Update as of May 30, 2017, 5:00 AM CDT to update the date referencing Trojan downloaders that used .zip files within .zip files from "2016" to "2017".
PowerShell is a versatile command-line and shell scripting language from Microsoft that can integrate and interact with a wide array of technologies. It runs discreetly in the background, and can be used to obtain system information without an executable file. All told, it makes an attractive tool for threat actors. There were a few notable instances where cybercriminals abused PowerShell: in March 2016 with the PowerWare ransomware, and in a new Fareit malware variant in April 2016. Because this seemed to be an upward trend, security administrators became more familiar with how to prevent PowerShell scripts from doing any damage.
However, cybercriminals are staying ahead of the curve by using alternative means of executing PowerShell script—Windows LNK (LNK) extensions. LNK files are usually seen by users as shortcuts, and used in places like the Desktop and Start Menu. LNK was actually already used as an attack vector as early as 2013. And in early 2017, we noted how Trojan downloaders used a .zip within a .zip to disguise a LNK file attachment that led to the Locky ransomware.
Now, we’re seeing an increase in attacks that leverage malicious LNK files that use legitimate apps—like PowerShell—to download malware or other malicious files. To illustrate how the trend of using LNK files is rising, note how one single LNK malware (identified by Trend Micro as LNK_DLOADR.*) has had a significant jump in detections since January 2017. The steep rise shows how popular this method is becoming:
Figure 1. Detected LNK_DLOADR over a 4 month period
Recent LNK-PowerShell and ChChes attacks
In October 2016 we saw attackers using the combination of LNK, PowerShell, and the BKDR_ChChes malware in targeted attacks against Japanese government agencies and academics. The attack used a fake .jpg extension to camouflage the malicious PowerShell file.
Figure 2. Attack used to compromise Japanese targets in October 2016
In January 2017 we spotted the group APT10 (also called MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX) using a similar attack for a wide-spread spear phishing campaign. In this version, the LNK file executes CMD.exe, which in turn downloads a fake .jpg file hiding the malicious PowerShell script.
The group has continued to evolve their cyberespionage activities, and in April 2017 they used a similar strategy to also download BKDR_ChChes, which is a popular malware used in targeted attacks.
New LNK-PowerShell attacks
We identified one campaign, likely still ongoing, that has a new and complicated LNK strategy. These attackers seem to be using several layers of command line, built-in, Windows tools. They send a phishing email with lures that push the victim to “double click for content”, typically a DOCX or RTF file embedded with a malicious LNK. Instead of directly executing PowerShell, the LNK file will execute MSHTA.exe (a file used for opening HTML applications), which executes a Javascript or VBScript code that in turn downloads and executes the PowerShell script. The PowerShell then executes a reverse shell (like Metasploit or Cobalt Strike) to complete the compromise.
Figure 3. Complex LNK attack leveraging MSHTA.exe files
Last month we identified another spear phishing campaign also using a combination of LNK and PowerShell. Unfortunately, the Command and Control (C&C) server where the main payload was stored is no longer accessible.
Their strategy seems to have fewer layers: the LNK file is embedded in a document file and if a user double clicks to open the message, it executes a PowerShell file (or a similar Windows command line tool) to download another script. The other script then downloads the main payload.
Figure 4. A less complicated LNK-PowerShell attack
We believe this specific attack may be politically motivated due to the economic and controversial subject of the decoy document. However, a full analysis is tricky because the trail ends when one of the C&C servers dies. Without the full picture, it is difficult to associate this type of attack to known campaigns.
Hidden LNK commands
In many cases, these malicious LNK files can reveal valuable information about the attacker’s development environment. To help get this information, a quick analysis is possible by viewing the properties of the file.
However, we are encountering cases where the command line argument is so long that it is no longer fully visible in the Properties > Shortcut window. When viewed, only the target application (CMD.exe, MSHTA.exe, and other non-malicious command line applications) is seen.
Figure 5. Only the target application is visible
Our tests revealed that the maximum length for Shortcut > Properties > Target is only 260 characters. Anything longer than that will not be visible. However, the maximum length for a command line argument is 4096 characters.
The attacker actually pads several spaces or newline characters before the malicious argument. Using a parser tool reveals that it is much longer (figure 6), though it still works normally:
Figure 6. Padded file hiding malicious code
Attackers take advantage of this to try and disguise or hide the malicious portion of the code. This padding strategy may prevent a quick analysis of a LNK file, but any LNK parser can still extract the arguments without any problem.
Recommendations and best practices
Malware developers continue to upgrade their tools and look for different ways to deliver their malicious payloads. Leveraging these LNK files is another strategy, but there are ways to prevent and mitigate these threats:
- Upgrading PowerShell to version 5, which is available as part of the Windows Management Framework and included on Windows 10, is recommended. Using Group Policy to turn on logging makes it easier to check for breaches.
- Users and enterprises alike should be wary of executable files received through email. Most files ending in *.EXE are auto-rejected on an email server, but if security is a concern then administrators should consider adding *.LNK to the list
- It is similarly not advisable to open any LNK file received via email (or from anywhere outside your machine).
To identify if it is a LNK file or not:
- If inside an archive (e.g. WinRAR, WinZip), the LNK extension is clearly visible, as well as the “Type” (it says “Shortcut”).
- For any Windows folder, you have to modify the registry if you want LNK files to be displayed. A small overlay arrow icon pointing to the upper right is one of the identifiers of a LNK file. Another way to do this: switch the Windows folder to “Details View”, then check the “Type”.
- For LNK embedded in Word documents, users have to be aware of these types of attacks to know what to look for. The bottom line is: never open these kinds of documents without verifying the source. If your organization does not need any packager objects, then there is a way to disable the feature totally by editing the registry.
Trend Micro™ Smart Protection with Maximum XGen™ security infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across user activity and any endpoint—the broadest possible protection against advanced attacks.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats, even without any engine or pattern update.