Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs, folders, or websites.

Created automatically during shortcut creation or manually by users, LNK files contain the target location and other information useful for threat intelligence. 

It includes details like the machine identifier where the LNK was built, volume labels, and drive serial numbers, while the .lnk extension is hidden by default in Windows, making identification rely on user awareness or command-line queries. 

Attackers exploit LNK files, a shortcut file format, to bypass detection and deliver malware like Qakbot, Rhadamanthys, Remcos, and Amadey, which are disguised as legitimate files (executables or PDFs) and trick users into clicking on them. 

Rhadamathys LNK Phishing Campaign

This compromises the user’s system or network, and by analyzing active LNK phishing campaigns, defenders can learn attacker tactics and use tools like LECmd to extract LNK content to better understand the attack. 

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Threat actors leverage LNK files in phishing campaigns to deploy malware and conduct reconnaissance, and this is done by embedding malicious scripts or commands within the LNK.

Upon user interaction, the LNK triggers these scripts, which can download malware, steal data, or gather system information. 

LNK Recon

Examples include using LNK to download AsyncRAT or Rhadamanthys trojan, obfuscating PowerShell scripts using techniques like caret symbols, and crafting LNKs to resemble legitimate files like PDFs, which increases the success rate of tricking users into clicking the malicious LNK.  

A malicious LNK file leverages LOLBIN for files to initiate a PowerShell script that executes obfuscated commands, which decrypt encoded data within the LNK and create a decoy DOCX file alongside a malicious CAB archive. 

LNK Obfuscated Powershell

The PowerShell script then utilizes expand.exe to extract the CAB file, which contains a VBScript, batch files, and a legitimate unzip.exe utility. 

VBScript leverages a COM object to execute a batch file that establishes persistence via registry modification and executes additional batch files, which download malicious payloads, steal system information, and communicate with C2 servers.  

LNK Attack Chain

The research by Splunk describes three methods for simulating LNK phishing campaigns to test organizational defenses. The first method utilizes Atomic Red Team’s Invoke-AtomicTest to write an LNK to the startup folder that triggers a command prompt upon user login. 

The second method uses LNK Generator, which simplifies creating desktop shortcuts with various functionalities.

Examples include generating a CMD shortcut or a PowerShell script shortcut that downloads and executes an MSI package. 

The third method leverages Atomic Red Team tests to simulate a malicious LNK file embedded with a CAB file, and by examining real-world malicious LNK files, security analysts can gain insights to develop and test detection capabilities.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Aman Mishra

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

6 hours ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

1 day ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

1 day ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

1 day ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

1 day ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

1 day ago