Source: Unit 42
Author: Haizhou Wang, Ashkan Hosseini, Ashutosh Chitwadgi
URL: https://unit42.paloaltonetworks.com/lnk-malware/
-
ONE SENTENCE SUMMARY: Attackers increasingly abuse Windows LNK (shortcut) files for malware delivery, through four techniques: exploiting LNK parsing vulnerabilities, launching a malicious file, embedding a script in the command-line arguments, and executing content appended to the file as an overlay.
-
MAIN POINTS:
-
Malicious LNK samples surged from 21,098 in 2023 to 68,392 in 2024.
-
LNK files act as shortcuts to other files, applications, or folders in Windows.
-
Attackers abuse the flexibility of the LNK format, disguising malicious shortcuts as legitimate files (for example, with a document icon and name) to trick users into opening them.
-
Four types of LNK malware: exploit execution, malicious file execution, in-argument script execution, and overlay content execution.
-
Most malicious LNK files specify what they launch through the LINKTARGET_IDLIST, RELATIVE_PATH, or COMMAND_LINE_ARGUMENTS structures, so these are the fields to inspect first.
-
Common system targets abused include powershell.exe, cmd.exe, rundll32.exe, conhost.exe, and mshta.exe.
-
The COMMAND_LINE_ARGUMENTS string can carry an entire script (for example, a PowerShell one-liner passed to powershell.exe) inside the LNK file, so no separate payload file is needed.
-
Overlay content execution appends the payload after the end of the LNK structure; the command-line arguments then use find/findstr, mshta, or PowerShell commands to locate the appended content and run it.
-
Exploit execution relies on malformed LNK files, most notably for CVE-2010-2568 (the Windows Shell shortcut-icon vulnerability used by Stuxnet).
-
Users should carefully inspect LNK file properties, especially the Target path, before opening a shortcut; note that the Properties dialog shows at most 260 characters of the target, so attackers pad the arguments with leading whitespace to push the malicious command out of view.
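The structures named above (LINKTARGET_IDLIST, RELATIVE_PATH, COMMAND_LINE_ARGUMENTS) and the overlay technique can be checked offline with a small parser. The following is an added example, not code from the Unit 42 article or from Palo Alto Networks: it walks the MS-SHLLINK layout (header, LinkTargetIDList, LinkInfo, StringData, ExtraData), treats any bytes after the TERMINAL_BLOCK as an overlay, and flags the abuse patterns the article describes. The sample shortcut is constructed inline and is hypothetical; its ItemIDs are simplified placeholders rather than real shell items, and the PowerShell text in the arguments is illustrative and is never executed.

```python
"""Added example: a minimal MS-SHLLINK (.lnk) triage parser. It walks the
header, LinkTargetIDList, LinkInfo, StringData and ExtraData, then treats any
bytes after the TERMINAL_BLOCK as an overlay. The sample file is constructed
here and is not a real malware sample."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# System binaries the article lists as the most commonly abused targets
LOLBINS = ("powershell.exe", "cmd.exe", "rundll32.exe", "conhost.exe", "mshta.exe")
# Commands the article associates with reading an overlay back out of the .lnk
OVERLAY_READERS = ("findstr", "find ", "mshta", "readallbytes", "readalltext", "get-content")
PROPERTIES_TARGET_LIMIT = 260  # Explorer's Properties "Target" box shows at most 260 chars


def _string_data(buf, pos, unicode):
    """Read one StringData entry: CountCharacters (2 bytes) then the string."""
    n = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
    return buf[pos:pos + n].decode("latin-1"), pos + n


def parse_lnk(buf):
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", buf, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", buf, 60)[0],
            "idlist_strings": [], "overlay": b""}
    pos = 0x4C
    if flags & HAS_IDLIST:
        size = struct.unpack_from("<H", buf, pos)[0]
        idlist = buf[pos + 2:pos + 2 + size]
        # Printable runs inside the ItemIDs normally include the target's file name
        info["idlist_strings"] = [m.decode() for m in re.findall(rb"[\x20-\x7e]{4,}", idlist)]
        pos += 2 + size
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", buf, pos)[0]  # LinkInfoSize spans the whole block
    uni = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:
            info[key], pos = _string_data(buf, pos, uni)
    # ExtraData: BlockSize-prefixed blocks; a BlockSize below 4 is the TERMINAL_BLOCK
    while pos + 4 <= len(buf):
        size = struct.unpack_from("<I", buf, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    info["overlay"] = buf[pos:]  # anything past the terminal block is not part of the format
    return info


def triage(info):
    """Return string findings for the abuse patterns the article describes."""
    findings = []
    targets = " ".join(info["idlist_strings"] + [info.get("relative_path", "")]).lower()
    hosts = [b for b in LOLBINS if b in targets]
    if hosts:
        findings.append("lolbin_target:" + ",".join(hosts))
    args = info.get("arguments", "")
    pad = len(args) - len(args.lstrip())
    if pad >= 32:  # leading whitespace pushes the real command out of the Properties view
        findings.append(f"argument_padding:{pad}")
    if len(args) > PROPERTIES_TARGET_LIMIT:
        findings.append(f"arguments_exceed_properties_view:{len(args)}")
    readers = [k.strip() for k in OVERLAY_READERS if k in args.lower()]
    if readers:
        findings.append("overlay_reader_in_args:" + ",".join(readers))
    if info["overlay"]:
        findings.append(f"overlay_bytes:{len(info['overlay'])}")
    if info["show_command"] == 7:  # SW_SHOWMINNOACTIVE: window opens minimized, console stays unseen
        findings.append("show_command:SW_SHOWMINNOACTIVE")
    return findings


def build_sample():
    """Constructed .lnk in the shape of an overlay-execution shortcut (hypothetical, not a real sample)."""
    flags = HAS_IDLIST | HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    # Simplified ItemIDs (real shell items carry more fields); each is size-prefixed, list ends with 0x0000
    items = [b"\x1fdesktop-root", b"\x32" + b"\x00" * 13 + b"powershell.exe\x00"]
    idlist = b"".join(struct.pack("<H", 2 + len(d)) + d for d in items) + b"\x00\x00"
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    args = " " * 300 + ('-w hidden -nop -c "$t=[IO.File]::ReadAllText((Get-ChildItem *.lnk)[0].FullName);'
                        "$h=$t.Substring($t.IndexOf('::HTA::')+7);Set-Content $env:TEMP\\p.hta $h;mshta $env:TEMP\\p.hta\"")
    overlay = b'::HTA::<script language="VBScript">MsgBox "constructed overlay payload"</script>'
    return (header + struct.pack("<H", len(idlist)) + idlist
            + sd(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + sd(r"C:\Users\Public") + sd(args) + b"\x00\x00\x00\x00" + overlay)


if __name__ == "__main__":
    parsed = parse_lnk(build_sample())
    for finding in triage(parsed):
        print(finding)
```

Run it as-is to triage the constructed sample, or call parse_lnk() on the bytes of a real shortcut. The overlay detection depends only on walking the format to its terminal block, so it works regardless of which marker or reader command a given sample uses; the keyword lists are the ones the summary names and should be extended for your own environment.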
-
TAKEAWAYS:
-
Windows users should be cautious with shortcut files and verify an LNK file's properties (target path and arguments) before opening it.
-
Cybersecurity teams must understand LNK malware techniques to enhance defenses.
-
Palo Alto Networks products offer protection against various LNK-based attacks.
-
Overlay content execution, which hides the payload after the end of the LNK structure, is increasingly used.
-
Awareness of common system targets and malware structures significantly aids malware detection.