Rogue Shortcuts: LNK'ing to Badness

source link: https://www.varonis.com/blog/rogue-shortcuts-lnking-to-badness

Inside Out Security Blog   /   Threat Research

Last updated June 16, 2022

Whilst not a new tactic, multiple recent campaigns suggest that rogue Windows shortcuts, 'LNK' files, are back in favor with threat actors.

Shortcut files can be used to link to any file or folder and, in addition to providing user-friendly links to programs within the Windows 'Start Menu', many users will create shortcuts to easily access their own content.

By default, Windows shortcuts adopt the target filetype icon with a small arrow overlay although it is trivial to change this icon and give the impression that the target is of another filetype (Figure 1).

Figure 1 - Example shortcut to 'calc.exe' visually appearing as a PDF file

Utilizing this somewhat simple social engineering technique, the threat actor can lure the victim into launching the content, negating the need for a complex exploit or a suspicious initial payload.

Because it adopts the appearance of a benign file type that is likely familiar to the victim, the rogue shortcut looks much like any other shortcut file, while its target uses existing legitimate Windows utilities to launch an initial stager, a technique commonly known as 'LOLBins' ('living off the land binaries').

Based on this simple approach, recently observed malicious activity includes targeted attacks orchestrated by the malware-as-a-service provider 'Golden Chickens', a group also known as 'Venom Spider', as well as broader malspam campaigns conducted by the infamous cybercrime group 'Emotet'.

Delivery

Unsurprisingly, these recent attacks commenced with the delivery of an initial lure email, masquerading as some legitimate business communication, including a Zip-compressed attachment containing the rogue shortcut file.

Given that Emotet has a broader, indiscriminate approach to targeting victims, the group continues to adopt its tried-and-tested tactic of using email lures with common business terminology related to financial or sales matters. Conversely, the Golden Chickens campaign appeared more targeted in nature, with email lures purporting to be job offers or details of a job vacancy likely to be of interest to the victim.

Regardless of the email theme, the language and content within the lure will encourage the victim to open the Zip-compressed attachment that contains the rogue shortcut.

Whilst many of the recently observed samples include some seemingly benign filenames, without any specific file extension, some mimic legitimate productivity files that would appear more convincing to an unwary eye (Figure 2).

Figure 2 - Example Zip-compressed attachment containing a rogue shortcut (Note: Windows will only render the icon when the file has been extracted)

Victims lured into launching the rogue shortcut will trigger an initial stager that is used to download the main attack payload.

Initial Stager

Both Emotet and Golden Chickens have recently adopted similar rogue shortcut techniques utilizing various 'LOLBins' ('living off the land binaries') to execute some obfuscated content to download a subsequent malicious payload.

Emotet PowerShell

Featuring a generic file icon selected from the Windows 'SHELL32.dll' icon library (Figure 3), recent Emotet campaigns have delivered a shortcut that will launch PowerShell with a series of parameters that prepare and launch the initial stager.

Figure 3 - Shortcut icon used in recent Emotet PowerShell campaigns

Given that the entire command is visible within the shortcut properties, an initially benign PowerShell command and padding is used to hide the nefarious elements from casual visual inspection.

Commencing with the execution of the 'InputObject' cmdlet, the filename and padding are converted to a string that, given the command is followed by 'Out-Null', serves no purpose and will not be displayed to the victim (Figure 4).

Figure 4 - Shortcut 'Target' padding

Subsequently, the initial stager, a base-64 encoded string, is decoded and written to a randomly named 'PS1' file within the victim's temporary '%TEMP%' directory (Figure 5).

Figure 5 - Initial stager base-64 decoded and saved to %TEMP%

The decoded initial stager, another PowerShell script, includes several Emotet command and control (C2) URLs from which the next stage Emotet payload can be downloaded (Figure 6).

Figure 6 - Initial stager PowerShell

Using the 'Invoke-WebRequest' cmdlet, referred to by its short name 'IWR', an attempt is made to connect to each URL in turn and, assuming a successful connection is made, the payload is downloaded to a randomly named file in the victim's %TEMP% directory.

Notably, the script includes exception handling via the 'try' and 'catch' statements that, in the event of an exception, will silently continue and attempt to download the payload from the next URL in the list.

Upon success, the Emotet payload, a Windows dynamic link library (DLL) file, will be loaded into memory using 'regsvr32.exe', allowing the threat actor to act on their objectives.

Finally, to clean up after themselves, the 'Remove-Item' cmdlet is executed to delete the initial stager PS1 file from the victim's %TEMP% directory (Figure 7).

Figure 7 - Initial stager PowerShell execution and subsequent removal

Emotet VBScript

Superseded by the Emotet PowerShell-based rogue shortcut, a short, albeit unsuccessful, campaign was observed using Visual Basic Script (VBScript) elements that included a hardcoded misconfiguration.

Utilizing the same icon as the PowerShell variant, the command-line 'findstr' string-search utility is used to locate a block of VBScript that has been appended to the footer of the shortcut file (Figure 8).

Figure 8 - VBScript extracted from the footer of the LNK file

In this instance, assuming the shortcut file is still named 'Password2.doc.lnk', the VBScript will be matched by the 'findstr' command, saved to a file within the '%TEMP%' directory, and executed.

Given the hardcoded shortcut filename, most instances of this observed campaign appeared to fail and Emotet shifted their attention to the PowerShell variant.

That being said, it is possible that Emotet could resolve their build process, and 'fixed' lures that reflect the correct shortcut filename could be observed in the future.

Assuming the correct operation of this lure, with the VBScript being located and saved to the %TEMP% directory, a combination of base-64 encoded strings and character substitutions is used to obfuscate the content (Figure 9), with all statements placed on a single line separated by colons.

Figure 9 - VBScript excerpt showing the obfuscation techniques

De-obfuscating and simplifying the script reveals that the stager process is similar to that of the Emotet PowerShell variant: randomly select one of the seven (decoded) base-64 encoded URLs and save the payload to a file within the '%TEMP%' directory (Figure 10).

Figure 10 - Deobfuscated/simplified VBScript Initial Stager main process

Notably, the HTTP request within this VBScript includes an unusual, fixed User-Agent string that would likely appear anomalous alongside other legitimate traffic.

Having downloaded the Emotet payload, a Windows dynamic link library (DLL), the final statements in the VBScript launch 'regsvr32.exe' to load it into memory before deleting the initial stager VBScript from the '%TEMP%' directory (Figure 11).

Figure 11 - Payload execution and initial stager removal

Golden Chickens MS Internet Explorer Per-user Initialization Utility

Unlike Emotet, the recently observed Golden Chickens campaigns have not used Windows native scripting engines but have instead rekindled a bypass and evasion technique first detailed back in 2018 [1].

Hiding behind the default text file icon (Figure 12), the rogue shortcut includes a series of obfuscated shell commands, effectively forming a 'batch file' or 'shell script', that makes heavy use of the 'set' command to assign values to various environment variables (Figure 13).

Figure 12 - 'Text file' shortcut icon used in recent Golden Chickens' campaigns

Figure 13 - Obfuscation through the assignment of multiple environment variables

Deobfuscating this initial stager command reveals that it writes a setup information file ('.INF') to '%APPDATA%\Microsoft\ieuinit.inf' including some string variables that further obfuscate the content.

Removing the second layer of obfuscation allows the information file to be easily reviewed and identified as containing a malicious URL that could be invoked by running the legitimate 'Internet Explorer Per-User Initialization Utility' executable ('ie4uinit.exe') (Figure 14).

Figure 14 - Deobfuscated information file

The legitimate 'ie4uinit.exe' executable is copied from the %SYSTEM32% directory to '%APPDATA%\Microsoft\', alongside the newly created information file, and is executed via the Windows Management Instrumentation (WMI) Command-Line Utility (Figure 15).

Figure 15 - Copy and execution of 'ie4uinit.exe'

Subsequently, the 'ie4uinit.exe' '-basesettings' parameter causes the dropped information file, located in the same directory, to be processed and initiates the download of a remote payload that allows the threat actor to further act on their objectives.

Recommendations

Given that Windows shortcuts are typically considered benign, and based on the common traits observed recently, defenders should consider the following to mitigate these threats:

  • Inspect email attachments and quarantine or block suspicious content such as Zip-compressed files containing Windows shortcuts ('.lnk' files)
  • Restrict the execution of unexpected binaries and scripts from the '%TEMP%' directory
  • Limit user access to Windows scripting engines including PowerShell and VBScript, enforcing the need for scripts to be signed via Group Policy
  • Monitor for, and be wary of, the unexpected execution by 'standard' users of the legitimate 'LOLBins' identified in this article, for example 'ie4uinit.exe' and 'wmic.exe'
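As an added example (not code from the Varonis article or any of the samples it describes), the following Python parses the Shell Link binary format far enough to recover the fields these lures abuse (relative target path, arguments, icon location) and flags the traits discussed above: a script-host or LOLBin target wearing a borrowed icon, stager markers or padding in the arguments (the Emotet PowerShell variant), and data appended after the shortcut structure (the Emotet VBScript variant). The sample shortcuts are constructed in code rather than taken from the campaigns, and the marker lists and indicator strings are my own choices.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # CLSID_ShellLink as stored on disk
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x1, 0x2, 0x80
STRING_FIELDS = [(0x4, "name"), (0x8, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location")]
SCRIPT_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "regsvr32", "wmic", "ie4uinit")
ARG_MARKERS = ("frombase64string", "-enc", "iwr ", "invoke-webrequest", "%temp%", "findstr", "ieuinit.inf")

def build_lnk(fields, trailer=b""):  # constructed minimal Unicode .lnk: header, StringData, terminal block, appended bytes
    flags = IS_UNICODE | sum(bit for bit, key in STRING_FIELDS if key in fields)
    header = struct.pack("<I16sIIQQQIIIH2sII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, b"\0\0", 0, 0)
    body = b"".join(struct.pack("<H", len(fields[k])) + fields[k].encode("utf-16-le") for _, k in STRING_FIELDS if k in fields)
    return header + body + struct.pack("<I", 0) + trailer

def parse_lnk(data):
    """Read the header, skip IDList/LinkInfo, decode StringData, and measure any bytes appended after the structure."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    info, pos = {}, 0x4C
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (4 bytes) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:                # StringData fields appear in this fixed order
        if flags & bit:
            nbytes = struct.unpack_from("<H", data, pos)[0] * width
            info[key] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + nbytes
    while pos + 4 <= len(data) and (block := struct.unpack_from("<I", data, pos)[0]) >= 4:
        pos += block                              # skip a complete ExtraData block
    pos += 4                                      # the terminal block (size < 4) that ends the structure
    info["trailing_bytes"] = max(0, len(data) - pos)
    return info

def suspicious_indicators(info):  # traits from the campaigns above; wording of the findings is my own
    target, args, icon = (info.get(k, "").lower() for k in ("relative_path", "arguments", "icon_location"))
    hits = []
    if any(h in target for h in SCRIPT_HOSTS):
        hits.append("target is a script host or LOLBin")
        if icon and not any(h in icon for h in SCRIPT_HOSTS):
            hits.append("icon borrowed from another file (decoy appearance)")
    if any(m in args for m in ARG_MARKERS):
        hits.append("stager markers in arguments")
    if len(args) > 512:
        hits.append("oversized arguments (padding hides the real command)")
    if info["trailing_bytes"]:
        hits.append("data appended after the shortcut structure")
    return hits
```

Real-world shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size; the relative path and arguments are the fields a mail gateway or triage script can cheaply inspect before the file is ever extracted on an endpoint.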

References

[1] https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

Jason Hill

Jason is a Security Researcher within the Varonis Research Team and has a penchant for all things threat intelligence. Equally happy analyzing nefarious files or investigating badness, Jason is driven by the desire to make the cyberworld a safer place.
