Saturday, July 20, 2024

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs, folders, or websites.

Created automatically during shortcut creation or manually by users, LNK files contain the target location and other information useful for threat intelligence. 

It includes details like the machine identifier where the LNK was built, volume labels, and drive serial numbers, while the .lnk extension is hidden by default in Windows, making identification rely on user awareness or command-line queries. 

Attackers exploit LNK files, a shortcut file format, to bypass detection and deliver malware like Qakbot, Rhadamanthys, Remcos, and Amadey, which are disguised as legitimate files (executables or PDFs) and trick users into clicking on them. 

 Rhadamathys LNK Phishing Campaign
 Rhadamathys LNK Phishing Campaign

This compromises the user’s system or network, and by analyzing active LNK phishing campaigns, defenders can learn attacker tactics and use tools like LECmd to extract LNK content to better understand the attack. 

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Threat actors leverage LNK files in phishing campaigns to deploy malware and conduct reconnaissance, and this is done by embedding malicious scripts or commands within the LNK.

Upon user interaction, the LNK triggers these scripts, which can download malware, steal data, or gather system information. 

 LNK Recon
 LNK Recon

Examples include using LNK to download AsyncRAT or Rhadamanthys trojan, obfuscating PowerShell scripts using techniques like caret symbols, and crafting LNKs to resemble legitimate files like PDFs, which increases the success rate of tricking users into clicking the malicious LNK.  

A malicious LNK file leverages LOLBIN for files to initiate a PowerShell script that executes obfuscated commands, which decrypt encoded data within the LNK and create a decoy DOCX file alongside a malicious CAB archive. 

LNK Obfuscated Powershell
LNK Obfuscated Powershell

The PowerShell script then utilizes expand.exe to extract the CAB file, which contains a VBScript, batch files, and a legitimate unzip.exe utility. 

VBScript leverages a COM object to execute a batch file that establishes persistence via registry modification and executes additional batch files, which download malicious payloads, steal system information, and communicate with C2 servers.  

 LNK Attack Chain 
 LNK Attack Chain 

The research by Splunk describes three methods for simulating LNK phishing campaigns to test organizational defenses. The first method utilizes Atomic Red Team’s Invoke-AtomicTest to write an LNK to the startup folder that triggers a command prompt upon user login. 

The second method uses LNK Generator, which simplifies creating desktop shortcuts with various functionalities.

Examples include generating a CMD shortcut or a PowerShell script shortcut that downloads and executes an MSI package. 

The third method leverages Atomic Red Team tests to simulate a malicious LNK file embedded with a CAB file, and by examining real-world malicious LNK files, security analysts can gain insights to develop and test detection capabilities.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles