During the second quarter of 2022, Microsoft witnessed an increase in the amount of malware being spread via LNK files. In these campaigns, attackers have been using LNK files to deliver harmful payloads.

What is an LNK file?

  • A Windows shortcut on your desktop is a pointer that opens a file, folder, or even an application; an LNK file is exactly that shortcut.
  • LNK files hold the information used to access another data object and are based on the shell link binary file format.

How are LNK files created?

  • LNK files are created in two ways: manually, by using the standard right-click "create shortcut" option, or automatically while an application is running.
  • Plenty of tools are available to build LNK files; one of them, "lnkbombs", is built specifically for malicious purposes.

LNK threat carriers

  • To distribute LNK files to victims, threat actors use spam emails and malicious URLs.
  • These files pass instructions to legitimate programs such as PowerShell, CMD, and MSHTA, which then download the malicious files.

How do the attackers infect the systems?

  • Once the user opens the attached LNK file, the malicious URL hardcoded into it runs through utilities like PowerShell, which download the main threat payload.
  • The downloaded file is saved under the temp folder with the name test.dll.
  • Typically, malicious LNK files have been observed using PowerShell and CMD commands to connect to malicious URLs and download malware such as Emotet, Qakbot, Bazarloader, IcedID, and others, taking advantage of how simple the technique is.
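As an added example (not from the article), the following Python script parses the ShellLinkHeader and StringData sections of the shell link binary format and flags shortcuts whose target path or arguments invoke PowerShell, CMD, or MSHTA, or carry a download URL, so that an analyst can triage LNK attachments offline. The `build_lnk` helper constructs a minimal sample shortcut for testing; the keyword list in `SUSPICIOUS` is an assumed triage set, not a vendor signature.

```python
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order when present
HAS_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
# Assumed triage keywords: the LOLBins the article names plus download/stealth markers
SUSPICIOUS = ("powershell", "cmd.exe", "mshta", "http://", "https://", "-enc", "hidden")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (the parts an analyst triages)."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:  # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts its own length
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def suspicious_indicators(fields: dict) -> list:
    """Triage keywords found in the target path or arguments, in SUSPICIOUS order."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    return [s for s in SUSPICIOUS if s in text]


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))  # remaining header fields left zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body
```

Run `parse_lnk` on the bytes of a real shortcut and pass the result to `suspicious_indicators`; a non-empty list means the shortcut deserves a closer look rather than a double-click.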

Final thoughts

Attackers misuse Windows shortcut (LNK) files, turning them into an exceedingly dangerous vector for regular users. Malicious use of LNK files, along with PowerShell, CMD, MSHTA, and other programs, can seriously harm the victim's computer. To prevent it:
  • Because these attacks are continually evolving, every user who works with LNK shortcut files should inspect them thoroughly before opening them.
  • Keep the operating system and antivirus software up to date.
  • Exercise caution when opening links and attachments in phishing emails.
Cyware Publisher