This minuscule 4 KB file can allow an attacker to take over your Windows system

The title sounds dramatic, right? Is this clickbait? No, it isn’t. Bear with me while I make my case to justify the title.

So, what’s this dangerous minuscule file the title talks about?

Actually, we all have seen this file on our Windows desktops when they are deployed for legitimate use cases. This type of file is commonly dropped by an installer when you install new applications on your Windows system. Some of you might have almost guessed it by now, I am talking about the Windows Shortcut file.

So, what’s up with this file. It seems to be benign. We have interacted with shortcut files for years without ever worrying about the risk of a system compromise. For the uninitiated, Windows shortcut files are special files with a hidden .lnk extension that point to another file or executable within the filesystem. If you are Linux user, think symlinks. If you are coming from the Mac world, think aliases.

Now, let’s get to the crux of the matter.

A simple LNK file does nothing but invokes the file it points to. However, if you dig further into the LNK file rabbit hole, that is, if you right-click the file and check its properties, you should see the Target property. For a usual LNK file, this Target property just contains the path of the target file.

Why is it considered dangerous?

The dangerous aspect about the Target property is that it also accepts command-line arguments. So what? What can go wrong because of this? Let me explain. The capability to pass command line arguments to LNK means that this worthless little file can now be used to operate like a Windows Batch file. Yea, you read that right. It can be used to trick a user into executing arbitrary commands on their system.

For example, setting the target parameter to cmd.exe /c ping -t 127.0.0.1 will allow you to run a ping scan on localhost that is initiated from a benign looking Windows shortcut:

Hold on, the fun does not end here. Ideally, when you create a shortcut, the default icon shown on the shortcut is the icon of the underlying file it points to. So, if you create a file pointing the cmd as we did above, the icon on the shortcut shows a cmd icon. Aah, that is a dead giveaway, isn’t it? Any security aware user would not click on that file.

But, hold your horses. Windows has this amazing feature for a shortcut called Change Icon.

So, you can choose from any of the built-in Windows icons or browse and add your own.

Take a look at this short video showing a ping scan being executed from a shortcut file which, based on its icon, was supposed to open a text document:

To add to this ordeal, Windows hides the .lnk file extension by default. Even when “Hide extensions for known file types” is unchecked in User options. So, an attacker can simply name the file “Important Doc”, give it a Word Doc icon and the user would never know what they are going to execute under the hood. Except, if they are smart enough to note the little shortcut arrow on the bottom left corner of the file. But, it’s not out of the ordinary to see that icon, so users would generally trust these files.

Yea, let that sink in for a while before we move ahead!!!

How does this affect your users?

We never educated our users to safeguard themselves from threats like these. It would be much easier for an attacker to convince a user to open a seemingly innocent text file instead of an executable. Just imagine this, instead of running an innocuous ping scan like we did above, an attacker can have a user run execute a shortcut that downloads and installs malware on the user’s system.

This is exactly the trick being used by malware operators today to trick users into running malicious code on their system. Malware operators realized the potential of the LNK file soon enough and this is now an active delivery mechanism seen in many recent malware attacks.

Malware Actively Exploiting Windows LNK features

Example 1: EMOTET

The infection chain seen in recent EMOTET infections starts with an LNK file delivered to users over email:

The EMOTET infection chain works as follows:

1. The LNK file delivered to the user is supposed to execute a shell command that downloads a VB Script file (vbs).
2. This vbs file is then executed to download the main malicious DLL
3. Finally, the malicious DLL is executed to infect the system.

Example 2: ICEDID

ICEDID used a slightly similar infection chain, but it uses Powershell commands instead of shell commands:

1. LNK file runs a powershell command which downloads a hta file (Link to hta wiki: https://en.wikipedia.org/wiki/HTML_Application)
2. Now, HTA files form a whole separate story we can cover in a different article. But, what we need to understand in this infection chain is that the HTA file is used to run another Powershell command which downloads the malware executable.
3. This malware executable is then executed to infect the system

Example 3: Qakbot

Qakbot also uses LNK at it’s point of entry and then downloads the malicious DLL.

1. LNK runs a powershell command to download the malicious DLL.
2. This DLL is then executed effectively infecting the underlying system.

Example 4: DUCKTAIL

Recent DUCKTAIL samples too show a similar modus operandi of infecting systems. It all starts with a seemingly innocuous LNK file.

So, cyber criminals are already banking on the LNK infection chain. It is time for you to level up your defences agains this novel attack technique.

Further details about the detailed modus operandi of the above malware can be found here:

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection

What can you do:

1. Educate your users: Obviously
2. Block Delivery of LNK attachments: Again, obviously. I have never once seen a legitimate use case for a user to receive an LNK file in their mailbox. So, why not just block these attachments at the email server or spam firewall level. If you are using Gsuite or Office 365, here are some helpful links for administrators on how you can do this: GSuite Office365
3. Block Download of LNK attachments: There is no legitimate need for users to even download LNK files, so download of these files should be blocked at the Internet gateway level or via browser policy
4. Question your EDR or Antivirus vendors how they are protecting against such attacks.

Closing Comments:

I feel that the battle between malware creators and defenders acts out like a game of Chess. Except, that the malware creators have an unobstructed view of all the pieces of the defenders, however, criminals have the leverage to introduce new pieces in the game and create new rules for this ever-evolving game. Defenders can only adapt to the new rules and design defences to counter the criminal’s moves until they see a new piece with new rules.

原文始发于Amey Anekar：This minuscule 4 KB file can allow an attacker to take over your Windows system