Windows Shortcut (LNK) Malware Strategies

Source: Unit 42

Author: Haizhou Wang, Ashkan Hosseini, Ashutosh Chitwadgi

URL: https://unit42.paloaltonetworks.com/lnk-malware/

ONE SENTENCE SUMMARY:

Attackers increasingly exploit Windows LNK files, using varied techniques such as exploits, malicious file execution, and embedded scripts for malware delivery.

MAIN POINTS:

1. Malicious LNK samples surged from 21,098 in 2023 to 68,392 in 2024.
2. LNK files act as shortcuts to other files, applications, or folders in Windows.
3. Attackers abuse LNK flexibility, disguising malware as legitimate files to trick users.
4. Four types of LNK malware: exploit execution, malicious file execution, in-argument scripts, and overlay content execution.
5. Most malicious LNK files contain LINKTARGET_IDLIST, RELATIVE_PATH, or COMMAND_LINE_ARGUMENTS structures.
6. Common system targets abused include powershell.exe, cmd.exe, rundll32.exe, conhost.exe, and mshta.exe.
7. COMMAND_LINE_ARGUMENTS can embed malicious scripts directly within LNK files.
8. Overlay content execution techniques involve find/findstr, mshta, or PowerShell commands.
9. CVE-2010-2568 vulnerability is notably exploited using corrupted LNK binaries.
10. Users should carefully inspect LNK file properties, especially target paths, to detect malware.

TAKEAWAYS:

1. Windows users should be cautious and verify LNK files’ properties before execution.
2. Cybersecurity teams must understand LNK malware techniques to enhance defenses.
3. Palo Alto Networks products offer protection against various LNK-based attacks.
4. Overlay content execution techniques are increasingly used to hide malicious payloads.
5. Awareness of common system targets and malware structures significantly aids malware detection.