Understanding How .LINK Files Work

Malicious actors keep us on our toes as they move from executables (.EXE) and scripts files to .LNK file to sneak in their payloads. With email servers routinely configured to reject attachments with file extensions like .exe, .pif, and .com, attackers have gotten more creative with their deception techniques.

From Locky to Kovter, the most popular of ransomware is getting in on the .LNK fun. After all, an attack is only as good as the size of its impact.

What is .LNK Files? Understanding Their State

Attackers have moved to script based droppers to bypass the restrictions on email servers by deploying Microsoft JScript (.js), VisualBasic Script (.vbs), and Microsoft Office files that use macros (.doc/.xls). Using .LNK files is a further progression of this type of evasion since traditionally it is not blocked.

However, this is no longer flying under the radar. Even email giants like Gmail have taken note of the shift and actively block files with .JS extensions. With protections being put in place, JavaScript developers are facing challenges when creating harmless scripts.

Unlike scripts, .LNK files are not traditionally thought of as code. The Windows shortcut file is an easy way to open a file located elsewhere on the filesystem. Yet, attackers are still leveraging it to craft malicious files.

Windows Shortcut File
Example of a shortcut file:
Original file (left) and Windows Shortcut File with arrow (right)

Methods for Using Windows Shortcut File or .LNK

Windows shortcut files are not only valued for deception capabilities, but also for the flexibility in delivering malicious payloads. .LNK can be used to:

  1. Run CodeIn the case of Stuxnet (CVE-2010-2568 and MS10-046), the .LNK files were used to start running the Stuxnet code. The only requirement was that the icon simply appeared, whether from an infected USB drive, a network share, malicious website, or packaged into a document. Even without clicking on the icon, it was able to deliver the malware’s payload.
  2. Bypass Email Filtration.LNK files used in phishing attacks are typically pointed to Windows components.
    When given a specific set of command line parameters, the file will execute a malicious payload. Windows components that have been used, include:

    • powershell.exe
    • regsvr32.exe
    • rundll32.exe
  3. Assist Penetration Testers Tools have been created by penetration testers to craft malicious .LNK files. By using this method, they can launch Meterpreter, Powershell, Empire, and others.

Recent Windows Shortcut Attacks You Should Watch For

It’s likely that we will begin to see more threats leveraging the Windows shortcut. For now, you should be aware of the most recent attacks:

Japanese-Centric Threat
Snake Wine is a highly adaptable threat that uses a batch of .LNK files contained inside similarly password-protected ZIP files. Once the .LNK files are opened, a PowerShell command downloads and executes an additional payload.

PowerDuke Post-Election Spear Phishing Campaign
In a multi-wave attack, this phishing campaign leveraged the election to lure in victims with spoof eFaxes and malicious documents citing truths about election rigging, how results could be revised, and why elections are flawed.

Detecting and Stopping .LNK Files

Since .LNK files are typically considered benign, detecting malicious files of this type can be challenging. Traditional signature-based detection is no match considering attackers can make easy modifications to evade detection.

This file format can even outsmart next-generation machine learning static-based engines. Since machine-learning engines build models of each file from scans, they allow the .LNK file to run if a model doesn’t already exist.

Attackers know that to be successful they have to find a way around email and file scanning security. That’s why .LNK has seen a rise in popularity. Fortunately, SentinelOne’s behavior-based detection is able to identify and stop attacks regardless of the file type.