LNK files again being used to deliver malicious PowerShell script

itman · May 26, 2017

Cybercriminals have brought back an older attack vector using LNK files to execute PowerShell scripts to download malware.

LNK files were first used back in 2013, but Trend Micro has noticed a resurgence staring in January 2017. Between January and April the company has detected almost 6,000 instances of LNK malware, identified as LNK_DLOADR by Trend Micro, although a few cases were also spotted late in 2016.

LNK files are generally used to create start menu and desktop shortcuts.

Trend Micro attributed the initial wave of attacks in January to group APT10, AKA MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX, that used a spearphishing campaign to execute a CMD.exe that in turn downloaded a jpeg with embedded malicious PowerShell script. By April the payload had switched to BKDR_ChChes.

And APT10 continues to mix up their attacks, although it still uses phishing as the main point of entry.

“They send a phishing email with lures that push the victim to “double click for content”, typically a DOCX or RTF file embedded with a malicious LNK. Instead of directly executing PowerShell, the LNK file will execute MSHTA.exe (a file used for opening HTML applications), which executes a Javascript or VBScript code that in turn downloads and executes the PowerShell script. The PowerShell then executes a reverse shell (like Metasploit or Cobalt Strike) to complete the compromise,” the report said.

There are a couple of quick fixes companies can implement to avoid LNK issues. Just as with WannaCry updating software is the first step. In this case users should have PowerShell version 5 installed. The responsibility falls on the individual and that is to be wary of any executable files received in an email.
Click to expand...

https://www.scmagazine.com/lnk-file...r-malicious-powershell-script/article/664399/

itman · May 26, 2017

Per the Trend Micro source article link noted above, this is a clever trick being employed:

Hidden LNK commands

In many cases, these malicious LNK files can reveal valuable information about the attacker’s development environment. To help get this information, a quick analysis is possible by viewing the properties of the file.

However, we are encountering cases where the command line argument is so long that it is no longer fully visible in the Properties > Shortcut window. When viewed, only the target application (CMD.exe, MSHTA.exe, and other non-malicious command line applications) is seen.

Our tests revealed that the maximum length for Shortcut > Properties > Target is only 260 characters. Anything longer than that will not be visible. However, the maximum length for a command line argument is 4096 characters.

The attacker actually pads several spaces or newline characters before the malicious argument. Using a parser tool reveals that it is much longer (figure 6), though it still works normally:
Click to expand...

Rmus · May 26, 2017

itman said: ↑

https://www.scmagazine.com/lnk-file...r-malicious-powershell-script/article/664399/
Click to expand...

LNK files were first used back in 2013, but Trend Micro has noticed a resurgence staring in January 2017... LNK files are generally used to create start menu and desktop shortcuts.
Click to expand...

They were used at least as far back as 2010:

Downloader-CJX Cashing In on Microsoft .LNK Flaw
http://www.avertlabs.com/research/blog/index.php/category/exploit-research/

our research team found a new variant of Downloader-CJX that extended its previous .LNK propagation strategy using social engineering with the new Exploit-CVE2010-2568 .LNK files.

Downloader-CJX is a malware family that installs .LNK files mimicking current Windows and user folders such as Music, Documents, or New Folder.
Click to expand...

Microsoft Security Bulletin MS10-046 - Critical
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198 )
Published: August 02, 2010
https://technet.microsoft.com/en-us/library/security/ms10-046.aspx

This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Click to expand...

As with so many exploits patched by Microsoft, many users did not patch, so the exploit continued to be used successfully for quite a while.

scmagazine.com said:

And APT10 continues to mix up their attacks, although it still uses phishing as the main point of entry.

“They send a phishing email with lures that push the victim to “double click for content”, typically a DOCX or RTF file...
Click to expand...

“double click for content” is an old lure that goes back at least to 2009. An RTF example:

http://rsjphoto.net/computing/rtf/

scmagazine.com said:

The responsibility falls on the individual and that is to be wary of any executable files received in an email.
Click to expand...

There you go!

----
rich

itman · May 26, 2017

The difference with the current .lnk malware versus past use is those exploited vulnerabilities. The current strain of malware is using .lnk files as designed but using them to run legit processes such as mshata.exe to in turn run malware laced scripts and the like.

Nothing like using Windows to infect Windows

Rmus · May 26, 2017

itman said: ↑

The difference with the current .lnk malware versus past use is those exploited vulnerabilities. The current strain of malware is using .lnk files as designed but using them to run legit processes such as mshata.exe to in turn run malware laced scripts and the like.

Nothing like using Windows to infect Windows
Click to expand...

Yes! In one sense, though, many exploits use Windows to infect Windows - the orginal LNK exploit used a vulnerability in the Windows Shell.

Not using a legitimate file as in this case, of course... which reminds me of Conficker's later versions which used autorun to start rundll32.exe to run its malicious DLL.

----
rich

Log in or Sign up

LNK files again being used to deliver malicious PowerShell script

itman Registered Member

itman Registered Member

Rmus Exploit Analyst

itman Registered Member

Rmus Exploit Analyst

‘Purple Fox’ Fileless Malware Delivered by Rig Exploit Kit Now Abuses PowerShell

Remcos RAT campaign delivers new variant using AutoIt wrapper

The Malicious Use of Pastebin

Popular File-Sharing Service WeTransfer Used in Malicious Spam Campaigns

Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads

Log in or Sign up

LNK files again being used to deliver malicious PowerShell script

itman Registered Member

itman Registered Member

Rmus Exploit Analyst

itman Registered Member

Rmus Exploit Analyst

‘Purple Fox’ Fileless Malware Delivered by Rig Exploit Kit Now Abuses PowerShell

Remcos RAT campaign delivers new variant using AutoIt wrapper

The Malicious Use of Pastebin

Popular File-Sharing Service WeTransfer Used in Malicious Spam Campaigns

Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads

Useful Searches