Shortcuts as entry points for Malware part 3

In this final piece of our research on Windows shortcuts, we demonstrate another sneaky technique for injecting any kind of file into a shortcut, with no limit on file size.

The goal, again, is to demonstrate the real dangers of .LNK files (Microsoft Shortcuts), which are wrongly considered to be safe by common users.

A little reminder: a Windows shortcut is a binary file with the extension .LNK (Link File). Shortcuts are generally used to redirect one file to another, such as launching a program from your Desktop that is installed elsewhere on your system.

Less frequently, as we discussed in one of our previous papers, you can also execute shell commands through the shortcut, a good feature for users to create little automated tasks - but also an opportunity for hackers.

For whatever reason, Microsoft has also made it easy for a shortcut to borrow any icon found on your system, so the file can be made to appear more attractive and less dangerous.

In our first example, we demonstrated how to inject a very small file inside the shortcut itself by using a bug that allowed us to bypass the shortcut command line’s maximum length (normally set at 255 characters).

Indeed, it is possible to inject a byte-encoded file, which is then extracted and executed by a simple Visual Basic script hosted in the shortcut’s argument field.

With this method we discussed previously, there are three major disadvantages:

Because of the above disadvantages, we decided to write a final article about “exploiting” Windows shortcuts to host malware.

This time, the injected file (which we’ll call the “payload”) is not stored on the shortcut command line but at the end of the shortcut’s physical file, and is encoded.

By appending the payload at the very end of the shortcut, we bypass our biggest previous constraint: file size. This way, we are no longer limited.

The shortcut’s command line only has to detect the payload signature and extract the payload (from the shortcut itself) to a temporary file. Once extracted, the payload is finally decoded and executed.

The below code (Python 3) demonstrates this technique. With this script, you can generate a new Windows shortcut and inject the malicious file in the generated shortcut.


How it works:

First off, to encode the payload (desired file to inject), we choose to use the famous base64 encoding.

This allows us to inject the whole file at the end of the shortcut without any carriage returns or special characters (crucial for the next part).

In a second pass, we generate the malicious command to extract the embedded encoded payload from our future malicious shortcut file.

To do that, we need two native utilities:

The first part of the malicious command line is to search the payload inside the shortcut file using the findstr command line tool. 

Findstr searches a file for a pattern and, when a line matches, returns the full matched line.

We then redirect the output buffer (containing the matched line with our encoded payload) to a temporary file.

The pattern (flag) is simply the first characters of the encoded payload, most of the time something like: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA for W32 PE files.

After payload extraction, we just need to use the certutil tool to decode the file back to its original format and execute it.

Now that we have our malicious command line, we can generate the shortcut using the power of Python, assign (in our example) the Notepad application icon, and finally, append the encoded payload string at the end of the new malicious shortcut.

That’s it!

However, there are two little constraints to this technique:

The output shortcut name must not change - otherwise the command line won’t be able to locate itself on the current path.

Finally, you must not edit the shortcut after it’s been generated. Otherwise, Windows will regenerate the file and you will lose the embedded payload.
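Because the payload sits after the end of the shortcut's own data, the layout described above is straightforward to check for. The following triage script is an added example, not code from the original article: it walks the shell link structure (per the MS-SHLLINK layout) to find where the link legitimately ends, then reports any bytes stored after it, whether they contain a long base64 run that decodes to an MZ header, and whether the link body names findstr or certutil. The two sample links, the function names and the 64-character run threshold are constructed assumptions.

```python
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}")  # long unbroken base64 run (assumed threshold)

def lnk_structure_end(data: bytes) -> int:
    """Offset just past the ExtraData terminal block (MS-SHLLINK layout)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    try:
        if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & 0x02:  # HasLinkInfo: 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & 0x80 else 1  # IsUnicode
        for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # name, relpath, workdir, args, icon
            if flags & bit:
                pos += 2 + struct.unpack_from("<H", data, pos)[0] * width
        while True:  # ExtraData blocks; a size below 4 is the terminal block
            size = struct.unpack_from("<I", data, pos)[0]
            if size < 4:
                return pos + 4
            pos += size
    except struct.error:
        raise ValueError("truncated shell link structure") from None

def inspect_lnk(data: bytes) -> dict:
    """Report bytes stored after the link structure and what they look like."""
    end = lnk_structure_end(data)
    run = B64_RUN.search(data, end)  # only look past the structure's end
    head = base64.b64decode(run.group()[:64]) if run else b""
    body = data[:end].lower()
    tools = [t for t in ("findstr", "certutil")
             if t.encode() in body or t.encode("utf-16-le") in body]
    return {"trailing_bytes": len(data) - end, "base64_run": len(run.group()) if run else 0,
            "decodes_to_pe": head.startswith(b"MZ"), "tools_in_link": tools}

def _sample(args: str, tail: bytes) -> bytes:
    # Constructed, non-functional link: header, arguments string, terminal block.
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0xA0).ljust(76, b"\0")
    string = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + string + b"\0\0\0\0" + tail

CLEAN = _sample("/a", b"")
SUSPECT = _sample("findstr certutil placeholder", b"\r\n" + base64.b64encode(b"MZ" + bytes(120)))
```

A shortcut written by Windows ends at the terminal block, so any non-zero `trailing_bytes` value is worth a closer look even when the appended data is not base64.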

If you have a better way to locate the malicious shortcut without a static name, let us know in the comments.

License Creative Commons

2018/06/08 08:28 - Malware