Will Dormann /
npub12xh…zxeq
2024-08-29 14:27:36
in reply to nevent1q…5dfy

Less-efficient workaround:
Do a VirusTotal RetroHunt with a close-enough YARA rule, and then just manually run exiftool on them.

And then ask ChatGPT to tell me what some of them do because I'm lazy. This attacker from 4.5 years ago at least had a sense of humor. 😂
https://www.virustotal.com/gui/file/ca2723ce8388eda11d5b07e788145d9779a6d38bac2d448a89ba860e4899ab35/details

Microsoft has refused to assign a CVE to this, as they don't feel obligated to follow CNA rules. ("CNAs SHOULD assign CVE IDs to Vulnerabilities, not Fixes for Vulnerabilities.")

MITRE has refused to assign a CVE (by way of ignoring the request), as they too apparently don't feel obligated to follow CNA rules ("... MUST direct a CNA-LR or another CNA with appropriate scope to assign as quickly as possible and no later than 72 hours after becoming aware of the first refusal.")

So have fun with this one, folks. It's been exploited ITW for years, and it definitely works. But "LNK Stomping" has no CVE because, well, draw your own conclusions...

Author Public Key
npub12xhpqz0ygq7cy87pcyhpf06tgr0yf37uv9mcnzzqeg00n70tca5q0vzxeq