Shortcut To Malice: URL Files – InQuest

#DarkGate #NetSupportRAT #Phemedrone #RomComRAT #QuantLoader #DBatLoader #Remcos #Formbook #AnFam17 #CVE-2023-36025 #CVE-2016-3353 #WebDAV #SMB #4shared #DriveHQ #OpenDrive

Keypoints

  • URL files are text-based shortcuts that can reference remote resources and be weaponized in attacks.
  • Threat campaigns have used URL files in multi-stage chains (e.g., DarkGate, NetSupport RAT, Phemedrone) to deliver malware, exploiting CVE-2023-36025 for SmartScreen bypass.
  • Historical vulnerabilities (CVE-2016-3353) show long-standing risk in .url handling and MOTW bypass across Windows components.
  • In 2018, phishing campaigns leveraged URL files with JavaScript downloaders to distribute malware (Quant Loader), sometimes triggering user warnings.
  • URL files can enable information leakage and NTLM credential exposure via SMB/Responder by tricking Windows subsystems into authenticating to attacker-controlled hosts.
  • They enable DLL side-loading by abusing WorkingDirectory to hijack DLL search paths from a remote SMB share.
  • URL files are used for persistence and startup execution, enabling malware to run after reboot or login (e.g., Remcos, DBatLoader).
  • Recent campaigns (e.g., 2023 FakeSG/NetSupport RAT) show flexible hosting (WebDAV/HTTP) for payload delivery via URL files and cross-protocol behavior.
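The key points above describe four abused fields of the INI-style .url format: a URL target on a remote share or WebDAV host (often a directly executable type such as .cpl), a WorkingDirectory on an SMB share (DLL search-order hijack), an IconFile on a remote host (the shell fetches the icon and so starts an SMB authentication exchange), and placement in a Startup folder for persistence. The following static triage script is an added example, not code from the InQuest post or from any of the campaigns it names; the three .url samples inside it are constructed for illustration using documentation IP ranges, and the finding labels are this script's own.

```python
"""Static triage of Windows Internet Shortcut (.url) files (added example).

A .url file is a small INI file with an [InternetShortcut] section. This
script flags the fields the InQuest write-up describes as abused. It is a
constructed example; nothing here is the post's own code or IoCs.
"""
import posixpath
import re
from urllib.parse import urlsplit

# Directly executable target types; .cpl is the one the post singles out.
EXEC_EXT = {".cpl", ".exe", ".dll", ".js", ".jse", ".vbs", ".wsf", ".hta",
            ".lnk", ".msi", ".scr", ".bat", ".cmd", ".ps1"}
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                      # \\host\share\...
WEBDAV_HOST_RE = re.compile(r"@(SSL|\d+)", re.IGNORECASE)  # host@80, host@SSL@443 (WebDAV UNC syntax)
STARTUP_RE = re.compile(r"[\\/]Start Menu[\\/]Programs[\\/]Startup[\\/]", re.IGNORECASE)

# Constructed sample contents (not real campaign artifacts).
SAMPLES = {
    "benign": "[InternetShortcut]\r\nURL=https://example.com/docs/\r\n",
    "webdav_cpl": ("[InternetShortcut]\r\n"
                   "URL=file://203.0.113.10@80/share/update.cpl\r\n"
                   "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
                   "IconIndex=0\r\n"),
    "dll_hijack": ("[InternetShortcut]\r\n"
                   "URL=file:///C:/Tools/viewer.exe\r\n"
                   "WorkingDirectory=\\\\198.51.100.5\\share\r\n"),
}


def parse_url_file(text):
    """Return the key/value pairs of [InternetShortcut] with lower-cased keys.

    A hand-rolled parser is used instead of configparser so that odd lines
    (duplicate keys, GUID section names, stray text) do not abort triage.
    """
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def remote_host(value):
    """Return the host a field points at, or None when the value is local."""
    v = value.strip().strip('"')
    if UNC_RE.match(v):
        return v[2:].split("\\", 1)[0]
    parts = urlsplit(v)
    if parts.scheme.lower() == "file" and parts.netloc:
        return parts.netloc
    return None


def target_ext(value):
    """Lower-cased extension of the target path, for URL, UNC or local values."""
    v = value.strip().strip('"')
    parts = urlsplit(v)
    path = parts.path if parts.scheme else v
    return posixpath.splitext(path.replace("\\", "/").rstrip("/"))[1].lower()


def analyze(text, location=None):
    """Return an ordered list of finding labels for one .url file.

    `location` is the on-disk path of the file, if known, used only to
    detect placement in a Start Menu Startup folder.
    """
    fields = parse_url_file(text)
    findings = []
    url = fields.get("url", "")
    host = remote_host(url)
    if host:
        findings.append("remote_target")          # payload fetched from SMB/WebDAV host
        if WEBDAV_HOST_RE.search(host):
            findings.append("webdav_target")      # host@80 / host@SSL form
    if target_ext(url) in EXEC_EXT:
        findings.append("executable_target")      # e.g. .cpl straight to execution
    if remote_host(fields.get("workingdirectory", "")):
        findings.append("remote_workingdirectory")  # DLL search path on attacker share
    if remote_host(fields.get("iconfile", "")):
        findings.append("remote_iconfile")        # icon fetch forces NTLM exchange
    if location and STARTUP_RE.search(location):
        findings.append("located_in_startup")     # persistence via autostart folder
    return findings


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name}: {analyze(content) or 'no findings'}")
```

Run as a script it prints findings for the three constructed samples; in practice, feed it the contents of .url files pulled from mail attachments, user Downloads folders or Startup directories, and treat any `remote_*` finding on a file with an executable target as worth a closer look.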

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – “phishing-based attack where threat actors leveraged URL files in conjunction with JavaScript-based downloaders to distribute malware.”
  • [T1204.002] User Execution: Malicious File – “URL files are a shortcut file that can also be used for execution on a system.”
  • [T1203] Exploitation for Client Execution – “the security feature bypass vulnerability CVE-2023-36025; the ability to kick off a malicious content execution chain from a directly executable file type like a .cpl (DLL) file without pesky controls interrupting it or flagging it for the user is attractive to criminal actors.”
  • [T1059.007] Command and Scripting: JavaScript – “phishing-based attack where threat actors leveraged URL files in conjunction with JavaScript-based downloaders to distribute malware.”
  • [T1003.001] OS Credential Dumping: NTLM – “SMB connections to the remote servers are initiated, resulting in the authentication exchange and disclosure of NTLM credential data to the attacker.”
  • [T1574.001] DLL Search Order Hijacking – “WorkingDirectory option is processed, leading to the search path for loaded DLL being set to include an attacker-controlled directory on a remote SMB share.”
  • [T1547.001] Boot or Logon Autostart Execution – “When linked to autostart locations, these files also support a means of persistence to enable malware to execute after reboot or login.”
  • [T1071.001] Web Protocols – “the attacker is hosting the payloads on a WebDAV server, leading to content being retrieved… over HTTP using the WebDAV protocol.”

Indicators of Compromise

  • No IoCs Found

Read more: https://inquest.net/blog/shortcut-to-malice-url-files/