What is a LNK file?
An LNK file, or Windows shortcut file, has been used in the Windows operating system for a very long time. A LNK file is simply a metadata resource file used by the Windows shell which is utilised and points to open and execute any other file, executable (.exe), folder, or application. The file format indicates that these LNK files contain a specific signature, 0x4C (4C 00 00 00) at offset 0 within the file/stream, which is used to identify LNK files.
It contains information about the object to which it points, including the object's type, location, and filename. You can create a shortcut to a file, executable (.exe), folder, or application by right-clicking that object and selecting Create shortcut. It provides quick access to a file or an application without requiring the user to navigate the program's full path.
You've probably manually created a shortcut to a programme or a document at some point. It comes as no surprise that when you do that, you are actually creating an LNK file. But did you know that Windows also automatically creates these files on a very frequent basis? For example, when you open a document, be it local or remote, a LNK file is automatically created. In fact, LNK files are also automatically created under numerous other circumstances.
Poising LNK files to spread Malware
Cybercriminals are constantly searching for new ways to circumvent security measures. The more covert the malware is, the harder it is to detect and remove it.
Because LNK files offer a convenient alternative to opening a file, threat actors can use them to create and execute malicious scripts. Malicious actors leverage this tactic to insert hard-to-detect malware into shortcut files (LNK files), manipulating a reliable application into becoming a perilous threat.
One of the methods an attacker can use to create script-based threats is through the use of PowerShell, because LNK files offer a convenient alternative to opening a file.
PowerShell is a robust command-line and shell scripting language developed by Microsoft. Because PowerShell runs unobtrusively in the background, it provides a perfect opportunity for hackers to insert malicious code. Many hackers have taken advantage of this by executing PowerShell scripts in LNK files.
How Cybercriminals Use LNK Files for Malicious Purposes?
Let’s say there's a shortcut on the system for a notepad program, as shown below:
That shortcut file can be poisoned and can be used to potentially be used to gain persistent access to the system. Let's edit the shortcut's target to this simple PowerShell. The PowerShell script simply opens a calc.exe application:
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "invoke-item c:\windows\system32\notepad.exe;invoke-item c:\windows\system32\calc.exe;" |
The screenshot below shows the bad actor editing the target of a LNK file with a malicious PowerShell script which will open a calc.exe application.
The image below illustrates that when the victim launches the notepad containing the malicious PowerShell script in the target, it also launches a programme of our choice - a calc.exe in this case.
For a brief moment, we can see the command prompt. However, it can be easily hidden by changing the Run option of the shortcut to Minimized:
The screenshot below illustrates us changing the run option to "Minimize".
Running the file again with the Minimized option selected does not show the command prompt:
With this Proof of Concept, the malicious actor can execute any PowerShell command through any LNK file, which could potentially lead to a complete compromise of the system.
Comments