Shortcut-based (LNK) attacks delivering malicious code on the rise

Cybercrime Intelligence

Malware, Cybercrime, Powershell

Shortcut-based (LNK) attacks delivering malicious code on the rise

Cybercriminals are always looking for innovative techniques to evade security solutions. Based on the Resecurity® HUNTER assessment, attackers are actively leveraging tools allowing them to generate malicious shortcut files (.LNK files) for payload delivery.

Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500's worldwide, has detected an update to one of them most popular tools used by cybercriminals. The tool in question generates malicious LNK files, and is so frequently used for malicious payload deliveries these days. 

MLNK Builder has emerged in Dark Web with their new version (4.2), and the updated feature-set focuses on AV evasion and masquerading with icons from legitimately popular applications and file formats.

bypass windows defender mlnk v4.2 docx pdf encryption

The noteable spike of campaigns involving malicious shortcuts (LNK files) conducted by both APT groups and advanced cybercriminals was detected in April-May this year – Bumblebee Loader and UAC-0010 (Armageddon) targeting EU Countries described by CERT UA

Malicious shortcuts continue to give hard times to network defenders, especially when combating global botnet and ransomware activity, using them as a channel for multi-staged payload deliveries.

According to experts from Resecurity, the existing MLNK Builder customers will receive an update for free, but the authors have also released a “Private Edition” which is only available to a tight circle of vetted customers, it requires an additional license costing $125 per build.

mlnk v4.2 private stub windefender bypass smartscreen uac

The updated tool provides a rich arsenal of options and settings to generate malicious files to appear as legitimate Microsoft Word, Adobe PDF, ZIP Archives, images .JPG/.PNG, audio MP3 and even video .AVI files. as well as more advanced features to obfuscate malicious payload.

mlnk mlink private edition builder malicious tool hacker payload delivery

Bad actors continue to develop creative ways to trick detection mechanisms enabeling them the successful delivery of their malicious payloads – by leveraging combinations of extensions and different file formats, as well as Living Off the Land Binaries (LOLbins).

The most actively used malware families leveraging LNK-based distribution are TA570 Oakboat (aka Qbot), IcedID, AsyncRAT and the new strain of Emotet. The most recent Qakbot distribution campaign also included malicious Word documents using the CVE-2022-30190 (Follina) zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

Some notable campaigns have been detected in April-May 2022. The cybercriminal activity utilized related APT attacks targeting private and public sectors:

- UAC-0010 (Armageddon) Activity targeting EU Countries

The bad actors are using malicious LNK files in a combination with ISO (via extension spoofing) to confuse the antivirus logic and endpoint protection solutions. It’s interesting to note how well-known products in the industry are not able to properly detect and analyze them.

What is the LNK file?

Shell Link Binary File Format, which contains information that can be used to access another data object. The Shell Link Binary File Format is the format of Windows files with the extension ".LNK".

LNK is a filename extension for shortcuts to local files in Windows. LNK file shortcuts provide quick access to executable files (.exe) without the users navigating the program's full path.

Files with the Shell Link Binary File Format (.LNK) contain metadata about the executable file, including the original path to the target application.

Windows uses this data to support the launching of applications, linking of scenarios, and storing application references to a target file.

We all use .LNK files as shortcuts in our Desktop, Control Panel, Task Menu, and Windows Explorer

Why attackers use LNK file

Such files typically look legitimate, and may have an icon the same as an existing application or document. The bad actors incorporate malicious code into LNK files (e.g. Powershell scenario) allowing the execution of the payload on the target machine.

malicious lnk files executed powershell downloader malware compressed zip file
The process of a malicious .LNK

Let’s review a sample of a malicious LNK file in more detail:

malicious lnk attackers file malware
The malicious .LNK file

In this example, PowerShell code was embedded inside the file which will be executed after the victim clicks on the LNK file. We have examined the structure of the file using Malcat:

powershell embedded code inside malicious victim malcat structure
PowerShell code embedded inside the file

You can see the PowerShell scenario embedded in the file:

PowerShell scenario embedded malicious code lnk file hacker
PowerShell scenario embedded

The logic of the scenario allows to bypass the execution policy and download the file from external resource and execute it:

bypass execution policy download file external resource execute malicious code
Bypassing the execution policy

We observed a campaign that delivered Bumblebee through contact forms on a target’s website. The messages claimed that the website used stolen images and included a link that ultimately delivered an ISO file containing the malware.

Resecurity attributed this campaign to another threat actor the company tracks as TA578 and has done since May 2020. TA578 uses email campaigns to deliver malware like Ursnif, IcedID, KPOT Stealer, Buer Loader, and BazaLoader, as well as Cobalt Strike.

Our researchers detected another campaign in April that hijacked email threads to deliver the Bumblebee malware loader in replies to the target with an archived ISO attachment.

LNK file executes DLL malware protected hacker malicious shortcut
LNK file executes DLL malware file

So, we can extract the hidden file with pass, we can see that in the next figure.

extracting hidden file pass malicious code
Extracting the hidden file with pass

After that we can examine the .ISO contents which includes a document file (.LNK file) and namr.dll file, we can then further analyze the .LNK file, shown in the next figure.

analyzing malicious lnk shortcut file
Analyzing the malicious .LNK file

From the previous figure, we identify how the .LNK file contains a command to execute the .DLL file.

How Attackers Generate Malicious LNK Files?

Attackers can generate malicious shortcuts via tools available for sale in the Dark Web. One such tool is advertised in a Telegram channel “ | Products & Software | Exploit " called mLNK builder – it grants the ability to convert any payload into a .LNK file format.

generation malicious shortcut files exploits software products native one hacker
Generation of malicious shortcut files

Cybercriminals can purchase mLNK builder by using one of the three available plans, starting from a one month to 3 month plan and then a private option (providing unique stub).

purchase mlnk builder plan software malicious hacker
Purchasing the mLNK builder

The price of the tool starts from $100 (per month) with the option to evade Windows Defender, Smart Screen and UAC:

mLNK tool evades Windows Defender Smart Screen UAC
mLNK tool evades Windows Defender, Smart Screen & UAC

The features of the mLNK builder include bypassing the following solutions:

  1. Windows Defender
  2. Windows Defender Memory
  3. Windows Defender Cloud Scanner
  4. Smart Screen Alert
  5. AMSI and MUCH MORE!

windows defender memory cloud scanner screen alert amsi
The features of mLNK

After buying the tool, the author of the tool will send you text file containing the credential to login.

text file credentials login software malicious LNK builder
The text file containing credentials to login

After we opened the link we found this page, we must enter the credentials which were sent by the author, after registering the tool will downloaded.

token register download malicious lnk builder software tool
Token registration

Recently they published a new version of the tool, it will be free to all the old users, it now also contains new ICONs like Documents and PDF as we will see in this report.

bypass amsi mlnk private public docx hacker malicious tool

pdf html builder download injected windows defender bypass malicious tool

The analysis of the tool

Here we can see the analysis of the tool, we can see there are two functions.

malicious lnk builder tool software functions analyzing
Analyzing the malicious tool

When examining the sub_401350, we can see how the tool use ShellExcuteA to execute the PowerShell code. This PowerShell communicates with C&C, we can see that in the next figure.

powershell communications c&c shellexcutea
PowerShell communicates with C&C

After downloading the binary from C&C, we can decode the payload by using the base64 decoder, then use ASE decryption to decrypt the payload, we can then see the process the tool follows to decrypt the payload,

  1. Downloading the payload from “https://native-one[.]com:4200/client_auth
  2. Gets 'BHDAU532BKPXTGB89G3JK6KKDSZDY8SM' converts to bytes and computes sha1 and convert to hex string returns first 32chars of hexstring(aeskey) == fc002b88fa5ccd51bfabd8c753e8aa3d
  3. coverts downloaded payload each hex XX to an array of decimal values and get the first 16 and uses it as IV for AES
  4. Decryption AES CBC 256 key == fc002b88fa5ccd51bfabd8c753e8aa3d (32bytes each char 1 byte) IV == 9042766da089753480c479e2b342862f -fromhex(16bytes).

ase decryption payload binary c&c base64 decoder
Using ASE decryption on the payload

After decrypting the payload, we got a second PowerShell code that’s used to validate the credentials, we can see that in the next figure.

decrypt payload powershell code credentials malicious hacker tool lnk builder
Decrypting the payload reveals second PowerShell code

After executing the tool, the email and password used to register is required once again, we can see this in the next figure.

password username login mlnk lnk shortcut builder malicious tool
After executing the tool

We register with the email and password, then we get the GUI for the tool enabling us to start converting payloads into .LNK files, we can see that in the next figure.

malicious shortcut builder pdf tool hacker
GUI after logging in

We can see the folder setup the tool uses which has a Decoders payloads, also we can see the shortcuts for the converted payloads, we can see that in the next figure.

folder tree malicious software tool lnk shortcut builder
We can now see the folder tree

We create four payloads to test detection, after creating the payloads, we start importing them one by one to create shortcuts for them. We test detection by using windows defender and others, we can see importing file into the next figure.

create malicious lnk shortcut file payload
Creating four payloads to test detection

After that we can build the decoder and we can see that in the next figure.

malicious hacker software create bad lnk shortcut files
Building the decoder

After decoding the payload, it will save in the Decoders folders, we can see that in the next figure.

decoder creation save location malicious shortcut lnk file
Saved in decoders folder

And after that we can import the URL of decoded payload and create the .LNK, we can see that in the next figure.

payload creation detection testing mlnk lnk shortcut malicious hacker tool software
Creating four payloads to test detection

Now, we can build the .LNK file, we can see that in the next figure

building using creating malicious shortcut lnk file
Building the malicious .LNK (shortcut) file

Finally, we can see the .LNK file in the shortcut folder, we can see that in the next figure.

creation location malicious hacker lnk shortcut file tool
After the creation of the file, we can see the location

So, now we can examine the target file and see how the .LNK file was created, we can see that in the next figure.

examining target file creation malicious lnk shortcut file
Examining the target file to see how it was created

From the previous figure, we can see how the target contains PowerShell code. Now, we want to test the detection of the payload.

The attackers recently generated a new .LNK file with the PowerShell ICON, this is not common, the .LNK technique nowadays is widely used as we can see in the below screenshot, this is a PowerShell .LNK containing a new stage of the malware.

powershell icon lnk technique attacker malware

As observed, the newest version of mLNK Builder demonstrated very low detection rates by popular antivirus products which increases the effectiveness of the malicious .LNK files in cyber-attacks.

Recently we found qabot was using the LNK technique.

obama187 - .html > .zip > .img > .lnk > .dll

as we can see there are two files the LNK file will run the dll file

qabot lnk technique obama187 html zip img ink dll

Here we can see the LNK command
“rundll32.exe scanned.dll,DllUnregisterServer”

scanned documnets rundll32 system32

Also, we observed how Bumblebee used the LNK technique
via OneDrive URLs -> IMG -> LNK -> BAT -> DLL recently

bumblebee lnk technique onedrive img lnk bat dll

After we extracted the ISO we found these files, the shortcut was conations, code to run the batch file.

extracted ISO code batch file

As we can see the shortcut contains the code to run the batch file in the screenshot below.

application scanned documents bat inf cmd system32 windows

The batch conations this code to run the DLL library.

run code dll library batch

Also, recently we caught emotet using the technique to run VBS code via the LNK file, as we can see in the below screenshot the LNK file contains the malicious code:

“C:\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Datos-2504.lnk" > "%tmp%\YlScZcZKeP.vbs" & "%tmp%\YlScZcZKSSeP.vbs"”

datos vbs cmd windows system32 lnk

Another SideWinder malware was using LNK

system32 windows application shortcut malicious

It will download a new stage by using this command.

download new stage command

Another sample was related to ICDL malware, it was also using LNK

downloaded stage compressed iso

It contained these files, the document file contains the command to run the DLL library.

document file command dll library malicious code execution hacker mlnk

As we can see here, the command.

rundll32 namr.dll cmd system32 windows application malicious lnk tool hacker

windows system32 cmd command rundll32 namr dll plugininits

Also, we have found a new one related to Matanbuchus. Matanbuchus Loader is a new malware-as-a-service created by a threat actor who references demonic themes in software and usernames.

It appears as a normal file but contains malicious code within it, as we can see in the below screenshot

application system32 malicious code matanbuchus malware

The malicious code will ping a malicious domain to create a new directory “ItF5”, and it will download new file as an image then change it to a new file, and run it.

malicious code ping domain directory ltf5





- UAC-0010 (Armageddon) Activity targeting EU Countries


Keep up to date with the latest cybersecurity news and developments.

By subscribing, I understand and agree that my personal data will be collected and processed according to the Privacy and Cookies Policy

Cloud Architecture
Cloud Architecture
445 S. Figueroa Street
Los Angeles, CA 90071
Google Maps
Contact us by filling out the form.
Try Resecurity products today with a free trial