered, utilizing Windows' built-in SSH support to deliver malware. The LNK file executes ssh.exe to transfer and run a PE file from a remote server. The attack leverages the SSH/SCP protocol, taking advantage of its widespread availability on modern Windows systems. The malicious payload is downloaded from an IP address belonging to Apple's range, raising suspicions. The LNK file's command line arguments reveal the attacker's intent to bypass host key checking and execute the downloaded malware. This technique demonstrates how threat actors are adapting to use legitimate system tools for malicious purposes.

External References

https://isc.sans.edu/diary/rss/31538
https://otx.alienvault.com/pulse/67659b30aa093d84994efd9a
Tags
lnk file
ssh
2024-12-20

Date

  • Created: Dec. 20, 2024, 4:28 p.m.
  • Published: Dec. 20, 2024, 4:28 p.m.
  • Modified: Dec. 20, 2024, 5:11 p.m.

Indicators

  • 8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494
Download all indicators here!

Attack Patterns

  • T1059.001
  • T1547.001
  • T1204.002
  • T1105
  • T1570