Hackers Weaponizing Windows shortcut files for Phishing


LNK files, a shortcut file type in Windows OS, provide easy access to programs, folders, or websites.

Created automatically during shortcut creation or manually by users, LNK files contain the target location and other information useful for threat intelligence. 

An LNK file records details such as the identifier of the machine where it was built, volume labels, and drive serial numbers. Windows hides the .lnk extension by default, so identifying a shortcut relies on user awareness or command-line queries.

Attackers exploit LNK files to bypass detection and deliver malware such as Qakbot, Rhadamanthys, Remcos, and Amadey. The shortcuts are disguised as legitimate files (executables or PDFs) to trick users into clicking on them.

[Figure: Rhadamanthys LNK Phishing Campaign]

Clicking such a file compromises the user’s system or network. By analyzing active LNK phishing campaigns, defenders can learn attacker tactics, and tools like LECmd can extract LNK content to better understand the attack.

Threat actors leverage LNK files in phishing campaigns to deploy malware and conduct reconnaissance by embedding malicious scripts or commands within the LNK.

Upon user interaction, the LNK triggers these scripts, which can download malware, steal data, or gather system information. 

[Figure: LNK Recon]

Examples include using LNK to download AsyncRAT or Rhadamanthys trojan, obfuscating PowerShell scripts using techniques like caret symbols, and crafting LNKs to resemble legitimate files like PDFs, which increases the success rate of tricking users into clicking the malicious LNK.  
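To make the metadata and argument fields described above concrete, here is an added example (not from the article, Splunk, or LECmd) that reads a shortcut's StringData and TrackerDataBlock machine identifier and flags caret-obfuscated PowerShell. Field offsets follow the published MS-SHLLINK layout; the sample bytes, the host name `desktop-example`, the `cp1252` fallback for non-Unicode strings, and the function names are constructed assumptions.

```python
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID as stored on disk
# (LinkFlags bit, field) in the order StringData entries appear in the file
STRINGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
           (0x20, "arguments"), (0x40, "icon_location")]
TRACKER_SIG = 0xA0000003  # TrackerDataBlock: carries the build machine's NetBIOS name

def parse_lnk(data: bytes) -> dict:
    """Extract StringData fields and the tracker MachineID from a .lnk blob."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off, out = 76, {}
    if flags & 0x01:  # LinkTargetIDList: 2-byte size, then the list itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # LinkInfo: 4-byte size that includes the size field
        off += struct.unpack_from("<I", data, off)[0]
    width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
    for bit, field in STRINGS:
        if flags & bit:  # each entry: 2-byte character count, then the string
            n = struct.unpack_from("<H", data, off)[0] * width
            out[field] = data[off + 2:off + 2 + n].decode(codec, "replace")
            off += 2 + n
    while off + 8 <= len(data):  # ExtraData blocks: size, signature, body
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:  # TerminalBlock ends the list
            break
        if sig == TRACKER_SIG:  # MachineID is 16 bytes at block offset 16
            raw = data[off + 16:off + 32].split(b"\0")[0]
            out["machine_id"] = raw.decode("ascii", "replace")
        off += size
    return out

def triage(info: dict) -> list:
    """Flag traits the article describes; hints for an analyst, not verdicts."""
    args = info.get("arguments", "")
    checks = [("caret-obfuscated arguments", "^" in args),
              ("PowerShell in arguments", "powershell" in args.replace("^", "").lower())]
    return [label for label, hit in checks if hit]

def build_sample() -> bytes:
    """Constructed sample: header + ARGUMENTS string + TrackerDataBlock."""
    args = "/c p^owe^rshe^ll <constructed placeholder>"
    header = struct.pack("<I16sI", 0x4C, CLSID, 0x20 | 0x80) + bytes(52)
    strings = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIG, 0x58, 0, b"desktop-example")
    return header + strings + tracker + bytes(64) + bytes(4)

if __name__ == "__main__":
    print(parse_lnk(build_sample()), triage(parse_lnk(build_sample())))
```

A truncated file raises `struct.error` from the unpack calls, which a caller processing untrusted samples should catch alongside `ValueError`.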

A malicious LNK file leverages the forfiles LOLBIN to initiate a PowerShell script that executes obfuscated commands, which decrypt encoded data within the LNK and create a decoy DOCX file alongside a malicious CAB archive.

[Figure: LNK Obfuscated PowerShell]

The PowerShell script then utilizes expand.exe to extract the CAB file, which contains a VBScript, batch files, and a legitimate unzip.exe utility. 

The VBScript leverages a COM object to execute a batch file that establishes persistence via registry modification and executes additional batch files, which download malicious payloads, steal system information, and communicate with C2 servers.

[Figure: LNK Attack Chain]

The research by Splunk describes three methods for simulating LNK phishing campaigns to test organizational defenses. The first method utilizes Atomic Red Team’s Invoke-AtomicTest to write an LNK to the startup folder that triggers a command prompt upon user login. 

The second method uses LNK Generator, which simplifies creating desktop shortcuts with various functionalities.

Examples include generating a CMD shortcut or a PowerShell script shortcut that downloads and executes an MSI package. 

The third method leverages Atomic Red Team tests to simulate a malicious LNK file embedded with a CAB file, and by examining real-world malicious LNK files, security analysts can gain insights to develop and test detection capabilities.
