Windows Shortcut (LNK) Malware Strategies
Summary:
Attackers are increasingly leveraging Windows shortcut files to deliver malware, with malicious LNK samples rising from 21,098 in 2023 to 68,392 in 2024, indicating a clear surge in adoption by threat actors. LNK files, used to quickly access files, folders, or applications without navigating deep directory structures, can be easily abused due to their flexibility. Attackers disguise these LNK files with familiar icons and names, making them appear legitimate to trick users into execution. LNK malware typically falls into four main categories: exploit execution, malicious file execution, in-argument script execution, and overlay content execution.
In exploit execution, attackers abuse vulnerabilities such as CVE-2010-2568 with malformed LNK structures that trigger code execution as soon as a user opens the containing folder, so no click on the shortcut is needed. Malicious file execution involves LNK files that point to malware already on disk or that invoke system utilities such as PowerShell, cmd.exe, rundll32.exe, and wscript.exe to run hidden payloads; this category made up a significant portion of Palo Alto's dataset. In in-argument script execution, attackers embed the malicious script in the LNK file's command-line arguments, obfuscating it with Base64 encoding, environment variable substitution, and randomly inserted escape characters to evade detection; PowerShell and cmd.exe were the interpreters in over 80% of these cases.
Overlay content execution involves appending malicious scripts or binaries to an otherwise legitimate-looking LNK file and then extracting and running them, for example with find/findstr to carve out an embedded script, with mshta.exe to execute an HTA appended to the file, or with PowerShell's built-in functions to locate, decode, and run the payload. The overlay approach lets attackers hide malware inside the LNK file without breaking it, because Windows ignores data appended after the shortcut structure during normal use; these techniques accounted for about 95% of the overlay execution cases in Palo Alto's analysis. The LINKTARGET_IDLIST, RELATIVE_PATH, and COMMAND_LINE_ARGUMENTS fields are the key indicators when identifying malicious activity, since they direct the execution path and supply the malicious arguments, and at least one of them is present in over 99% of the malicious samples analyzed.
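The fields named above (RELATIVE_PATH and COMMAND_LINE_ARGUMENTS in the StringData section, LINKTARGET_IDLIST before it) and the overlay region after the shortcut structure can both be recovered by walking the MS-SHLLINK layout. The following Python script is an added triage example, not code from the Unit 42 write-up: it parses the shell link header, skips LinkTargetIDList and LinkInfo, reads the StringData fields, walks the ExtraData blocks to the TerminalBlock, and treats any remaining bytes as an overlay. It then applies the simple heuristics this page describes (abused system utilities in the target or arguments, Base64-encoded PowerShell, caret or environment-variable obfuscation, unusually long arguments, appended data). The 260-character argument threshold and the list of utility names are assumptions chosen for illustration, and build_lnk constructs minimal test shortcuts rather than using real samples.

```python
"""Parse a Windows shell link (.lnk, MS-SHLLINK) and flag traits associated
with malicious shortcuts: suspicious target/arguments and appended overlay."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Utilities named on this page as common LNK loaders (assumed triage list, not exhaustive)
SUSPICIOUS_BINS = ("powershell", "cmd.exe", "rundll32", "wscript", "cscript",
                   "mshta", "conhost", "forfiles", "findstr")
MAX_ARGS = 260  # assumed threshold for "unusually long arguments"


def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData
    and return the StringData fields plus whatever bytes trail the structure."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) then the IDList incl. TerminalID
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize counts the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "NAME_STRING"), (HAS_RELPATH, "RELATIVE_PATH"),
                       (HAS_WORKDIR, "WORKING_DIR"), (HAS_ARGS, "COMMAND_LINE_ARGUMENTS"),
                       (HAS_ICON, "ICON_LOCATION")):
        if flags & flag:        # CountCharacters (2 bytes) then the characters, no NUL
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                fields[name] = data[pos:pos + n].decode("latin-1")
                pos += n
    while pos + 4 <= len(data):  # ExtraData blocks; TerminalBlock has BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    return {"flags": flags, "fields": fields,
            "structure_end": pos, "overlay": data[pos:]}


def assess(parsed: dict) -> list:
    """Return human-readable findings for an analyst; an empty list means nothing stood out."""
    findings = []
    f = parsed["fields"]
    target = " ".join(f.get(k, "") for k in ("RELATIVE_PATH", "COMMAND_LINE_ARGUMENTS")).lower()
    hits = [b for b in SUSPICIOUS_BINS if b in target]
    if hits:
        findings.append("target/arguments reference " + ", ".join(hits))
    args = f.get("COMMAND_LINE_ARGUMENTS", "")
    if len(args) > MAX_ARGS:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    if re.search(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", args, re.I):
        findings.append("Base64-encoded PowerShell command in arguments")
    if args.count("^") >= 3 or re.search(r"%[A-Za-z_]+:~\d+,\d+%", args):
        findings.append("escape-character or environment-variable substring obfuscation")
    if parsed["overlay"]:
        findings.append(f"{len(parsed['overlay'])} bytes appended after the shortcut structure (overlay)")
    return findings


def build_lnk(relative_path: str, arguments: str, overlay: bytes = b"") -> bytes:
    """Construct a minimal shell link for testing (constructed data, not a real sample):
    header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS + TerminalBlock + optional overlay."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, icon, hotkey zeroed

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    benign = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")
    print("benign:", assess(parse_lnk(benign)))
    # Constructed sample: cmd.exe launching encoded PowerShell, with data appended
    bad = build_lnk(r"..\..\Windows\System32\cmd.exe",
                    "/c powershell -w hidden -enc " + "A" * 64, b"<html>constructed overlay</html>")
    for finding in assess(parse_lnk(bad)):
        print(" -", finding)
```

Pointing parse_lnk at a shortcut read in binary mode gives the same "Target" and arguments an analyst would see in the Properties dialog, plus the overlay length that the dialog never shows; the heuristics are deliberately coarse and meant to prioritise files for manual review, not to replace it.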
Security Officer Comments:
Notably, attackers often use system utilities to get around restrictions on direct execution: for example, running hidden scripts through cmd.exe with embedded PowerShell commands, or using conhost.exe to keep the script's console window out of the user's view. They may also use tools such as forfiles to search for files and run malicious commands against the matches, further extending the LNK's capabilities as a malware loader. Overlay techniques typically carry encoded payloads, such as PE binaries, HTA files, or PowerShell scripts, that are extracted and executed at runtime, often together with a persistence mechanism.
Suggested Corrections:
To mitigate these threats, users should inspect LNK files before opening them, in particular by right-clicking the shortcut, opening Properties, and reviewing the "Target" and "Start in" fields for unusual paths, long arguments, or references to system utilities. Organizations are encouraged to enforce policies that restrict LNK execution from suspicious directories, apply macro and script execution restrictions, and block commonly abused system utilities where feasible.
Link(s):
https://unit42.paloaltonetworks.com/lnk-malware/