
[Music] So thank you for coming to this talk. My name is Guilherme, I work as a threat researcher at Cisco Talos, and I'm going to talk today about how we can use metadata in files to track and detect malicious actors. Just a little bit about me: I used to work at McAfee here in Portland for about 12 years. I worked on the detection team, I led the detection team, I worked with product design, red teaming, EDR, XDR, everything that you can imagine in an AV company. So when I moved to Cisco Talos about a year and a half ago, I have this detection mentality: I look at something and I think, how can I detect this malware? So that's my main focus in Talos. I work on the Outreach team, which is the team inside Talos that talks about security, APT groups and malicious software, so we are more focused on talking about these threats, and my focus in this group is this kind of malware: how to detect malicious activity, how the different commodity malware work, and things like that. So this talk is about that.

The first thing that I did when I joined the team was to start looking at the current state of the malicious activity in the world: what are the actors doing to distribute their malware, to infect victims? And at the time one thing that was very talked about was Microsoft deciding to create some security measures to stop macro documents from working the way that the malicious actors were using them, like the auto-open feature, the macros that were running automatically when you open the document. Microsoft decided to put a brake on this kind of thing, so they implemented a few changes in the way that Office works in order to prevent these macros from working. One thing that they did was create the Mark of the Web
feature that keeps track of files that came from outside of your machine, so if you try to open a document that came from an email or was downloaded from a website, for example, the macros are not executed unless you actively go there and enable the macros. So at the time that I started my research I noticed that they were changing behavior: the malware that I was tracking, mostly commodity malware, was changing from using macros to using something else, and that something else came as a result of a vulnerability that was disclosed at the time. Some researchers discovered that if you have some files inside a zip file that was distributed through email or downloaded from the web, the Mark of the Web doesn't move to the files that were extracted from this container. So the containers that could be used to distribute these files would prevent the actual malicious files from getting the Mark of the Web, and the operating system would gladly open them and execute them without any issues.

One thing that they started using at the time was LNK files. LNK files are a very interesting file type, because it's a file that is very small, so it can be distributed in email or downloaded and it's very quick to download, and it can allow you to do a lot of things: link to a file on a remote share, execute commands with parameters, and a lot of different actions on the system. And this was everything that they needed, right? If you have a LNK file pointed at PowerShell you can execute a lot of things from that small LNK file. I started looking at a few groups at the time, specifically Qakbot. Qakbot is, it was, a banking malware that came around 2007, 2008. I started tracking it at McAfee in 2009, so it's kind of my nemesis; I've been tracking Qakbot since forever, and that's the first thing that I looked at: what's Qakbot doing now? And they started working with LNK files around the end of 2021, 2022, and I started looking at these LNK files to see how I can detect them, what is important there. Other groups that I kept an eye on: Gamaredon, which was targeting Ukraine, that's the start of the war, and Bumblebee, IcedID, Emotet, the commodity malware that were very popular at the time.

So when I started looking at LNK files I noticed something interesting. LNK files are a file object that points to another file object on the system, and they have some characteristics that are created by the
APIs that Windows uses to create shortcuts. They have some metadata in the file that is introduced by the APIs themselves; it's not something that the user actively put there or something that is actively put in the file, the APIs create this information. For example, you have the times that they were created, when the shortcut was created, accessed, and things like that; you have information about the folders where this shortcut is pointing to; and you have information about the machines where this LNK file was created and where it was moved to, because when you have a shortcut that moves from one machine to another, that second machine might not have the same pointers, so the shortcut will be invalid, and Windows keeps track of this information by changing some fields inside the shortcut when you open it on a new machine.

So I thought, how can we use this metadata to detect this malware, to detect this activity? Because if you look at just the target of the shortcut you might miss some things. For example, OK, I'm detecting PowerShell inside a LNK file, but there's a lot of Windows processes or valid software that use PowerShell inside LNK files, so you cannot just detect PowerShell, you cannot just detect based on parameters, for example a command-line parameter that is passed to PowerShell, and if you try to detect on obfuscated code you'll be hunting these guys forever, because they change one byte, you lose the detection, they change another byte. So it's not feasible to keep track of these LNK files, or these malicious files in general, by looking at the specific code that is there. So I thought, how can we go back a little bit to the LNK file itself, how can we detect that? So I found a few pieces of information there. One thing is, for example, the drive serial number. Windows, when you create a shortcut, adds information about the machine that was used to create that LNK file, and one of them is the drive serial number of the machine that created that LNK file. This doesn't change when the LNK file moves to a different machine, so I have the specific information of what machine, what drive the LNK file was on when it was created. I have the user ID of the user that created this. I have the MAC address of the machine, because they use the MAC address to generate, it's a little small there, but on the bottom there is some DROID information, I forgot to highlight this, but it's a GUID that is generated when you create a LNK file, and it contains the MAC address as part of this ID, so the
machine that created the LNK file, I have it in the MAC address that I can match to a specific machine. So keep that in mind; we'll see how this was important later.

And when you talk about commodity malware, you're talking about families that generate hundreds, thousands of different samples every day to spam to new victims, right? You have Qakbot, for example, that downloads a different hash every time that you try to connect to their download site, and you have Emotet that spams millions of samples every day; they are different hashes, so it's not the same hash. And when you're talking about distributing LNK files, how do you generate these LNK files? There is no compiler to generate LNK files like you have for a binary, for example, that has a source code and then you generate the binary. But for LNK files there are a lot of tools that you can use, so I started fingerprinting these tools and seeing what are the telltales that someone used a builder tool. For example, there is one called macro_pack that also generates LNK files; there are a few other tools that are available for free that you can use, and when you look at the output of the samples you can see some characteristics. For example, in some cases the entire metadata for the LNK file is wiped out: there is no metadata at all, you just have the argument for the LNK file that points to some program and nothing else. So this is something that you still can use to detect: the lack of metadata that is by default added to a LNK file when you create it is something interesting to detect, right? So for example that rule that I created there on VirusTotal basically looks for a LNK file that had this metadata wiped out. I check a few fields there that are always present when you create a LNK file and look for a target that has a JS, BAT or CMD extension. This was used by Qakbot. After the research that I did here, Qakbot started wiping out the metadata in the files because they knew that they could be tracked by this; we'll see this in a bit. But this is an example of how you can use the metadata, or the lack of metadata, in a file to detect these things.

So this is just an overview of samples that I found on VT that I could map to specific families, and you can see how this activity changes with time. Probably around here, February, March 2022, Microsoft implemented the changes on macros, so macros did not work anymore as
the actors, the threat actors, expected, and you can see a steady increase in the use of LNK files for malicious purposes. One threat actor that was very active at the time in using LNK files was Qakbot. You can see here a huge spike around September, October, because one characteristic of Qakbot is that they have development cycles, so they had a stop here around May, right after the macros stopped working; they stopped for a couple of months and then they came back using the LNK files with ISO as the container, and you can see a huge spike there. But this big purple line here is actually LNK files that have all the metadata wiped from them, so we cannot use them to map to a specific family, but we can see that there is a huge spike around November, December, and then these last couple of months now, because these LNK files are usually the output of the free tools that you can use. So when you have a tool that can generate hundreds, thousands of files in a batch, you have something like that: a lot of different samples with different hashes that appear on VT.

And besides the wiped metadata there, that is kind of different from the rest, we can see that around this time frame here we have a crash in the use of LNK files. Does anyone know what happened at that time? There are two things that happened. One is that Microsoft fixed the bug in Mark of the Web to now keep track of files that were extracted from containers, so ISO, zip files, RAR files would now keep the Mark of the Web for the files that were inside them; so if a file came from the web or the email and it's extracted from a zip file, it would have this Mark of the Web. And they also added a lot of rules to detect LNK files coming from zip files, so this basically killed at the time the activity in terms of zip files. The other thing that happened is that around August of that year someone on Twitter disclosed the information that OneNote documents, created for OneNote, also didn't keep track of the Mark of the Web. So when Microsoft implemented the changes for ISO and zip, they didn't implement the changes for OneNote, right? So we had something interesting: you have LNK files not working as intended anymore because of the Mark of the Web, and you have a new file format that doesn't apply Mark of the Web,
so when you put these two together you have a new delivery mechanism. That is what happened there. And OneNote is interesting because it also has a lot of metadata in the file. All these Office documents have a lot of metadata there; they are not as useful as LNK files, but they still can be used to correlate with specific fields or specific file types and then used for detection. They are less useful for tracking but more useful for detection. And this is what happened: these are again samples from VirusTotal that are considered malicious. I put here a limit of at least 10 detections for the samples in VT to make sure that they were really malicious, because there's a lot of OneNote files that end up in VT. But we can see that around January, February, March we have a huge spike in the usage of OneNote as a delivery mechanism for malware, and a huge crash after that, because Microsoft decided to fix the issue for OneNote; they already did it for zip and ISO files before. When they did it for OneNote you see that the threat actors stopped using it, because it was not worth their time anymore; they were not getting the results that they expected from this. And this is one thing that was very clear with this research: they react very fast to changes in the threat landscape. When there is a new patch, when there's a new vulnerability disclosed, they don't take long to start using it, or to stop using it or discard the method and go for something easier. We saw that in the LNK information, that they went back to LNK files as a delivery mechanism but wiping out all the metadata to make it more difficult to detect, because when you create a detection you need to make sure that you're detecting malicious files, right? And if the file doesn't have much information there, it's very difficult to make a difference between a malicious file and just any file that is on the system. So even though we still have the Mark of the Web problem, they are still able to use this kind of delivery mechanism but make it more difficult for detection.

So for example here is one, it's very small, I didn't think it was going to be so small, example of metadata there. One thing that I highlighted here: this is an example of a OneNote that was used for Qakbot. We have a lot of information about the page itself: one page count, one image count, one payload count; the content of the page is just two enters; and the image metadata. So the image that is shown on the page when you open it, the name is in Russian and it basically says "unnamed drawing". But when you put these things together, you have a Russian file name with a document that doesn't have any text content and just one page, and when you put all these characteristics together you can say with high confidence that this is something suspicious, right? There might be someone that created a one-page document that will probably be detected if you create a detection for this, but the chance of detecting something malicious when you put all of this correlated together is high. So it's a good detection technique when you look
at these fields in metadata and make these correlations.

So let's see now how I used this information that I showed you guys to track some of these threat actors. The first is Gamaredon. Gamaredon is a Russian-based group that usually targets victims around the globe, but they mostly focus on Eastern European victims, and by the time that the Russian invasion happened they started targeting victims in Ukraine. So we at Cisco did a lot of work in trying to help Ukraine in the cyber space, and we tried to look at Gamaredon and see how we could prevent these attacks from them, right? So one thing that Gamaredon did at the time was they had phishing or malspam emails with a document attached to these emails, a Word document, and inside the Word document they had a LNK file as an OLE object inside the document. When you click that LNK file inside the document it would open and execute the PowerShell scripts that were the characteristic of Gamaredon at the time. So I took these LNK files from the documents and I started looking at the metadata to see how to detect these things, right? And one thing that I noticed when I looked specifically at the drive serial number for the LNK files that we've seen coming from Gamaredon is that they always have the same exact drive serial number: one single serial number for all the LNK files that were used in Gamaredon attacks. It doesn't matter where it came from, all the LNK files that were used to attack Ukraine came from that single machine. And when I looked historically at this drive serial number, by looking at VT, looking at old reports on Gamaredon that had LNK files as a delivery mechanism, I noticed that all of these also had the same serial number, and I could go back to reports from 2017 on Gamaredon that had LNK files as a delivery mechanism that had the exact same one. Another thing that I found is that, for example, there was a company in 2022 that released a report on a new actor targeting Ukraine called GlowSand. I looked at their samples: same exact serial number. So I knew that it was Gamaredon; they were calling it by another name, but it was Gamaredon, because there was one single machine that created all these LNK files.

And one thing that was interesting in terms of Gamaredon is that they started using at some point LNK files that had some weird sizes. The LNK file is usually small, right, 2K, 1K, and these files were in the megabytes, one megabyte, 800K, something like that, which is very big for a LNK file. So I looked at the file and I noticed that there was a full digital certificate at the end, a code-signing certificate from a PE file. And I said OK, but why? There is no provision in the LNK file format for digitally signing a shortcut; there's no such thing as digitally signing a shortcut. So I looked at the files and I noticed that if you take the same file and you put the digital signature on the file and you send it to VT, the detections drop drastically, sometimes even no detection at all on the samples, because of the digital certificate on the file. Not just because it's garbage, but because, I guess, I won't say that I've seen this before, but I guess that the AVs check the certificate on the file without checking the file type and say OK, this is Microsoft, I will not attack that, and just pass the file as clean without actually looking at the file type and the contents to see if there is really a reason to have a digital certificate here. So this is something that they were using there. I found this because I had the rules to detect the drive serial number, and when I looked at the files I thought, hey, my rule is probably falsing,
because I have a lot of files here that have zero detections. And when I looked at the files they were really Gamaredon, but with the digital certificates.

And there were some interesting correlations that I could do with that. Besides tracking historically the activities of a group, there are some correlations that I could do based on this data. I started to create a database of metadata for LNK files, and, just a side note, I hate Kibana, but I used Kibana to store this information and started to try to find correlations between the samples. And I found something interesting: machines that were used to distribute Qakbot were also used to, not distribute, sorry, I'll get there; machines that were used to create LNK files that were distributing Qakbot were also used to create LNK files that were distributing Bumblebee and IcedID. The same serial numbers were being used to create LNK files that go to one malware or to the other. What that means is that the threat actors that were distributing Qakbot were probably creating payloads to distribute this other malware too. And this correlation between Qakbot and Bumblebee was disclosed by the time that there was this leak of the Conti chat logs. The Conti group, which was a ransomware group at the time, had their chat logs leaked by some disgruntled member, and in the chat logs there were discussions about the developers behind Qakbot also being part of the management groups that were taking care of Bumblebee and IcedID. So I could confirm by the metadata in the LNK files that this was true: there were Qakbot developers or Qakbot distributors that were creating payloads for these different families, based on the LNK metadata that was being used at the time to distribute these families.

So, yeah, sorry, the images were too small there on the corner, but this is just an example of the different serial numbers and the payloads that were triggered at the time. And there was one interesting case here. You guys will not be able to see, but this user here, the parsing path field in the LNK file, contains the path where the LNK file was created, right, or where the LNK file was pointing to, and it says here C:\Users\Lamar. And it was interesting because I saw a LNK file in VT that had this C:\Users\Lamar and it was pointing to a random file, it was not anything malicious, but it had the same serial number as Qakbot. And I thought, OK, this is weird, this might be another false positive on my rule, let's keep an eye on this. Two days later the same user sent a bunch of files, or the same, it's not the guy himself who sent them, but someone sent a bunch of files that had the same path using the same serial number, but this time dropping IcedID. So the guy that created the LNK files is probably this Lamar user, or has a machine where this user is the user that they have there, I don't know if it's his real name, but that user created the LNK files on the same machine that was used to create Qakbot before and was distributing IcedID. I found the same thing for Bumblebee.
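As an added example, not part of the talk and not Talos's tooling, here is a small Python parser for the shortcut fields described earlier (the header timestamps, the drive serial number and local base path from LinkInfo, the arguments, and the machine name and MAC address embedded in the version-1 DROID GUIDs of the TrackerDataBlock), plus a wiped-metadata heuristic modelled on the VT rule mentioned above and a helper that finds serial numbers shared across family labels, which is the cross-family correlation just described. It builds its own constructed sample shortcuts (serial, path, MAC and host name are made up) rather than reading real ones.

```python
"""Constructed example: read the tracking fields out of a Windows shortcut (.lnk), following MS-SHLLINK:
header, optional IDList, optional LinkInfo (VolumeID with the drive serial), StringData, ExtraData blocks."""
import struct
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003               # ExtraData signature of the TrackerDataBlock
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SCRIPT_EXT = (".js", ".bat", ".cmd")


def ft_to_dt(ft):                      # FILETIME (100 ns ticks since 1601) -> datetime, 0 -> None
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def parse_lnk(data):
    """Return the fields a tracker cares about; raise on anything that is not a shell link."""
    hdr_size, clsid, flags, _attr, ctime, atime, wtime = struct.unpack_from("<I16sIIQQQ", data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link")
    meta = {"created": ft_to_dt(ctime), "accessed": ft_to_dt(atime), "written": ft_to_dt(wtime),
            "drive_serial": None, "base_path": None, "arguments": None, "machine_id": None, "macs": set()}
    off = hdr_size
    if flags & 0x01:                                   # HasLinkTargetIDList: skip the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                   # HasLinkInfo
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x01:                            # VolumeIDAndLocalBasePath present
            _vsize, _dtype, serial = struct.unpack_from("<III", data, off + vol_off)
            meta["drive_serial"] = f"{serial:08X}"     # written by the creating host, kept on copies
            meta["base_path"] = data[off + base_off:data.index(b"\x00", off + base_off)].decode("latin-1")
        off += li_size
    wide = bool(flags & 0x80)                          # IsUnicode
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                                # StringData: CountCharacters + characters
            n = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + n * (2 if wide else 1)]
            meta[name] = raw.decode("utf-16-le" if wide else "latin-1")
            off += 2 + len(raw)
    while off + 4 <= len(data):                        # ExtraData blocks until the TerminalBlock
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            break
        if struct.unpack_from("<I", data, off + 4)[0] == TRACKER_SIG:
            meta["machine_id"] = data[off + 16:off + 32].split(b"\x00")[0].decode("latin-1")
            for g in range(4):                         # Droid and DroidBirth, two GUIDs each
                guid = uuid.UUID(bytes_le=data[off + 32 + 16 * g:off + 48 + 16 * g])
                if guid.version == 1:                  # v1 GUID node field = MAC of the creating host
                    meta["macs"].add(":".join(f"{(guid.node >> s) & 0xFF:02x}" for s in range(40, -1, -8)))
        off += size
    return meta


def looks_wiped(meta):
    """Modelled on the wiped-metadata VT rule in the talk: default fields absent, script target."""
    no_meta = meta["drive_serial"] is None and not meta["macs"] and meta["created"] is None
    target = (meta.get("arguments") or "").lower().rstrip('"')
    return no_meta and target.endswith(SCRIPT_EXT)


def shared_serials(samples):
    """Drive serials seen under more than one family label: one build machine, several payloads."""
    by_serial = defaultdict(set)
    for family, blob in samples:
        serial = parse_lnk(blob)["drive_serial"]
        if serial:
            by_serial[serial].add(family)
    return {s: sorted(f) for s, f in by_serial.items() if len(f) > 1}


def build_lnk(args, serial=None, base_path=None, mac=None, ctime=None):
    """Assemble a constructed .lnk (not written by Windows) so the parser has input to read."""
    flags, body = 0x20 | 0x80, b""                     # HasArguments | IsUnicode
    if serial is not None:
        flags |= 0x02                                  # HasLinkInfo
        vol = struct.pack("<IIII", 17, 3, serial, 16) + b"\x00"   # VolumeID with an empty label
        path = base_path.encode() + b"\x00"
        rest = vol + path + b"\x00"                    # VolumeID, LocalBasePath, CommonPathSuffix
        body += struct.pack("<IIIIIII", 28 + len(rest), 28, 1, 28, 28 + len(vol), 0,
                            28 + len(vol) + len(path)) + rest
    body += struct.pack("<H", len(args)) + args.encode("utf-16-le")
    if mac is not None:
        file_droid = uuid.uuid1(node=int(mac.replace(":", ""), 16)).bytes_le
        body += struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"DESKTOP-TEST".ljust(16, b"\x00")
        body += (uuid.uuid4().bytes_le + file_droid) * 2          # Droid, then DroidBirth
    body += b"\x00\x00\x00\x00"                        # TerminalBlock
    ft = (ctime - EPOCH_1601) // timedelta(microseconds=1) * 10 if ctime else 0
    return struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20, ft, ft, ft,
                       0, 0, 1, 0, 0, 0, 0) + body


# Constructed samples: serial number, path, MAC and host name are made up for this example.
NORMAL = build_lnk("/c start file.js", serial=0x1234ABCD, base_path=r"C:\Windows\System32\cmd.exe",
                   mac="00:11:22:33:44:55", ctime=datetime(2023, 8, 4, tzinfo=timezone.utc))
WIPED = build_lnk("/c start file.js")
```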
The same machine, a different machine from the one that I showed there on top, was being used to distribute Qakbot and Bumblebee. And the interesting part about the drive serial number is that you can match it to a specific machine, so you know where this came from. And when you look at the Qakbot samples specifically, you can find information about what botnet this is part of. Qakbot has two main botnets, or had two main botnets before the FBI took down their infrastructure, which were the presidents, the latest one was Obama, and the letters, the latest one was BB, but before that it was AA and TR. So these are the two main botnets that Qakbot had at the time, and I could match specific serial numbers to specific botnets. So I knew that this sample came from Obama just based on the drive serial number, and this is important here because I knew that the Obama botnet was the one distributing Bumblebee at the time. So I know that this guy from the Obama botnet is the same guy that is distributing Bumblebee; probably they have some connections there. And I could track things like changes in the behavior of the botnet itself, like the delivery method that they were using, the changes in the code that Qakbot had in the last two years. I could see that Obama was usually the first one to implement a change, followed a few weeks later by the letters botnet, so they were exchanging information, they were talking to each other and discussing what was the best method to deliver information. For example, Obama started to wipe the metadata from their LNK files around September, and then a few weeks later the letters botnet started doing the same. So this is the kind of thing that I could find with this research.

And then we had this huge gap in LNK metadata. Oh yeah, sorry, here I was getting ahead of myself. Here is an example of the data that I have. You can see here the serial numbers, these are just a couple of examples, I have more for the same botnets, related to Obama, and then there are the ones related to AA and BB, which were basically the same groups. And I could figure out that they were the same group because the same serial number that was distributing AA later started to distribute BB, so I could keep track of the actor through the change from AA to BB by the serial number of the machines that were used to generate LNK files. And we can see that Obama is the most prolific one in generating these LNK files, followed by AA and some others that were there, because there were like five or six machines for each group that they used to generate these files, and I had this information on the serial numbers.

The thing that I was saying is that after that point where OneNote stopped being a thing, LNK files basically all came without any metadata, so I couldn't keep track of who is who in terms of the malware families that are
connected to this. I had my rules on VT, and one day I found one hit on the Qakbot rule. I said, oh, that's weird, why one hit now after six, seven months without any hit? And when I looked at the sample it was connected to a different sample. The sample itself had basically a PowerShell script that was downloading an EXE file via WebDAV on port 80, which is not common, right? You can see here, or maybe you can see or not, Explorer connecting to an IP address, and then they kill Explorer, and then they open the file from that same share. So basically they are trying to connect to a network share just to have Windows authenticate, or whatever hash communication, with the network share, and then they try to download this. This has two important things here. One is that they are using this through port 80: WebDAV is basically a web request, it's a GET or HEAD on a specific file on a web request, so this is very difficult to differentiate from a real web connection, right? And the second thing is that when you do that, Windows probably tries to authenticate to the remote WebDAV folder, and by authenticating there it sends your NTLM hash, so they can collect this information, and it downloads the file.

So the file was downloaded, and when I looked at the file, the LNK file, you can see it has the same serial number as we just showed on the other slide. And when I looked at the file, this was actually a ransomware, Ransom Knight; it's a variant of Cyclops, and they were distributing this Ransom Knight to the victims. Qakbot worked with other groups in the past, but they usually don't get involved in ransomware, so I was wondering why is that, right, why are they working with a ransomware malware instead of their malware? Now, that was the time that the FBI informed everybody that they had taken down the Qakbot infrastructure. They started this campaign around August 4, and I think that on August 20-something the FBI announced that they had taken down the Qakbot infrastructure: took down all the C2 servers and cleaned up all the Qakbot-infected machines by using a feature from the malware to download a binary that would do the clean-up on the victim machines, right? So this campaign from Qakbot started before the FBI took down the infrastructure and was still running around the time that they took down this infrastructure. So the guys behind Qakbot, or the threat actors that created these LNK files, also created the same LNK files for Qakbot in the past, and they were running a campaign with a ransomware at the same time that the FBI was taking down the other part of the infrastructure, right? And I thought, OK, so what happened? When I looked at the FBI report, they took down the C2 infrastructure for Qakbot, but all the distribution network that these guys have available is still there, and they were not arrested; they are still there, right? So they could run this campaign without any impact from the FBI takedown. But yeah, of course they had a financial impact, right, with the FBI takedown: the FBI arrested their
crypto resources, the crypto coins; they took down the server infrastructure, which is pretty complex for Qakbot, so it has a financial impact for these guys. And I think that they are running these campaigns; they started with ransomware, along with the Ransom Knight, along with the LNK file on the same phishing or same malspam campaign they had the Remcos backdoor, so they could take control of the machine, and now they are running DarkGate and PikaBot, which is another bot. So there was some discussion, I just published a blog yesterday with more details on this entire campaign, and there was some discussion of whether it's the same actor or not. Maybe the distribution network that is being used to distribute this malware is not the same as Qakbot used in the past, but I know for sure that the LNK files that they are using were created on the same machines that were used to create Qakbot in the past. I went back two, three years, as long as VT and our Cisco database can give me, and there was never any other malware besides these that I mentioned distributed by the same machine. So it's not something that is widespread, or that any threat group uses the same machine to do that; that's not the case. There is only one actor behind this machine that is now generating these LNK files to distribute this new campaign with DarkGate, PikaBot and Ransom Knight. So it was pretty interesting to see, first because I could find this new campaign based on the LNK metadata that I had worked on before, and second, these guys were the same guys that started wiping out metadata from their files because they knew that they could be tracked by that. So what happened now? Did they mess up and forget about the LNK metadata because a lot of time has passed since the last one, or did they get stressed because of the FBI takedown? I don't know, but they messed up and they left this information in the LNK files, which enabled me to track them and connect this new campaign with the previous actors that distributed Qakbot.

So yeah, the details that I was talking about: the campaign is basically the same modus operandi that Qakbot had in the past. They have an HTML file that uses HTML smuggling to drop a zip file on the machine. The zip file has an XLL, it's an Excel add-in extension, which is basically a DLL, and this DLL is the Remcos binary, and a LNK file in the same zip. This LNK file points to a WebDAV source that downloads the other malware that I mentioned. Besides Ransom Knight and DarkGate, they are also downloading RedLine and MetaStealer, which are two information stealers. So my theory is that Qakbot, or the guys behind this campaign, are trying to rebuild their victim network: they are trying to collect information from victims, they are trying to rebuild the network of infected machines where they have control via the DarkGate or Remcos backdoor, so they could trigger the next Qakbot wave, because we know that it's coming, right? I loved what the FBI did, I know that it's important to have these kinds of actions
because you have a huge financial impact on these guys, but we know that they're coming back at some point, because the guys are still there and they have the source code and they can restart everything.

So, takeaways. The metadata in malicious files, not only link files but any kind of document or even PE files sometimes, is important. They have a lot of information that is not under direct control of the person that creates the file. Sometimes Windows adds this information, sometimes the application that they're using adds this information, and you can use this information to try to track and to detect malicious activity. Don't look just at the malicious code; sometimes the container for this code is
important too, because it might have a lot of information on the threat actors behind it. The threat actors have lousy opsec, like everybody else. They forget things, they don't look at the files that they create. Sometimes they might have a username or a password or information on their machines, IP addresses, everything could be present there without their knowledge, and if you look at this information you can find out more about the threat actor. And especially for the people that work with detection engineering: if you look at this metadata and you create a database or a way to track this metadata for files,
you have a very good resource for detection. Think about if you need to create a YARA rule, or if you need to create something that will map the attributes of a specific file type and keep track of what is malicious and what is not. You have something to use for detection too, even machine learning, YARA rules or whatever. You have something that is very good for detection, and people usually forget about it. Even in the detection scene people forget that these things are there, and they are very important. And like I said, keep track of this information
because at some point you might see something that you've seen in the past that was malicious or that targeted you, and you will be able to detect this even before something malicious happens on the machine. And I think I'm good, I don't even know how long I took on this. So if you guys have any questions or anything...

[Question] Is any of this, do you have this available publicly, this information, on GitHub, or is it fairly proprietary?

[Answer] No, like I said, I published a blog yesterday on the Qakbot campaign. It has a link to another blog that I wrote on the link metadata research, which is also available on the
Talos blog, so talosintelligence.com should be the link for the blog. This information is there. I don't know if I'll be able to share these specific slides, but all the information that is here is on these two blogs that are available there, and we have all the IOCs and everything documented on the blogs.

[Question] How would you take the link file metadata and use it for detection, like at scale across an entire enterprise?

[Answer] Well, like I said, I worked for an AV company, so in the case of an AV, detection for link files is very easy, because they usually are small files with a fixed structure. So detecting
something in a link file is very easy, it's quick, it's something that will not cause a huge performance impact. Same for YARA, for example. So if you have a good talk with your AV company you can ask them to create something like that, or any other way. Usually you need the capacity to look inside the files and you need some knowledge of the file format, so that will limit how you can detect this. Sometimes the product doesn't have the ability to look inside the content of the file. I don't know if it's still like that, but some EDRs cannot look inside the content of the file, so it might be
difficult to detect this, but that's what you need. It's simple, it's not something that will impact too much.

[Question] Yeah, I was wondering, do you know of any examples of non-malicious link files with deleted metadata? Curious about false positives.

[Answer] Yes, there are some false positives. That rule that I showed for the Qakbot detection, it's actually something that generates some false positives, because there are applications that create link files too. They might use them for any reason, but when these applications create link files, if they don't use the APIs as expected, the file will be clear of metadata, or sometimes doesn't have all the metadata that needs to be present
there. And if they use a template, for example, to create the link files, which is also very common for the link creation tools like MacroPack and things like that, so there are situations where the metadata will be wiped out, and we need to be very careful there in this case.

[Question] Given that antiviruses are starting to incorporate this into their attacking signatures, how long do you think it will take Qakbot or other groups to respond and come up with something new?

[Answer] It usually doesn't take long. In terms of the delivery mechanisms they are very quick in changing this, depending on the threat landscape. The
malware itself takes more time to develop, and so they have this cycle: four months, six months running, and then two months holidays or development cycle. But in terms of delivery mechanism they change in a few days, just a few days and it's gone.

[Question] You mentioned several times that you were able to track them to a specific person. They got smart... have

[Answer] Yes, that's a problem. It's possible to spoof, of course, because you can always spoof the content of these files. I haven't seen examples of this, or at least I haven't detected, in the samples that I analyzed, any attempts to spoof this information, but it's possible. It's possible that someone will look at this research and say, okay, I'm going to use this now, and everybody will be Qakbot from now on. There's not really an easy way to detect this, the same way that there is not an easy way to detect any other spoofed information on other file types or other parts of the infection chain. And there
is one interesting anecdote, anecdote, story, sorry, I'm Brazilian so sometimes I get stuck with English. But there's an interesting story with this research. I was looking at the Gamaredon samples and I started collecting a lot of samples related to Gamaredon from VirusTotal, and I got a lot of link files. They were always associated with the document that they use to phish and the binaries that were downloaded later. So okay, this link file is part of the infection chain. I started downloading all of them, created a rule to detect these files on VirusTotal, and got like millions of hits. Like, oh my god,
what the hell happened here? So when I looked at the files I noticed that they were always pointing to a document. The link files were pointing to a document, they were not pointing to a command or anything like that, always pointing to a document. And I noticed that when VT replicated the documents from Gamaredon on their machines, they usually are very good at wiping out any metadata from their systems, but not from link files. So the link files that I was collecting were the link files that are created by Office when Office opens the document and creates a recent documents entry, right? And that link file had all the information about
the VT machines, so I could map basically their entire sandbox infrastructure, or whatever machines they use for sandboxing there, based on the link files that were created for the document. So yeah, there's this problem too. If the link file is created dynamically by the malware, for example the old file infectors, USB file infectors: when the file infector runs on your machine and you put in a pen drive, it creates a link file on the pen drive pointing to the malware. That link file will have the information from your machine, not the attacker's machine, because they don't use a template, they basically just create a shortcut using the Windows APIs. So it needs to be very
careful, you need to be very careful with how this file was created, how this file came to the machine. Did it come as a link file or was it created on the machine? So yeah, you have to be careful in this sense too, not just the spoofing, but you have to be careful with the files that are dynamically created on the machine. All right, thank you everybody. [Applause]
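The shortcut metadata the talk builds its tracking and detection on lives in the .lnk TrackerDataBlock: the NetBIOS name of the machine that created the shortcut and an object-ID GUID whose last six bytes are that machine's MAC address. The parser below is an added example written for this page, not code from the talk or from Talos; it walks the Shell Link header, skips the optional structures by their flags, pulls those fields out, and applies the speaker's "metadata missing" heuristic to a constructed sample (the build_sample helper and its values are invented for the demonstration).

```python
import struct
import uuid

HEADER_SIZE = 0x4C                             # layout per the Shell Link format (MS-SHLLINK)
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003                       # TrackerDataBlock signature
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation

def parse_tracker(data: bytes):
    """Walk a .lnk to its ExtraData; return TrackerDataBlock fields, or None if absent."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("unexpected LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                        # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:                      # CountCharacters (2 bytes) + chars, no NUL
        if flags & flag:
            pos += 2 + width * struct.unpack_from("<H", data, pos)[0]
    while pos + 4 <= len(data):                    # ExtraData: blocks until a size below 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG and size >= 0x60:
            machine = data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            droid_file = data[pos + 48:pos + 64]   # object-ID GUID; its node field is the MAC
            return {"machine_id": machine, "mac": droid_file[-6:].hex(":")}
        pos += size
    return None

def metadata_wiped(data: bytes) -> bool:
    """Talk's heuristic: no TrackerDataBlock means the shortcut was not built by the normal
    Windows APIs or was stripped. Template-based tools trip this too: triage, not verdict."""
    return parse_tracker(data) is None

def build_sample(machine_id: bytes, mac: bytes, with_tracker: bool = True) -> bytes:
    """Constructed minimal .lnk for testing (not a real sample): bare header plus ExtraData."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + bytes(HEADER_SIZE - 20)
    extra = b""
    if with_tracker:
        file_guid = bytes(10) + mac                # version-1 style GUID; last 6 bytes = MAC
        extra = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + machine_id.ljust(16, b"\x00")
        extra += (bytes(16) + file_guid) * 2       # Droid and DroidBirth: volume GUID + file GUID
    return header + extra + struct.pack("<I", 0)   # TerminalBlock
```

Because the tracker block records whichever machine created the shortcut, the same parser will show a sandbox's or a victim's details when the .lnk was generated dynamically, as in the Gamaredon and USB cases from the Q&A.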