
Shortcut LNK Files May Contain Malware

by Vinh Lam, Senior Technical Program Manager

How malware can be hidden in LNK files and how organizations can protect themselves.

Cybercriminals are always looking for new techniques to get past security defenses. The more discreet the malware, the harder it is to detect and remove. Threat actors apply this principle by embedding hard-to-detect malware in Windows shortcut files (LNK files), turning a trusted, everyday mechanism into a dangerous threat.

Less than a month ago, a new spear-phishing campaign began targeting professionals on LinkedIn with a sophisticated backdoor trojan called "more_eggs", concealed in a fake job offer.

LinkedIn users received malicious ZIP archives named after the job titles listed on their LinkedIn profiles. When the victims opened the fake job offer, they unknowingly triggered the silent installation of the fileless backdoor "more_eggs". Once installed on a device, the backdoor can fetch additional malicious plugins and give the attackers access to the victim's computer.

Once the trojan is on the system, threat actors can use it to deploy other types of malware such as ransomware, steal data, or exfiltrate it. Golden Eggs, the threat group behind this malware, sold it as Malware-as-a-Service (MaaS) for its customers to use.

What are LNK files?

LNK is the filename extension for Windows shortcuts to local files. An LNK shortcut provides quick access to an executable file (.exe) without the user having to navigate to the program's full path.

Files in the Shell Link Binary File Format (.LNK) contain metadata about the target file, including the original path to the target application.

Windows uses this data to support application launching and linking scenarios and to store a reference from an application to its target file.

We all use LNK files as shortcuts on the Desktop and in the Control Panel, the Task Menu, and Windows Explorer.

Malware Can Lurk in Your Weakest LNK

Because LNK files offer a convenient way to open a file, threat actors can use them to deliver script-based threats. One such method relies on PowerShell.

PowerShell is a powerful command-line shell and scripting language developed by Microsoft. Because PowerShell can run unobtrusively in the background, it gives attackers a convenient place to hide malicious code, and many cybercriminals have taken advantage of this by launching PowerShell scripts from LNK files.

This type of attack is not new. LNK-file exploits were prevalent back in 2013 and remain an active threat today. Recent examples include using this method to embed malware in COVID-19-related documents or attaching a ZIP file containing a disguised PowerShell virus to a phishing email.

A graph of LNK-file exploits

How Cybercriminals Use LNK Files for Malicious Purposes

Threat actors can sneak a malicious script into the PowerShell command in the LNK file's target path.

In some cases, you can see the code under Windows Properties:

A screenshot of the Windows Properties dialog box with malicious script in the target text input field

But sometimes the issue is harder to spot:

A screenshot of the Windows Properties dialog box with a harmless-looking file path to the command executable

The target path looks harmless. However, a long run of whitespace follows the Command Prompt executable (cmd.exe). Because the "Target" field displays only 260 characters, the full command is visible only in an LNK analysis tool. Malicious code has been stealthily inserted after the whitespace:

Windows command prompt showing hidden malicious code

As soon as the user opens the LNK file, the malware infects the computer, in most cases without the user realizing anything is amiss.

How Deep CDR Can Prevent LNK File Attacks

Deep CDR (Content Disarm and Reconstruction) protects your organization from threats hidden inside files. Our threat prevention technology assumes that every file entering your network is malicious, then deconstructs, sanitizes, and rebuilds each file with all suspicious content removed.

Deep CDR removes all harmful cmd.exe and powershell.exe commands present in LNK files. In the LinkedIn job-offer example above, the infected LNK file was hidden inside a ZIP archive. Deep CDR processes multiple levels of nested archives, detects infected components, and removes harmful content. As a result, the malware is neutralized and can no longer execute from the safe-to-consume files.
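The following Python script is an added example, not OPSWAT's code and not Deep CDR's implementation. It parses the Shell Link header and StringData fields described under "What are LNK files?", reconstructs the full command that the 260-character Target box truncates (the whitespace-padding trick shown in the screenshots above), and strips the command-line arguments as a crude disarm step of the kind described for Deep CDR. The .lnk bytes it inspects are constructed inside the script, with a harmless placeholder standing in for a real payload; the function names, the 20-character whitespace threshold and the interpreter list are the example's own choices, and the script decodes StringData only, skipping the LinkTargetIDList and LinkInfo sections that a full parser would also inspect.

```python
# Added example (not OPSWAT/Deep CDR code): parse MS-SHLLINK StringData, flag the
# whitespace-padding trick from the post, and strip the hidden arguments.
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
# LinkFlags bits (MS-SHLLINK 2.1.1) that govern what follows the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields in on-disk order; each is present only when its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
TARGET_FIELD_LIMIT = 260  # characters shown in the Properties "Target" box
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, the decoded StringData fields and each section's byte range.
    The LinkTargetIDList and LinkInfo are skipped over, not decoded."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, sections, strings = HEADER_SIZE, {}, {}
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize does not count itself
        size = struct.unpack_from("<H", data, pos)[0]
        sections["id_list"] = (pos, pos + 2 + size)
        pos += 2 + size
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts the whole structure
        size = struct.unpack_from("<I", data, pos)[0]
        sections["link_info"] = (pos, pos + size)
        pos += size
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        start = pos + 2
        if flags & IS_UNICODE:
            end = start + count * 2
            strings[name] = data[start:end].decode("utf-16-le")
        else:
            end = start + count
            strings[name] = data[start:end].decode("cp1252", errors="replace")
        sections[name] = (pos, end)
        pos = end
    sections["extra_data"] = (pos, len(data))
    return {"flags": flags, "strings": strings, "sections": sections}


def triage_lnk(data: bytes) -> list:
    """Findings for the tricks the post describes: interpreter target, padding, truncation."""
    strings = parse_lnk(data)["strings"]
    target = strings.get("relative_path") or strings.get("working_dir") or ""
    args = strings.get("arguments", "")
    findings = []
    hits = [i for i in INTERPRETERS if i in f"{target} {args}".lower()]
    if hits:
        findings.append("launches a script interpreter: " + ", ".join(hits))
    pad = re.search(r"\s{20,}", args)
    if pad:
        findings.append(f"{len(pad.group())} consecutive whitespace characters in arguments")
    if len(target) + 1 + len(args) > TARGET_FIELD_LIMIT:
        findings.append("command exceeds the 260-character Target display; its tail is hidden")
    return findings


def disarm_lnk(data: bytes) -> bytes:
    """Copy of the link with COMMAND_LINE_ARGUMENTS removed and HasArguments cleared."""
    info = parse_lnk(data)
    if "arguments" not in info["sections"]:
        return data
    start, end = info["sections"]["arguments"]
    header = bytearray(data[:HEADER_SIZE])
    struct.pack_into("<I", header, 20, info["flags"] & ~HAS_ARGUMENTS)
    return bytes(header) + data[HEADER_SIZE:start] + data[end:]


def _string_data(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed input: a Unicode shell link with no IDList or LinkInfo, only StringData."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))  # attributes, timestamps, etc. zeroed
    return (header + _string_data(relative_path) + _string_data(r"C:\Windows\System32")
            + _string_data(arguments) + struct.pack("<I", 0))  # TerminalBlock


# Harmless placeholder stands in for a real payload; the 300 spaces push it past what
# the Properties dialog shows, as in the screenshots above.
HIDDEN_ARGS = "/c " + " " * 300 + 'powershell.exe -NoProfile -Command "Write-Output PLACEHOLDER"'

if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe", HIDDEN_ARGS)
    print(*triage_lnk(sample), sep="\n")
    print("after disarm:", triage_lnk(disarm_lnk(sample)))
```

Run as-is, the script reports three findings for the padded sample (a cmd.exe/powershell target, a 301-character whitespace run, and a command longer than the 260 characters the Target box shows) and, after disarming, only the interpreter target remains, because clearing the arguments leaves a shortcut that points at cmd.exe with nothing to run. A production sanitizer would go further and rewrite or drop the link entirely; clearing one StringData field is enough here to show how the format makes the hidden command recoverable and removable.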

Additionally, OPSWAT lets users combine multiple proprietary technologies for extra layers of protection against malware. One example is Multiscanning, which scans simultaneously with 30+ anti-malware engines (using AI/ML, signatures, heuristics, etc.) to achieve detection rates approaching 100%. By comparison, a single AV engine on average detects only 40%–80% of viruses.

Learn more about Deep CDR, Multiscanning, and other technologies, or talk to an OPSWAT expert to find the best security solution to protect against zero-day attacks and other threats from advanced evasive malware.
