Beware of Malicious .URL Files: A New Attack Vector

By Samarth Desai, 3/12/2025
#CyberThreats
#Malware
#Cybersecurity

Another interesting file type that adversaries leverage for initial access: .url files (Windows Internet Shortcuts).

The attackers deliver malicious .url files that mimic the behaviour associated with CVE-2024-43451. The files trigger WebDAV requests to attacker-controlled infrastructure, which tells the operators that the file has been downloaded by a victim. The .url files do not exploit the vulnerability itself; when clicked, they fetch the next-stage payload. Those payloads are hosted on legitimate platforms such as Google Drive, Dropbox, Bitbucket and GitHub, so the download traffic blends in. The downloaded malware includes a .NET RAT variant and, as the final payload, Remcos RAT, which gives the operators remote access and lets them steal information. The campaigns have hit more than 1,600 victims, mainly government and private institutions in Colombia.

The adversary uses these files in a series of ongoing campaigns against Colombian institutions and government entities. Looking at the file names, many carry double or even triple extensions, for example DOCUMENTO_PDF_CON_INFORMACIÓN_PRUEBA_COVID_19.pdf.zip (1).url, so the name reads like a PDF or archive while the real, last extension is .url.

Use this KQL logic to surface such names:

| where Filename has_all ('pdf', 'url')

Because has_all is a term match, this also returns names that merely contain both terms somewhere; pair it with a check that the name actually ends in .url (for example Filename endswith '.url') and extend the decoy term list to the other document and archive extensions seen in the campaign, such as zip.
