30 January 2024: don't take the shortcut

Thank you for reading this newsletter. If someone forwarded this newsletter to you, that is very kind of them and don't forget to thank them for it. You can subscribe here to receive future newsletters directly into your inbox.

Feedback and suggestions are always welcome!

Martijn
martijn@lapsedordinary.net

Don't take the shortcut

Security company SentinelOne analyzed a recent targeted malware campaign by a North Korean threat actor (linked to the country's government), whose targets include media organizations. SentinelOne refers to the threat actor by the name Scarcruft, but the same actor is also known by other names, such as APT37 or Reaper.

The targeting of media — in this case, presumably media writing about North Korea-related issues — made me read the analysis with more interest. Aside from that, it provides a good opportunity to look into one common way of malware delivery.

The malware here was delivered via emails carrying a zip attachment which, so the email claimed, contained information about a meeting on human rights. The zip attachment contained seven files, including one PowerPoint file and six files for Hangul Word Processor, a popular Korean word processor. These files are all benign and might give the impression that there is nothing wrong with the attachment.

However, the other two files are .lnk files. Those are the ones to be concerned about.

You may not know .lnk files, but you have certainly seen them before: they are shortcut files for Windows (which always hides the .lnk extension). They can be used to open, say, your favorite browser from your desktop without having to copy the browser program there: you just add a shortcut to the program on your desktop.

They can do a little more than just run a program though: they can run a program with arguments, so you could, for example, create a shortcut on your desktop that opens your favorite browser in private mode and loads your favorite web page.

It is this feature of .lnk files that is commonly abused to deliver malware. Essentially, such files run legitimate Windows programs that, through arguments, can be used to download and run content from the Internet.

Malicious .lnk files tend to use a lot of obfuscation in an attempt to evade antivirus detection, which frustrates manual analysis. If you want to understand what such a file does, by far the easiest thing to do is use a public malware sandbox. Triage is my personal favorite, but there are other equally good options available.

If you do really want to go for manual analysis, there is Eric Zimmerman’s LECmd tool. It runs on Windows and you should really only run it inside a virtual machine (and then disable Microsoft Defender). For Mac or Linux there are some scripts available online, but the strings command should probably work too.
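To make the "program plus arguments" idea and the manual-analysis option concrete, here is an added example (written by the editor, not code from the newsletter, SentinelOne or LECmd): a small Python parser that reads the header and string fields of a .lnk file and returns a few analyst hints, the kind of thing the Mac and Linux scripts mentioned above do. It assumes the simplest layout (it skips the optional ID list and LinkInfo block rather than decoding them), and the two shortcuts it inspects are constructed inline, so it runs anywhere Python runs.

```python
"""Minimal Shell Link (.lnk) parser with a few analyst hints.

Added example for this newsletter, not code from the original post or from any
of the tools it mentions.  Assumptions: it handles the ShellLinkHeader, skips an
optional LinkTargetIDList and LinkInfo block, and reads the StringData fields;
the shortcut bytes used below are constructed here, not taken from any real sample.
"""
import re
import struct

# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def build_lnk(fields, show_command=1, id_list=None):
    """Assemble a minimal shortcut: 76-byte header, optional IDList, Unicode StringData."""
    flags, body = IS_UNICODE, b""
    if id_list is not None:
        flags |= HAS_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    for key, bit in STRING_FIELDS:
        if fields.get(key) is None:
            continue
        flags |= bit
        body += struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0)   # size, CLSID, flags, attrs
    header += b"\x00" * 24                                        # three FILETIME stamps
    header += struct.pack("<IIIH", 0, 0, show_command, 0)         # size, icon, ShowCommand, hotkey
    header += b"\x00" * 10                                        # Reserved1/2/3
    return header + body


def parse_lnk(data):
    """Return the header ShowCommand and every StringData field present."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        nbytes = count * 2 if unicode else count
        raw = data[pos + 2:pos + 2 + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {key} field")
        info[key] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += 2 + nbytes
    return info


def triage_notes(info):
    """Cheap hints for a first look; none of them proves anything on its own."""
    notes, args = [], info.get("arguments", "")
    if URL_RE.search(args):
        notes.append("arguments contain a URL")
    if len(args) > 260:
        notes.append(f"unusually long arguments ({len(args)} chars)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        notes.append("target window is started minimised and inactive")
    return notes


# Constructed sample 1: the browser-in-private-mode shortcut described in the text
BENIGN_LNK = build_lnk({
    "name": "Example, privately",
    "relative_path": "..\\..\\Program Files\\Mozilla Firefox\\firefox.exe",
    "arguments": "-private-window https://example.org/",
})
# Constructed sample 2: hidden window plus a long opaque argument string, the
# shape that deserves a closer look (or a sandbox run) before anything else
OPAQUE_LNK = build_lnk({
    "relative_path": "..\\..\\Windows\\System32\\cmd.exe",
    "arguments": "/c " + "A" * 600,
}, show_command=SW_SHOWMINNOACTIVE, id_list=b"\x00\x00")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("opaque", OPAQUE_LNK)):
        info = parse_lnk(blob)
        print(label, info.get("relative_path"), info.get("arguments", "")[:40])
        print("  notes:", triage_notes(info) or "none")
```

The hints are deliberately crude: a URL in the arguments is exactly what the private-browsing shortcut from the text legitimately contains, so the notes are a prompt to look further (or to hand the file to a sandbox), not a verdict. The parser raises on anything that is not a Shell Link, which is what you want when a file merely has a .lnk extension.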

A common feature of many such threats (including the recent Scarcruft campaign) is that aside from installing malware, the .lnk file also opens a benign document, so the user who inadvertently opens the file won’t suspect anything malicious happened. That is, assuming antivirus won’t block it. It probably will, but that is not something you should count on.

So what is someone worried about these kinds of files to do? Not opening .lnk files sent by email is good advice — I can’t think of a good reason why someone would need to receive such files through email — but it’s hardly practical: how is someone supposed to remember which file extensions are safe?

The same is true for the commonly given advice not to open attachments from strangers: for some people, including some people who are at high risk of security threats, part of their job involves occasionally opening such emails.

There is unfortunately no simple solution, though the usual advice of keeping your operating system up to date and running antivirus software certainly helps.

Other than that, if you are really worried, consider running a virtual machine (such as Ubuntu in VirtualBox) to open email attachments in. It's not technically difficult to set up, but also not a trivial workflow to get used to. But for high-risk individuals, complicated workflows are unfortunately hard to avoid.

What else?

Another malicious .lnk file was analyzed by security company Cyble. The decoy file in this case is a document about applying for asylum in the United States, so it is possible that refugees were a target of the campaign. (Cyble doesn't write about the targeting; it is quite likely they don't know who the targets are and just found the malware in a public repository like VirusTotal.) The malware downloaded in this case is called 'Metastealer' which, as the name suggests, steals information from infected devices.

Engage Media has an article about military checkpoints in Myanmar, where those passing are often required to show the contents of their phone. There has been a lot of discussion in the digital security community on devices being checked at the border and the technologies that may be used to read data from locked phones, but for many people, including those in Myanmar, the real threat is that of a military officer going through one's social media accounts.

There's not a lot of good news coming from X/Twitter these days, but one piece of good news is that iOS users in the US can now protect their account using passkeys. Passkeys use the security of your device, such as a phone, and the authentication (such as a fingerprint) you have set on it to sign into online services. If you want to try out passkeys, passkeys.io lets you do so without having to set it up for any of your real accounts.

Micah Lee, director of information security at The Intercept, wrote a book for journalists and other researchers who want to analyze hacked or leaked data. I have yet to read the book, but heard good things about it. You can buy it at No Starch or access it for free on a dedicated website. As a teaser, you can hear Micah being interviewed on Vice's Motherboard podcast, and read a written interview with him at The Markup.

Non-security things

A book I enjoyed: I don't know any book of fiction that mentions the finger command, other than The Idiot by Elif Batuman and its follow-up, Either Or, which I read late last year. I went to university at roughly the same time as the books' narrator Selin did. I too regularly used the finger command to see when someone had last been online. And like Selin, I too was a little bit confused about other human beings, but a lot less capable than Selin is at expressing that confusion. The relatability makes me love both books, yet also made me a little sad that I didn't have such books to read when I was a student. But then, Batuman wrote both books long after she was a student so maybe we both benefit from the wisdom of being older.

A song I liked: In Athens in November, I finally got to see the Magnetic Fields play live. It was a good concert. Not brilliant, perhaps, but sometimes what matters most is the mere fact of seeing one's favorite songs performed live. Such as All My Little Words (Spotify - YouTube - YouTube live in Athens), the song that once introduced me to the word unboyfriendable. And though sadly the original vocalist has since passed away, it was still wonderful to see it performed right in front of my eyes.