By Aleksandar Milenkoski & Jim Walter
Windows Explorer (explorer.exe) is the top initial living-off-the-land binary (LOLbin) in the chain of LOLbins that threat actors abuse to execute malware through malicious Windows shortcuts (LNK files).
LNK files from VirusTotal revealed Windows Explorer at the top of the list (with 87.2% prevalence), followed by
LNK files are currently immensely popular among threat actors for malware deployment and persistence.
LNK files in the cybercrime web space since May 2022, with many new features for evasion and stealth.
LNK files in a configurable and convenient manner. Given the popularity of LNK files among threat actors, there is an increasing demand for such tools on the cybercrime market.
LNK files advertise the tool and the value of LNK files to threat actors by claiming that Office macros “are for the most part dead” [as a medium for deploying malware], referring to Microsoft’s recent decision to disable by default Office macro execution in the context of documents that originate from untrusted sources.
This article discusses Windows shortcuts (LNK files) as a medium to deploy malware and/or establish persistence. In the initial stages of an attack, threat actors are gravitating more towards the use of malicious shortcuts that deploy malware by executing code in the context of so-called living-off-the-land binaries (LOLbins) – legitimate executables that are readily available on Windows systems, such as mshta.exe – to bypass detection. Threat actors conveniently build malicious LNK files with Windows system capabilities or with tools specifically designed for that purpose, and then distribute the files to victims, usually through phishing emails.
Because of these advantages, threat actors are widely abusing shortcuts. Since Microsoft’s announcement that Office applications will by default disable the execution of Office macros in the context of documents that originate from untrusted sources, there has been a significant uptick in malicious actors using alternative media for deploying malware, such as malicious Windows Apps and shortcuts (LNK files). We covered malicious Windows Apps in a previous article. In this article, we focus on malicious shortcuts and provide:
LNKfile samples from VirusTotal that are representative of the current malicious shortcut landscape.
Given the popularity of LNK files among threat actors, the dynamics of the cybercrime market for tools has quickly adjusted to serve the demand for tools that build malicious LNK files in a configurable and convenient manner. We spotlight in this section the mLNK and QuantumBuilder tools for building malicious LNK files. We observed that these tools have recently received updates and are currently being intensively advertised in the cybercrime web space.
The mLNK tool – released by NativeOne, a tool vendor on the cybercrime scene – is known for its configurability and ease of use. NativeOne released the newest version of the tool, version 4.2, in June 2022. We observed an intensive advertising campaign for the new mLNK version on cybercrime forums and marketplaces.
The new mLNK version brings new features that enable building LNK files that can evade Windows detection mechanisms, such as Microsoft Defender SmartScreen. The public release of mLNK currently sells for a basic price of $100 per month. NativeOne also sells a private release of mLNK 4.2 for $125.00, which bundles more evasion mechanisms than the public release, which is $25.00 cheaper.
Similar to mLNK, the QuantumBuilder tool is configurable and easy to use, enabling threat actors to conveniently create malicious LNK files. In May 2022, we started observing an advertising campaign for a new QuantumBuilder version in the cybercrime web space, consistent with other reports.
The actors behind the QuantumBuilder tool distinguish between public, VIP, and private users, and sell the tool for a basic price of €189. The following figure depicts the price list of QuantumBuilder as advertised online, including the advantages of becoming a VIP or private QuantumBuilder user.
It is interesting to note that the actors behind QuantumBuilder advertise the tool by claiming that Office macros as a medium for deploying malware “are for the most part dead”, referring to Microsoft’s decision to disable by default Office macro execution in the context of documents that originate from untrusted sources.
A number of widespread attack campaigns that involve malicious shortcuts are active at the time of writing this article:
LNK files since the second quarter of 2022. These malware families are capable of deploying additional malware on compromised systems, including destructive ransomware. In addition, the Threat Analysis Group (TAG) at Google has observed Exotic Lily, an initial access broker (IAB) for ransomware actors, distributing malicious LNK files to infect systems.
LNK files since September 2021. These attacks specifically involve infected USB media containing malicious LNK files.
LNK files through targeted phishing emails. The malicious LNK files deploy the GammaLoad.PS1_v2 malware on compromised systems. There are also other Ukraine-themed malicious LNK files currently in circulation. In addition, the GlowSand attack campaign includes malicious LNK files that download payloads from attacker-controlled endpoints that respond only to requests from systems with Ukrainian IP addresses.
In this section, we characterize malicious shortcuts by analyzing the filesystem path to the shortcut target and the command line arguments that the system specifies at shortcut target activation. We take a snapshot of the current malicious shortcut landscape based on VirusTotal as a mass repository of representative malicious LNK file samples. We analyzed 27,510 LNK file samples submitted to VirusTotal between July 14th, 2021 and July 14th, 2022. All samples were detected as malicious by at least 30 vendors. 68.89% of the LNK file samples were submitted in 2022, and the remaining 31.11% in 2021.
We provide current insights about execution chains that originate from malicious shortcuts to assist threat detection and hunting efforts. The section How Does Windows Execute Shortcuts? below provides background information on Windows shortcuts and the system activities that take place when a user executes a shortcut.
The following image depicts the targets of the malicious shortcuts we analyzed – the executables that the shortcuts execute at target activation – and their prevalence in the set of malicious shortcuts (expressed in percentages, rounded to three decimal places).
The shortcut targets are LOLbins and/or enable the execution of attacker-specified code and/or executables. We observed the following targets at the top of the list:
cmd.exe, the Windows command interpreter, which enables the execution of Windows commands and arbitrary executables.
rundll32.exe, which enables the execution of arbitrary code in a Windows DLL.
wscript.exe, a Windows script execution environment, which enables the execution of arbitrary script code.
powershell.exe, the command interpreter of the PowerShell scripting engine.
Malicious shortcuts activate cmd.exe as the shortcut target to execute one or multiple Windows commands (typically implemented as executables that reside in the %SystemRoot%\System32 folder), and/or attacker-provided files:
Files with the .exe filename extension (.exe files), which are in the Windows executable file format.
Files with filename extensions other than .exe (non-.exe files), which are of any file format, including the Windows executable format.
Malicious shortcuts execute multiple Windows commands and/or attacker-provided files through cmd.exe by specifying them as command statements chained with the & symbol. The chained command statements are part of the command line arguments of the shortcut target.
The malicious shortcuts we analyzed execute a variety of Windows commands through cmd.exe. We categorize the commands as follows:
The majority of the filenames of the attacker-provided .exe files that the malicious shortcuts we analyzed execute through cmd.exe are random – 99.914% of the filenames are random and only 0.086% are non-random (comprehensible), such as
We grouped the malicious shortcuts that execute attacker-provided .exe files through cmd.exe into clusters according to the filenames of the .exe files. We observed that the .exe files with non-random filenames are executed by a small number of shortcut clusters with large population sizes, with an average of 1177 shortcuts per cluster. By contrast, the .exe files with random filenames are executed by a large number of shortcut clusters with very small population sizes, most of which contain no more than 3 shortcuts. This shows that defenders should consider shortcuts that execute .exe files with random filenames highly suspicious, while staying on top of .exe file naming trends in the threat landscape for better detection coverage.
We observed a very diverse set of 253 different filename extensions of the attacker-provided non-.exe files that the malicious shortcuts we analyzed execute through cmd.exe.
Considering filename extensions only, the malicious shortcuts executed:
We observed that the vast majority of the apparent data files (for example, files with the .avi extension) are in fact executable or script files (for example, .vbs scripts) carrying a spoofed filename extension to masquerade as files of other formats.
For approximately 0.5% of the malicious shortcuts we analyzed, the combined length of the filesystem path to the shortcut target and the command line arguments that the system specifies at target activation is greater than 260 characters. Visual inspection of the Properties > Shortcut > Target field of an LNK file in the Explorer utility, which displays the path to the shortcut target and any command line arguments, does not reveal anything beyond 260 characters. Attackers are known to abuse this for obfuscation – they craft LNK files such that the command line arguments are padded with characters, such as newlines or spaces, so that the combined length of the path to the shortcut target and the command line arguments significantly exceeds 260 characters and the malicious part of the command line falls outside what the Target field displays.
We observed character padding mostly in shortcuts that targeted powershell.exe. In addition, we observed string concatenation and the use of the caret (^) symbol for target and/or command line argument obfuscation in approximately 2.5% of the samples.
The user interface of the Windows operating system, a component referred to as the Windows Shell, manages and conceptually represents as objects entities that users interact with. Objects include entities that reside on the filesystem, such as files and folders, as well as other entities, such as networked computers. The Windows Shell structures these objects into a namespace – the Shell namespace.
When a user creates a shortcut to another object (also referred to as the shortcut target) using the Create shortcut command, the Windows Shell creates a Shell Link object and an LNK file – a file with the .lnk filename extension. An LNK file is in the binary Shell Link file format and stores, in data structures, the information that Windows needs to access (activate) the shortcut target. This information includes:
The path to the shortcut target, relative to the LNK file (in the RELATIVE_PATH structure) and as an absolute path (in the LinkInfo structure).
The command line arguments passed to the shortcut target (in the COMMAND_LINE_ARGUMENTS structure).
The icon displayed for the LNK file in icon view (in the ICON_LOCATION structure).
The figure below depicts the content of the malicious LNK file that we named malLNK.lnk (SHA-1 hash value: 5b241d50f1a662d69c96d824d7567d4503379c37). We displayed the content of malLNK.lnk using the LECmd LNK file parsing tool.
The shortcut target of malLNK.lnk is C:\Windows\System32\cmd.exe and the command line argument is:
/c "%SystemRoot%\explorer.exe %cd%新建文件夹 & attrib -s -h %cd%qCAQlUf.exe & xcopy /F /S /Q /H /R /Y %cd%qCAQlUf.exe %temp%\rplKl\ & attrib +s +h %cd%qCAQlUf.exe & start %temp%\rplKl\qCAQlUf.exe & exit"
In summary, the activated shortcut target uses the Explorer utility to open the item %cd%新建文件夹 (Chinese for “New folder”) in the directory the shortcut is launched from, clears the System and Hidden attributes of the executable qCAQlUf.exe in that directory, copies it to %temp%\rplKl\, restores the attributes on the original, and executes the copy before exiting.
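The following Python script is an added example, not code from the original article or from the LECmd tool. It parses the Shell Link structures described above (the ShellLinkHeader, the LocalBasePath inside LinkInfo, and the RELATIVE_PATH, WORKING_DIR and COMMAND_LINE_ARGUMENTS StringData items) and then applies the indicators from the characterization section: a LOLbin target, a target-plus-arguments length above 260 characters, whitespace padding, caret characters, & chained command statements, and random-looking .exe filenames. The sample it runs against is constructed in the script by a small builder (build_lnk) and modeled on the malLNK.lnk command line, with 300 spaces of padding added in front of the arguments; the random-filename test (looks_random) is a crude heuristic of my own, not the classification used in the analysis.

```python
import re
import struct

# MS-SHLLINK constants: header CLSID and the LinkFlags bits used here.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
MAX_PATH = 260  # Explorer's Properties > Shortcut > Target field shows at most this many characters
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def _read_string(buf, off, unicode):
    """One StringData item: 2-byte character count, then the string (UTF-16LE when IsUnicode is set)."""
    (count,) = struct.unpack_from("<H", buf, off)
    size = count * 2 if unicode else count
    raw = buf[off + 2:off + 2 + size]
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + 2 + size

def parse_lnk(buf):
    """Read the ShellLinkHeader, skip LinkTargetIDList, pull LocalBasePath from LinkInfo, read StringData."""
    (header_size,) = struct.unpack_from("<I", buf, 0)
    if header_size != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    off = header_size
    if flags & HAS_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + id_list_size
    local_base_path = None
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, lbp_off = struct.unpack_from("<IIIII", buf, off)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: absolute target path, NUL-terminated ANSI
            local_base_path = buf[off + lbp_off:buf.index(b"\x00", off + lbp_off)].decode("cp1252")
        off += info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {"local_base_path": local_base_path}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                      ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):  # fixed StringData order
        if flags & bit:
            fields[name], off = _read_string(buf, off, unicode)
    return fields

def looks_random(name):
    """Crude stand-in (my heuristic, not the article's method): few vowels or erratic case changes."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowels / len(letters) < 0.2 or flips >= 3

def triage(lnk):
    """Indicators from the analysis: LOLbin target, >260 chars, padding, carets, & chains, random .exe names."""
    target = lnk.get("local_base_path") or lnk.get("relative_path") or ""
    args = lnk.get("arguments", "")
    exe = target.rsplit("\\", 1)[-1].lower()
    findings = []
    if exe in LOLBINS:
        findings.append(f"LOLbin target {exe}")
    combined = len(target) + 1 + len(args)
    if combined > MAX_PATH:
        findings.append(f"target plus arguments is {combined} characters; the Target field shows {MAX_PATH}")
    if re.search(r"[ \t\r\n]{16,}", args):
        findings.append("whitespace padding in arguments")
    if "^" in args:
        findings.append(f"{args.count('^')} caret(s) in arguments")
    body = args.strip()
    wrapper = re.match(r'/[ck]\s+"?(.*?)"?$', body, re.S)  # unwrap cmd.exe /c "..." or /k "..."
    if wrapper:
        body = wrapper.group(1)
    statements = [s for s in re.split(r"\s*&&?\s*", body) if s] if exe == "cmd.exe" else [body]
    random_names = sorted({n + ".exe" for n in re.findall(r"([\w-]+)\.exe\b", body) if looks_random(n)})
    if random_names:
        findings.append("random-looking executable names: " + ", ".join(random_names))
    return {"target": target, "combined_length": combined, "statements": statements,
            "random_names": random_names, "findings": findings}

def build_lnk(abs_target, rel_path, work_dir, args):
    """Assemble a minimal Shell Link for testing (constructed input, not a real sample)."""
    flags = HAS_LINK_INFO | HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty volume label
    lbp = abs_target.encode("cp1252") + b"\x00"
    lbp_off = 0x1C + len(volume_id)
    suffix_off = lbp_off + len(lbp)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, lbp_off, 0, suffix_off)
    link_info += volume_id + lbp + b"\x00"  # VolumeID, LocalBasePath, empty CommonPathSuffix

    def sd(text):  # one StringData item
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + link_info + sd(rel_path) + sd(work_dir) + sd(args) + struct.pack("<I", 0)

# Constructed sample modeled on the page's malLNK.lnk command line, with 300 spaces of padding in front of
# the real arguments so that Explorer's Target field shows nothing useful.
SAMPLE_ARGS = " " * 300 + ('/c "%SystemRoot%\\explorer.exe %cd%新建文件夹 & attrib -s -h %cd%qCAQlUf.exe & '
                           'xcopy /F /S /Q /H /R /Y %cd%qCAQlUf.exe %temp%\\rplKl\\ & attrib +s +h %cd%qCAQlUf.exe & '
                           'start %temp%\\rplKl\\qCAQlUf.exe & exit"')
SAMPLE_LNK = build_lnk("C:\\Windows\\System32\\cmd.exe", "..\\..\\..\\Windows\\System32\\cmd.exe",
                       "C:\\Users\\user\\Desktop\\malLNK", SAMPLE_ARGS)

if __name__ == "__main__":
    result = triage(parse_lnk(SAMPLE_LNK))
    print("\n".join(result["findings"]))
    print("\n".join("  " + s for s in result["statements"]))
```

Run it directly to print the findings and the split command statements; to examine a real shortcut, pass the bytes of the .lnk file to parse_lnk. The parser skips the LinkTargetIDList and ExtraData blocks and takes the absolute target from LinkInfo when present, falling back to RELATIVE_PATH otherwise, so the reported target may differ from what Explorer resolves through the ID list on the originating machine.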
The following figure depicts a simplified overview of the activities that the Windows operating system conducts to activate a shortcut target through an LNK file. We take malLNK.lnk as a running example.
Windows handles shortcut target activation using implementations of the IContextMenu::InvokeCommand Windows Shell method. This method takes a single parameter: a pointer to a CMINVOKECOMMANDINFO or CMINVOKECOMMANDINFOEX structure. The CMINVOKECOMMANDINFO(EX) data structure stores information about the command that the Windows Shell executes when a user triggers the execution of IContextMenu::InvokeCommand. In the context of shortcuts, the command is the shortcut target with any command line arguments.
The information that CMINVOKECOMMANDINFO(EX) stores includes the working directory at command execution (the lpDirectory(W) structure fields) and the command parameters (the lpParameters(W) structure fields). In contrast to CMINVOKECOMMANDINFO, CMINVOKECOMMANDINFOEX allows for Unicode structure field values.
When a user double-clicks malLNK.lnk, the system executes the CDefFolderMenu::InvokeCommand function, which is implemented in %SystemRoot%\System32\shell32.dll. This function populates a CMINVOKECOMMANDINFOEX structure and passes the execution flow to the CShellLink::InvokeCommand function, which is implemented in %SystemRoot%\System32\windows.storage.dll, with the populated CMINVOKECOMMANDINFOEX structure as the function’s parameter. At this point, the CMINVOKECOMMANDINFOEX structure that CShellLink::InvokeCommand takes as its parameter has only a few fields populated, for example, the mandatory cbSize field (which specifies the size of CMINVOKECOMMANDINFOEX in bytes) and the lpDirectory(W) fields.
The figure below depicts the content of the CMINVOKECOMMANDINFOEX structure that CShellLink::InvokeCommand takes as its parameter. malLNK.lnk resides in the C:\Users\<user>\Desktop\malLNK folder – this determines the values of the lpDirectory(W) structure fields.
The CShellLink::InvokeCommand function conducts the central activities related to shortcut handling. This includes locating the shortcut target on the filesystem, expanding environment variables, and fully populating a CMINVOKECOMMANDINFOEX structure. CShellLink::InvokeCommand then passes the execution flow back to the CDefFolderMenu::InvokeCommand function with the fully populated CMINVOKECOMMANDINFOEX structure. For example, the populated CMINVOKECOMMANDINFOEX structure stores the command parameters in the lpParameters(W) structure fields – this is the data in the COMMAND_LINE_ARGUMENTS structure that resides in malLNK.lnk.
The CDefFolderMenu::InvokeCommand function then passes the execution flow to the CRegistryVerbsContextMenu::InvokeCommand function with the fully populated CMINVOKECOMMANDINFOEX structure as the function’s parameter. CRegistryVerbsContextMenu::InvokeCommand is implemented in the
The invocation of CRegistryVerbsContextMenu::InvokeCommand leads to the creation of a new process through the CreateProcessW function, which is implemented in %SystemRoot%\System32\kernel32.dll. The command line of this process is the shortcut target followed by the command line argument, as shown below. Note that the environment variables inside the argument (%SystemRoot%, %cd%, %temp%) are still unexpanded in this command line; cmd.exe expands them when it interprets the chained command statements, so process-creation telemetry records the raw variables rather than the resolved paths.
C:\windows\system32\cmd.exe /c "%SystemRoot%\explorer.exe %cd%新建文件夹 & attrib -s -h %cd%qCAQlUf.exe & xcopy /F /S /Q /H /R /Y %cd%qCAQlUf.exe %temp%\rplKl\ & attrib +s +h %cd%qCAQlUf.exe & start %temp%\rplKl\qCAQlUf.exe & exit"
Investigators should consider highly suspicious any Windows shortcut (LNK file) that exhibits the following in the execution chain that originates from the shortcut:
Execution of attacker-provided non-.exe files through cmd.exe as the shortcut target. We observed 253 different extensions of the non-.exe files that the malicious shortcuts we analyzed execute. The majority of these non-.exe files are files that store executable code (for example, Windows executables or script files) masquerading as files of other formats, such as audio or video files.
Execution of attacker-provided files with the .exe extension and random filenames through cmd.exe as the shortcut target. For .exe files with non-random (comprehensible) filenames, investigators should stay on top of .exe file naming trends in the threat landscape for better detection coverage.
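As an added example (again not part of the original article), the following Python applies the investigator heuristics above, together with the execution chain traced in the previous section, to process-creation telemetry: it looks for a LOLbin started by explorer.exe (the process created at shortcut target activation), counts the & chained statements in its command line, checks for attrib/xcopy staging children, and flags a descendant executed from a user-writable location such as %TEMP%. The event records are constructed Sysmon-style entries modeled on the malLNK.lnk chain, with a benign chained cmd.exe invocation for contrast; the field names, the weights and the 3-point threshold are my assumptions, not values from the article.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not real telemetry), modeled on the malLNK.lnk chain:
# explorer.exe -> cmd.exe -> attrib/xcopy -> the copied executable in %TEMP%, plus a benign chained cmd.exe.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"pid": 4312, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'C:\\windows\\system32\\cmd.exe /c "%SystemRoot%\\explorer.exe %cd%新建文件夹 & attrib -s -h '
                '%cd%qCAQlUf.exe & xcopy /F /S /Q /H /R /Y %cd%qCAQlUf.exe %temp%\\rplKl\\ & attrib +s +h '
                '%cd%qCAQlUf.exe & start %temp%\\rplKl\\qCAQlUf.exe & exit"'},
    {"pid": 4320, "ppid": 4312, "image": "C:\\Windows\\System32\\attrib.exe", "cmdline": "attrib -s -h E:\\qCAQlUf.exe"},
    {"pid": 4328, "ppid": 4312, "image": "C:\\Windows\\System32\\xcopy.exe",
     "cmdline": "xcopy /F /S /Q /H /R /Y E:\\qCAQlUf.exe C:\\Users\\user\\AppData\\Local\\Temp\\rplKl\\"},
    {"pid": 4340, "ppid": 4312, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\rplKl\\qCAQlUf.exe",
     "cmdline": "C:\\Users\\user\\AppData\\Local\\Temp\\rplKl\\qCAQlUf.exe"},
    {"pid": 5000, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": 'cmd.exe /c "dir & echo done"'},
]

LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STAGING = {"attrib.exe", "xcopy.exe", "robocopy.exe"}  # commands the chain uses to hide and copy the payload
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
THRESHOLD = 3  # assumed cut-off; the weights below are assumptions as well

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def descendants(children, pid):
    """All processes below pid in the tree (depth-first)."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev["pid"], []))
    return out

def score_chains(events):
    """Score each LOLbin that explorer.exe started, i.e. the process created at shortcut target activation."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    results = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "explorer.exe" or basename(e["image"]) not in LOLBINS:
            continue
        score, reasons = 0, []
        statements = [s for s in re.split(r"\s*&&?\s*", e["cmdline"]) if s]
        if len(statements) >= 3:
            score += 1
            reasons.append(f"{len(statements)} chained command statements")
        kids = descendants(children, e["pid"])
        if any(basename(k["image"]) in STAGING for k in kids):
            score += 1
            reasons.append("attrib/xcopy staging in the chain")
        staged = [k["image"] for k in kids if USER_WRITABLE.search(k["image"])]
        if staged:
            score += 2
            reasons.append("descendant executed from a user-writable path: " + staged[0])
        results.append({"pid": e["pid"], "image": e["image"], "score": score,
                        "suspicious": score >= THRESHOLD, "reasons": reasons})
    return results

if __name__ == "__main__":
    for r in score_chains(EVENTS):
        print(r["pid"], r["image"], r["score"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

The weighting deliberately puts the most points on the last step, an executable running from a user-writable directory, because a chained cmd.exe line launched from Explorer is also what a benign user double-click on a batch-style shortcut produces; the benign record in the sample scores zero for that reason.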
Users should stay vigilant against phishing attacks and refrain from executing attached files that originate from unknown sources. Threat actors are distributing malicious LNK files through phishing emails at a mass scale, and there is a substantial number of active widespread attack campaigns that involve malicious shortcuts. The malicious LNK files often come with misleading filenames and icons masquerading as important documents or critical software to lure users into activating the shortcuts.