Lnk File Association



Malware

We have seen an increase in attacks that leverage malicious LNK files that use legitimate apps—like PowerShell—to download malware or other malicious files.

Update as of May 30, 2017, 5:00 AM CDT to update the date referencing Trojan downloaders that used .zip files within .zip files from '2016' to '2017'.

PowerShell is a versatile command-line and shell scripting language from Microsoft that can integrate and interact with a wide array of technologies. It runs discreetly in the background, and can be used to obtain system information without an executable file. All told, it makes an attractive tool for threat actors. There were a few notable instances where cybercriminals abused PowerShell: in March 2016 with the PowerWare ransomware, and in a new Fareit malware variant in April 2016. Because this seemed to be an upward trend, security administrators became more familiar with how to prevent PowerShell scripts from doing any damage.

Lnk

However, cybercriminals are staying ahead of the curve by using alternative means of executing PowerShell script—Windows LNK (LNK) extensions. LNK files are usually seen by users as shortcuts, and used in places like the Desktop and Start Menu. LNK was actually already used as an attack vector as early as 2013. And in early 2017, we noted how Trojan downloaders used a .zip within a .zip to disguise a LNK file attachment that led to the Locky ransomware.

An LNK file is a shortcut or 'link' used by Windows as a reference to an original file, folder, or application similar to an alias on the Macintosh platform. It contains the shortcut target type, location, and filename as well as the program that opens the target file and an optional shortcut key. In this video we show you How to Fix All files converted to.LNKThis video tutorial explains you How to Fix All files converted to.lnk files in your PC Wind.

Lnk File Extension

Now, we’re seeing an increase in attacks that leverage malicious LNK files that use legitimate apps—like PowerShell—to download malware or other malicious files. To illustrate how the trend of using LNK files is rising, note how one single LNK malware (identified by Trend Micro as LNK_DLOADR.*) has had a significant jump in detections since January 2017. The steep rise shows how popular this method is becoming:

SuperUser reader Jez wants to know how to open.lnk files to view the ‘contents’ and edit them if needed: A.lnk file in Windows is an actual file intended to be a shortcut to another file, but I really do want to view the contents of the.lnk file itself. In this video we show you How to Fix All files converted to.LNKThis video tutorial explains you How to Fix All files converted to.lnk files in your PC Wind. Also, all other shortcuts for other applications Pinned to the Taskbar may work fine, thus implying that this is not a Shortcut (.lnk) file association problem. This problem occurs due to missing data in the HKEYCLASSESROOT Folders registry key. The File Explorer pinned shortcut located at the following path is a special shortcut that.

Figure 1. Detected LNK_DLOADR over a 4 month period

Recent LNK-PowerShell and ChChes attacks

In October 2016 we saw attackers using the combination of LNK, PowerShell, and the BKDR_ChChes malware in targeted attacks against Japanese government agencies and academics. The attack used a fake .jpg extension to camouflage the malicious PowerShell file.

Figure 2. Attack used to compromise Japanese targets in October 2016

In January 2017 we spotted the group APT10 (also called MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX) using a similar attack for a wide-spread spear phishing campaign. In this version, the LNK file executes CMD.exe, which in turn downloads a fake .jpg file hiding the malicious PowerShell script.

The group has continued to evolve their cyberespionage activities, and in April 2017 they used a similar strategy to also download BKDR_ChChes, which is a popular malware used in targeted attacks.

New LNK-PowerShell attacks

We identified one campaign, likely still ongoing, that has a new and complicated LNK strategy. These attackers seem to be using several layers of command line, built-in, Windows tools. They send a phishing email with lures that push the victim to “double click for content”, typically a DOCX or RTF file embedded with a malicious LNK. Instead of directly executing PowerShell, the LNK file will execute MSHTA.exe (a file used for opening HTML applications), which executes a Javascript or VBScript code that in turn downloads and executes the PowerShell script. The PowerShell then executes a reverse shell (like Metasploit or Cobalt Strike) to complete the compromise.

Figure 3. Complex LNK attack leveraging MSHTA.exe files

Last month we identified another spear phishing campaign also using a combination of LNK and PowerShell. Unfortunately, the Command and Control (C&C) server where the main payload was stored is no longer accessible.

Their strategy seems to have fewer layers: the LNK file is embedded in a document file and if a user double clicks to open the message, it executes a PowerShell file (or a similar Windows command line tool) to download another script. The other script then downloads the main payload.

Figure 4. A less complicated LNK-PowerShell attack

We believe this specific attack may be politically motivated due to the economic and controversial subject of the decoy document. However, a full analysis is tricky because the trail ends when one of the C&C servers dies. Without the full picture, it is difficult to associate this type of attack to known campaigns.

Hidden LNK commands

In many cases, these malicious LNK files can reveal valuable information about the attacker’s development environment. To help get this information, a quick analysis is possible by viewing the properties of the file.

However, we are encountering cases where the command line argument is so long that it is no longer fully visible in the Properties > Shortcut window. When viewed, only the target application (CMD.exe, MSHTA.exe, and other non-malicious command line applications) is seen.

Figure 5. Only the target application is visible

Our tests revealed that the maximum length for Shortcut > Properties > Target is only 260 characters. Anything longer than that will not be visible. However, the maximum length for a command line argument is 4096 characters.

File

The attacker actually pads several spaces or newline characters before the malicious argument. Using a parser tool reveals that it is much longer (figure 6), though it still works normally:

Figure 6. Padded file hiding malicious code

Attackers take advantage of this to try and disguise or hide the malicious portion of the code. This padding strategy may prevent a quick analysis of a LNK file, but any LNK parser can still extract the arguments without any problem.

Recommendations and best practices

Lnk File Association Fix Windows 7 Download

Malware developers continue to upgrade their tools and look for different ways to deliver their malicious payloads. Leveraging these LNK files is another strategy, but there are ways to prevent and mitigate these threats:

  • Upgrading PowerShell to version 5, which is available as part of the Windows Management Framework and included on Windows 10, is recommended. Using Group Policy to turn on logging makes it easier to check for breaches.
  • Users and enterprises alike should be wary of executable files received through email. Most files ending in *.EXE are auto-rejected on an email server, but if security is a concern then administrators should consider adding *.LNK to the list
  • It is similarly not advisable to open any LNK file received via email (or from anywhere outside your machine).

Lnk File Association Fix Windows 7

To identify if it is a LNK file or not:

Lnk File Structure

  1. If inside an archive (e.g. WinRAR, WinZip), the LNK extension is clearly visible, as well as the “Type” (it says “Shortcut”).
  2. For any Windows folder, you have to modify the registry if you want LNK files to be displayed. A small overlay arrow icon pointing to the upper right is one of the identifiers of a LNK file. Another way to do this: switch the Windows folder to “Details View”, then check the “Type”.
  3. For LNK embedded in Word documents, users have to be aware of these types of attacks to know what to look for. The bottom line is: never open these kinds of documents without verifying the source. If your organization does not need any packager objects, then there is a way to disable the feature totally by editing the registry.

Lnk File Association Fix Windows 10

Trend Micro™ Smart Protection for Endpoints with Maximum XGen™ security infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across user activity and any endpoint—the broadest possible protection against advanced attacks.

Lnk File Association Fix Windows 10

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats, even without any engine or pattern update.