Backdoor:PowerShell/Sebona.A!dha

The LNK file masquerades as a shortcut to a PDF file with a document-like icon to entice the user into opening what looks like a PDF file, as seen in the image below:

Example of files containing a false document icon

Once opened, the LNK file decodes the embedded base64 data and drops several files in the %temp% and %UserProfile% folders.

For instance, the LNK file might drop the following files:

• %temp%\Important.jpg (this is not an image file, but rather a base64 encoded PDF file)
• %temp%\Important.pdf (decoded clean PDF file)
• %UserProfile%\Temp.jpg with hidden attribute (base64 encoded PowerShell script)

The clean PDF file is opened to mask the launch of the malicious code. The PowerShell script is decoded and launched to establish a reverse shell connection to a C2 location, such as:

• hxxp://api-gate[.]xyz
• hxxp://pdf-online[.]top

The reverse shell is used in conjunction with Microsoft Dev Tunnels and can traverse directories, as well as upload and download files.

Here is an example of the contents of the LNK file:

Example of a malicious LNK file