You can also view the article at Bitcrack’s blog here
LNK files are Windows shortcut files designed to provide access to applications, files, or folders. The desktop shortcuts of browsers and other programs are simply LNK files dressed up with the appropriate icon (e.g. the Firefox icon on the Firefox desktop shortcut). At their core they are files holding a set of instructions for the OS: where the shortcut's icon is stored, where the actual program executable is located, which arguments to pass to it, and so on. Although created for benign use and UX convenience, those same features can be abused.
For attackers, LNK files are a powerful tool for code execution and credential theft, allowing them to gain access and move laterally in the network. They are dangerous because they can masquerade as documents (e.g. Invoice.pdf.lnk) with convincing icons, and because Explorer never displays the .lnk extension, even when extensions for known file types are shown, so the victim only sees Invoice.pdf. (The credential-theft angle comes from the icon and target paths: pointing them at an attacker-controlled UNC share makes Windows authenticate to that share when the icon is rendered.) There have been numerous campaigns by APTs during the past year in which the attackers utilized LNK files:
A North Korean APT delivered an LNK file that was used to download and execute further malware on the target machine (Source)
A suspected Asian APT delivered an LNK file that created a scheduled task on the target machine to pull down further payloads (Source)
In this article we'll explore some of the ways an LNK file can be weaponized, both before infection and after gaining the initial foothold in the network.
Modern malware infection chains, such as the campaigns mentioned above, start with a trigger: the initial stage of the infection, which runs when the victim opens it. The trigger usually launches two things: the decoy, which convinces the victim that they opened something benign, and the actual payload, which contains the malicious code.
An LNK file can be used as a trigger, since the attacker controls its icon (they can make it look like the file type of the decoy) and can make the file execute OS commands when it is opened by creating a shortcut to %COMSPEC%, the environment variable that holds the path to CMD.EXE, and passing arguments to it.
```powershell
# Build the shortcut through the WScript.Shell COM object
$wsh = New-Object -ComObject WScript.Shell
# Double extension: Explorer hides ".lnk", so the user sees "report.pdf"
$lnk = $wsh.CreateShortcut("C:\Users\user1\Desktop\report.pdf.lnk")
# %COMSPEC% resolves to cmd.exe when the shortcut is opened
$lnk.TargetPath = "%COMSPEC%"
# /C runs the command line and exits: payload first, then the decoy document
$lnk.Arguments = "/C start payload.exe && start decoy.pdf"
# Borrow a document-looking icon (index 13 inside msedge.exe) so the file passes as a PDF
$lnk.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13"
$lnk.Save()
```
The arguments may also download the files the infection needs, the actual malware, or whatever else the campaign requires, with any added obfuscation and AV/EDR evasion. Note that with %COMSPEC% as the target a console window briefly appears when the shortcut is opened, which is why real campaigns typically add options such as start /min or a PowerShell -WindowStyle Hidden stage to keep it out of sight.
Admins should be wary of this behavior. Defenders can look for LNK files spawning command interpreters or LOLBINs such as powershell, CMD, mshta, etc. One caveat when hunting in process-creation telemetry (Sysmon Event ID 1, Windows Security 4688): opening a shortcut makes explorer.exe the parent of the interpreter, and the command line shows the expanded target and arguments, not the path of the .lnk file itself. The LNK path only surfaces through file-access or file-creation events, so a useful detection pairs explorer.exe spawning cmd.exe or powershell.exe with suspicious argument patterns (/C start, URLs, encoded commands) rather than looking for the shortcut name in the process command line.
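The following triage script is an added example and not code from the original article. It reads the same three shortcut properties the attacker set above (TargetPath, Arguments, IconLocation) back out of every .lnk file under a user's Downloads, Desktop and Temp folders and flags the abuse patterns described in this section: an interpreter or LOLBIN as the target, a document-viewer icon pasted onto an interpreter, a double extension, and launch/download/encoding keywords in the arguments. It assumes a Windows host with the WScript.Shell COM object available; the target and icon lists, the keyword regex and the 200-character threshold are illustrative choices, not the article's.

```powershell
# Added example: triage LNK files for the abuse patterns described above.
# Assumptions: Windows host, WScript.Shell COM object available; the lists,
# regex and length threshold below are heuristics chosen for illustration.

# Interpreters and LOLBINs commonly seen as shortcut targets in phishing LNKs.
$SuspiciousTargets = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                       'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe',
                       'certutil.exe', 'bitsadmin.exe', 'forfiles.exe', 'conhost.exe')

# Binaries whose icons get borrowed to make a shortcut look like a document.
$DocumentIconHosts = @('msedge.exe', 'chrome.exe', 'acrord32.exe', 'winword.exe',
                       'excel.exe', 'powerpnt.exe', 'wordpad.exe', 'notepad.exe',
                       'imageres.dll', 'shell32.dll')

function Get-LnkFinding {
    param([Parameter(Mandatory)][string]$Path)

    $wsh = New-Object -ComObject WScript.Shell
    # CreateShortcut on an existing .lnk loads its properties; it does not run the target.
    $lnk = $wsh.CreateShortcut($Path)

    # The COM object may return the raw "%COMSPEC%" string or an already resolved
    # path depending on how the LNK was written, so expand before inspecting the name.
    $target    = [Environment]::ExpandEnvironmentVariables([string]$lnk.TargetPath)
    $targetExe = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
    $iconFile  = ([string]$lnk.IconLocation -split ',')[0]
    $iconExe   = [System.IO.Path]::GetFileName($iconFile).ToLowerInvariant()
    $argString = [string]$lnk.Arguments

    $reasons = @()
    if ($SuspiciousTargets -contains $targetExe) {
        $reasons += "target is a command interpreter or LOLBIN ($targetExe)"
    }
    # Icon from a viewer/browser while the target is an interpreter: the report.pdf.lnk trick.
    if ($reasons.Count -gt 0 -and $DocumentIconHosts -contains $iconExe) {
        $reasons += "icon borrowed from $iconExe while target is $targetExe"
    }
    # Explorer hides the .lnk suffix, so "report.pdf.lnk" is shown as "report.pdf".
    if ([System.IO.Path]::GetFileNameWithoutExtension($Path) -match '\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)$') {
        $reasons += 'double extension masquerading as a document'
    }
    # Launch, download, encoded-command and hidden-window keywords in the arguments.
    if ($argString -match '(?i)\bstart\b|https?://|-e(c|nc|ncodedcommand)?\b|\biex\b|invoke-|downloadstring|hidden') {
        $reasons += 'arguments contain launch/download/obfuscation keywords'
    }
    if ($argString.Length -gt 200) {
        $reasons += "unusually long argument string ($($argString.Length) chars)"
    }

    [pscustomobject]@{
        Path       = $Path
        Target     = $target
        Arguments  = $argString
        Icon       = [string]$lnk.IconLocation
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Sweep the locations where a phished user most likely dropped the file.
$roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")
Get-ChildItem -Path $roots -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-LnkFinding -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List Path, Target, Arguments, Icon, Reasons
```

Run it from an elevated or the affected user's PowerShell session on the suspect host, or point $roots at a mounted forensic image. Reading a shortcut through WScript.Shell does not execute its target, but a shortcut pointing at an interpreter with a long, URL-bearing or encoded argument string should be treated as a live sample and handled in an isolated environment. Shortcuts whose target is a legitimate document viewer with benign arguments will not be reported, which is the point: the signal is the combination of an interpreter target with a document-style name or icon, not the presence of an LNK file.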