Using lnk file to deceive users in phishing attacks

Expert at Trustwave explained the tactics adopted by cyber criminals how to serve malware in phishing attacks exploiting .lnk files.

Phil Hay, expert at Trustwave SpiderLab, explained how cyber criminals are using .lnk files to serve malware via email. I have chosen to detail this tactic to demonstrate how much creative is the criminal ecosystem, even if it exploit consolidated and well known vector of attack like phishing.

.lnk files are Windows Shortcut files, its usage it is not new to malware authors, in the specific case Hay discovered a mail appearing sent from a legitimate source (e.g. An individual at Automatic Data Processing) having as attachment what looks to be a PDF document and a ZIP archive.

In reality the file “statement.pdf” isn’t a pdf file but an executable, while the ZIP archive includes a collection of. lnk files and a copy of the executable “statement.pdf”.

Let’s give a close look to the link to understand the tactic adopted by criminals, analyzing the properties of the link file it is possible to discover much more. When the victim clicks on the .lnk file in reality he runs the cmd.exe which allow the execution of statement.pdf file, regardless its extension, using the “/c” option.

“The target runs cmd.exe in the current directory and executes “statement.pdf” with a /c option, which simply means “Carry out the command specified by string and then terminate”.” states the blog post.

As explained by Microsoft in this post, you can run files using the command prompt (cmd.exe), the console uses the Kernel32 API function CreateProcess to examine the content of the file and execute it regardless of its extension.

Clicking on “Statement.pdf” file user will observe that nothing happens, this can induce user to extract the content of the zip archive, seeing a series of “parts”. Clicking on them victim will infect his machine.

“These parts do not show a .lnk extension because these are hidden on Windows (think of your desktop shortcuts). But when clicked, the malware is executed, and the user’s machine is now infected. In this case, the malware was an Upatre downloader, VirusTotal report here for those interested.” reports the post.

An attack compose in this way allows criminals to bypass any email gateways that seek to block executable file simply analyzing the extension instead to examine the file contents. Another element to consider is that also to a visual inspection of the unsolicited mail, its attachment appears to be a “harmless” because it is a PDF file.

Resuming the .lnk files provide a way to invoke cmd.exe to run the renamed executable to infect the victim’s machine.

Be aware … cybercrime is always lurking!

Pierluigi Paganini

(Security Affairs – lnk files, phishing)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.