Video Review A Malicious LNK Stealer Part 1

Content source
https://youtu.be/eBfdrX22fug
Content created by
Ophelia

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
547
Ophelia - The name of an album by one of my fav bands 10 000 Maniacs! Natalie Merchant.

Waiting for part 2. (y)
 

Oerlink

Level 11
Dec 24, 2022
510
Why haven't they improved detection and blocking of LNK files? This threat has been around for at least 6 months to a year.
Malicious shortcut (LNK) files have been around for 20+ years. They are still popular as download cradles.

Windows hardening prevents this sort of malware/attack. Microsoft recommends blocking
Code:
cmd
and
Code:
powershell
by default.

If a user does not have the capacity or inclination to harden and manage their own Windows system, then they need to find a protection method that works for them personally.
 

ErzCrz

Level 14
Verified
Top Poster
Well-known
Aug 19, 2019
691
Not block, but sandbox. It would not block the LNK file itself, by default. It would sandbox the process and scripts executed by the LNK file command line (targets= cmd and xs34).

See the LNK command line at 2:00 in the video.
Thanks and with @cruelsister 's Restricted rule, any network traffic would be blocked or prompted for ;)
 

Oerlink

Level 11
Dec 24, 2022
510
Thanks and with @cruelsister 's Restricted rule, any network traffic would be blocked or prompted for ;)

Of course threat actors can package a LNK file with their executables and social engineer the user into executing the malware with that file.

Generally, in malicious LNK files, the following processes are used to download and execute malware to the system:

Code:
cmd
powershell
cscript
wscript
rundll

There are others, but statistically, these are the most encountered in terms of malicious LNK files.

The above also applies to Office macros and other download cradles, such as OneNote (.one). A Golden Rule to always follow is to assume that ANY widely-used Windows file type will be abused by threat actors. This means anything associated with Office and Adobe. Evidently there were some who were shocked that OneNote (.one) files were being abused. lol, those were on internal block lists for years.

Typically, at enterprise level, protections are put into place to prevent all of this through various methods. But you know, we're talking about unmanaged home users here, and somehow when it comes to that utterly insecure group, it is unacceptable to prevent them from shooting themselves in the foot by default. "Users want to use stuff" and all that nonsense.
 
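The process list above is the kind of thing a defender would want to check shortcuts against before a user double-clicks them. The following is an added example, not code from the thread or from any poster: a minimal Python parser for the Shell Link (.lnk) binary format that reads the header and StringData section (LinkFlags, RelativePath, arguments) and flags shortcuts whose target is one of the download-cradle hosts named in the post (rundll32 being the binary behind "rundll"). The sample .lnk blobs are constructed inline so it runs offline; real-world shortcuts often carry the target in the LinkTargetIDList or LinkInfo structures rather than in RelativePath, which this example skips over rather than decodes, so it is a teaching parser, not a complete scanner.

```python
import struct
import uuid

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader, offset 20).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# Cradle hosts listed in the post; "rundll" is rundll32.exe on disk.
SUSPECT_TARGETS = {"cmd", "powershell", "cscript", "wscript", "rundll32"}


def _read_string(data, pos, unicode_):
    """StringData entry: 2-byte char count, then the characters (UTF-16LE if IsUnicode)."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode_:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252"), pos + count


def parse_lnk(data):
    """Return the StringData fields of a .lnk blob as a dict; raise on a non-LNK header."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed-size header ends here
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # skip LinkInfo: 4-byte total size
        pos += struct.unpack_from("<I", data, pos)[0]
    uni = bool(flags & IS_UNICODE)
    fields = {}
    # StringData entries appear in this fixed order, each only if its flag is set.
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(data, pos, uni)
    return fields


def flag_suspect_shortcut(fields):
    """True when the shortcut's RelativePath names one of the cradle hosts above."""
    target = fields.get("relative_path", "")
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base in SUSPECT_TARGETS


def build_lnk(relative_path, arguments="", name="", unicode_=True):
    """Constructed sample writer: header + StringData only (no IDList, no LinkInfo)."""
    flags = IS_UNICODE if unicode_ else 0
    strings = []
    for flag, value in ((HAS_NAME, name), (HAS_RELATIVE_PATH, relative_path),
                        (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= flag
            strings.append(value)
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    header += b"\x00" * 4                     # FileAttributes
    header += b"\x00" * 24                    # Creation/Access/Write times
    header += struct.pack("<III", 0, 0, 1)    # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL
    header += b"\x00" * 12                    # HotKey, Reserved1, Reserved2, Reserved3
    body = b""
    for s in strings:
        body += struct.pack("<H", len(s))
        body += s.encode("utf-16-le") if unicode_ else s.encode("cp1252")
    return header + body


# Constructed samples (placeholder arguments, no real command lines).
SAMPLES = {
    "benign": build_lnk(r"..\..\Windows\System32\notepad.exe", "", "Notepad"),
    "cradle": build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "-NoProfile -Command <placeholder>", "Invoice"),
    "ansi_cmd": build_lnk("cmd.exe", "/c <placeholder>", unicode_=False),
}


def scan(samples):
    """Map each sample name to whether it would be flagged."""
    return {label: flag_suspect_shortcut(parse_lnk(blob)) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, hit in scan(SAMPLES).items():
        print(f"{label}: {'SUSPECT' if hit else 'ok'}  {parse_lnk(SAMPLES[label])}")
```

Feed `parse_lnk` the bytes of any .lnk picked up from a mail gateway or a Downloads folder; the arguments field is what the video's 2:00 command line would land in, and a hit on `flag_suspect_shortcut` is the signal to quarantine or sandbox rather than let Explorer run it.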

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,477
The standard protection (any AV on default settings) cannot protect well against such attacks in the wild. Even when the attack is detected in the antivirus test, the result is not reliable because most such malware is already dead. In many cases, it successfully managed to bypass AV protection in the wild (when malware was alive). Most malware is short living (from several minutes to several hours).
Also, the Windows built-in protection via AppLocker and WDAC can sometimes be insufficient against LNK malware because they cannot block shortcuts. One can decrease the chances of infection by blocking some LOLBins (especially script interpreters), but it would be impossible to block all LOLBins that can be executed via shortcuts.
Promising prevention can provide Smart App Control (if MOTW is not bypassed) and SRP because they can block shortcuts in unsafe locations.
 

Oerlink

Level 11
Dec 24, 2022
510
The standard protection (any AV on default settings) cannot protect well against such attacks in the wild. Even when the attack is detected in the antivirus test, the result is not reliable because most such malware is already dead. In many cases, it successfully managed to bypass AV protection in the wild (when malware was alive).
AV generally does not even attempt to detect malicious LNK files. Some will detect malicious LNK command lines while most others will deal only with the downloaded or executed malware. Sometimes the behavioral analysis will block any used sponsors from connecting out to the network to download malware. How AVs handle malicious LNK and command lines is all over the place.

Once the malware is downloaded to the system the AVs deal with it as they would any other file downloaded from the internet. If malware is "missed" then that has nothing to do with the LNK file download method. MOTW or not, a default allow has to detect a malicious file to protect the system.

Also, the Windows built-in protection via AppLocker or WDAC can sometimes be insufficient against LNK malware because they cannot block shortcuts.
This is a problem as malicious LNK files are increasingly being delivered to corporate email addresses.

One can decrease the chances of infection by blocking some LOLBins, but it would be impossible to block all LOLBins that can be executed via shortcuts.
Every single LOLBin can be blocked without any issues. Some enterprises do it. Their LOLBin blocklist can include 250+ processes shipped with Windows on workstation and server. That does not include all of the firewall block rules or firewall automation to deny access to any approved process from a particular source IP address. Any problems arise when talking about unmanaged home users who want to use stuff.

I have yet to hear of a single infection caused by LNK method on a properly configured system. Their configurations are layered so that if one layer fails, there is a cascade failover that blocks the attack at the next layer.

New LOLBin discoveries are not frequent. The lists have remained essentially static over the years, with a couple of new processes added to the list every couple of years.

I do not take the perspective that this forum is intended only for home users. What is done at the enterprise level is pertinent to home users because when it comes to Microsoft native security, Microsoft uses the "Hand-Me-Down" security model from enterprise to unmanaged home users. It surprises me that more people are not outraged by this behavior. Microsoft gives unmanaged home users - the most vulnerable and insecure group - the least amount of security by default. This is primarily due to the obsolete dinosaur thinking that "users that want to use stuff" should be allowed to do what they want. That is ridiculous.

Promising remediation can provide Smart App Control (if MOTW is not bypassed) and SRP because they can block shortcuts in unsafe locations.
At least with SRP one can whitelist known, good LNK files and block others by default.
 

Oerlink

Level 11
Dec 24, 2022
510
The sentence "Some enterprises do it" is very important. :)
Most enterprises have ineffective protections altogether. I know that is an absolute, irrefutable fact because I see it daily. They get away with it because:

1. Except for corner cases, they are not liable under current laws and regulations.
2. They will simply pass any expenses, including punitive fines or civil case judgments resulting from breaches, onto clients and consumers.

Ultimately, in society, many things are left up to the person to figure out and decide. For the typical world citizen, one of them is IT security. Given human nature, it is no surprise that most will choose convenience over their own security.

Unmanaged home users are a blight, but it is not their fault. In my view they are hapless victims to "the system" that caters to "users that want to use stuff."
 

cruelsister

Level 41
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,009
Nice vid. Presuming CF would block these?
Thanks! Running the malware with CF onboard would first result in the Containment alert, followed by 3 Firewall alerts (First to download the trigger, second to initiate the stealer mechanism, third for the data exfiltration). In the case of this malware one MUST hit block on ANY of the FW alerts to be protected (blocking the first 2 will stop the malicious cascade and the third would block the data going bye-bye).
 

simmerskool

Level 20
Verified
Well-known
Apr 16, 2017
974
Thanks! Running the malware with CF onboard would first result in the Containment alert, followed by 3 Firewall alerts (First to download the trigger, second to initiate the stealer mechanism, third for the data exfiltration). In the case of this malware one MUST hit block on ANY of the FW alerts to be protected (blocking the first 2 will stop the malicious cascade and the third would block the data going bye-bye).
I did run CF for a few years, but not currently running it, so question: I recall with your recommended settings, the containment was "automatic" or is my recollection frayed? So are you saying that even in Containment you'd still get Firewall alerts that require the user to select block. Maybe I never encountered malware this strong, or if I did, I just don't remember having to manually tell the Firewall to block a connection. I do recall looking at "logs" and finding items listed after the fact that CF could continue to block, or "trust" -- :unsure:
 

cruelsister

Level 41
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,009
I did run CF for a few years, but not currently running it, so question: I recall with your recommended settings, the containment was "automatic" or is my recollection frayed? So are you saying that even in Containment you'd still get Firewall alerts that require the user to select block. Maybe I never encountered malware this strong, or if I did, I just don't remember having to manually tell the Firewall to block a connection. I do recall looking at "logs" and finding items listed after the fact that CF could continue to block, or "trust" -- :unsure:
Thank you for this post! It is appreciated more than you can know, as it reminded me that I had never mentioned another setting that deals with your question, as well as preventing ANY stealer that I am familiar with from doing any damage.

As an example, consider the Stealer that was used in the video. Clicking on the Link malware will start the infection mechanism that begins with the download of the trigger, then the subsequent other two. Although the malware will be automatically contained and will still collect the data from Chrome (the data also being in Containment). But in the absence of the Firewall (or by allowing all of the 3 alerts) the packaged stolen data can still be transmitted out (double-plus Ungood).

However there is something in Firewall settings that can be applied to prevent this without any FW alerts being given, and that is simply by checking the "Do Not Show FW Alerts" and in the drop down box selecting "Block Requests". For the Link malware in the video this stops it cold with no data being harvested. Further this will also stop the bunch of other stealers that are currently circulating including keyloggers. Think maybe a video is called for.

And speaking of settings, there is an easy way to essentially lock down the system to any but totally valid applications without ANY popups. Perhaps this would assist in choosing a simple security solution for Grandma, Grandpa, and disgustedly reprobate children to use.
 

simmerskool

Level 20
Verified
Well-known
Apr 16, 2017
974
Thank you for this post! It is appreciated more than you can know, as it reminded me that I had never mentioned another setting that deals with your question, as well as preventing ANY stealer that I am familiar with from doing any damage.

As an example, consider the Stealer that was used in the video. Clicking on the Link malware will start the infection mechanism that begins with the download of the trigger, then the subsequent other two. Although the malware will be automatically contained and will still collect the data from Chrome (the data also being in Containment). But in the absence of the Firewall (or by allowing all of the 3 alerts) the packaged stolen data can still be transmitted out (double-plus Ungood).

However there is something in Firewall settings that can be applied to prevent this without any FW alerts being given, and that is simply by checking the "Do Not Show FW Alerts" and in the drop down box selecting "Block Requests". For the Link malware in the video this stops it cold with no data being harvested. Further this will also stop the bunch of other stealers that are currently circulating including keyloggers. Think maybe a video is called for.

And speaking of settings, there is an easy way to essentially lock down the system to any but totally valid applications without ANY popups. Perhaps this would assist in choosing a simple security solution for Grandma, Grandpa, and disgustedly reprobate children to use.
Technically I'm in Grandpa mode, but like to pretend I think younger (smarter) than that -- delusions... :unsure:
 
