For years attackers have used Office documents with malicious macros as one of the primary methods of infecting computers with malware. Microsoft finally took steps to disable such scripts by default in documents downloaded from the internet, forcing many groups to change tactics and increasingly choose LNK (shortcut) files as a delivery mechanism.
This trend has led to the creation of paid tools and services dedicated to building malicious LNK files. These builders include MLNK Builder, Quantum Builder, Macropack, LNKUp, Lnk2pwn, SharPersist, and RustLnkBuilder, but their use can make the resulting files easier for security products to detect.
Why attackers are switching to LNK
LNK, short for Microsoft’s Shell Link Binary File Format, is a format that allows the operating system or an application to access a data object on the system. LNK files are commonly used for application shortcuts — a file that opens an application from a specified location on the file system. However, LNK files are more complex than that. They can include settings that control the application behavior, pass special configuration parameters to the application, and include other metadata in various sections.
The use of LNK files to distribute malware is not new. It used to be very common with worms that copied themselves to USB sticks and relied on users to open them. In recent years the techniques of loading rogue applications or malicious DLLs (binary libraries) via LNK files have evolved considerably.
VBA (Visual Basic for Applications) macros, on the other hand, are a technology that allows Office users to automate processes and workflows in their documents. It’s a powerful feature that has been very popular with businesses, especially in departments such as accounting and finance. For this reason, Microsoft has been reluctant to disrupt business workflows by making changes to the macro user experience.
For years now, Microsoft Office automatically disabled macros and displayed a warning about the risks of malicious content at the top of the document that allowed users to re-enable them. Attackers then started using various social engineering tricks through the content of their malicious documents to encourage users to manually allow macros to run.
Last year, the company took a more serious step and decided to disable macros by default, with no option to override the setting, for documents obtained from internet sources, such as those received by email or downloaded via the browser. The OS can already flag such documents with a “mark of the web.” The new restriction reached general availability in June, but Microsoft quickly reverted the change, only to re-enable it one month later. Since then, as more users updated their Office versions, attackers found less success in their campaigns using documents with macros, so they pivoted to other techniques, such as LNK files or Excel add-in (XLL) files.
Excel add-ins are essentially DLLs created with the Excel software development kit that allow users or developers to extend the functionality of Excel and add user-defined functions. However, there are also free tools like Excel-DNA that allow users to create Excel add-ins using other programming languages, such as .NET languages.
“In particular, since it is free, malware authors have adopted Excel-DNA as one of the common tools for creating malicious XLL files,” researchers from Cisco Talos said in a report in December. “An XLL file written in a .NET language is compiled in a standalone file containing shim functions which map native exports to the CLR functions contained in a user-defined assembly DLL embedded in the resource section of the file generated by Excel-DNA.”
The good news is that Microsoft also plans to restrict this feature for files downloaded from the internet in the same way it restricted macros in Word documents. This change is expected to roll out in March, according to a new entry on Microsoft’s roadmap for Excel. This will likely push even more attackers toward alternative file formats to abuse, such as LNK.
LNK metadata and lack of metadata as detection methods
LNK abuse has been growing since last year, according to researchers from Cisco Talos, who have seen several attacker groups pivoting to it. One of those groups is behind the long-running Qakbot (also known as Qbot or Pinkslipbot) malware family.
“Qakbot is known to evolve and adapt their operation according to the current popular delivery methods and defense techniques,” the researchers said in a new report. “As recently as May 2022, their preferred method of distribution was to hijack email threads gathered from compromised machines, and insert attachments containing Office XLSB documents embedded with malicious macros. However, after Microsoft announced changes to how macros were executed by default on internet downloaded content, Talos found Qakbot increasingly moving away from the XLSB files in favor of ISO files containing a LNK file, which would download and execute the payload.”
However, LNK files have a lot of sections and contain a lot of metadata about the machines that generated them, leaving unique traces that can be associated with certain attack campaigns or attacker groups. For example, a phishing campaign last year that used LNK files against Ukrainian entities was initially attributed to a new attacker group but was eventually linked to Gamaredon, a Russian APT group that has been active since at least 2013 and has been using LNK files in its attacks since at least 2017.
“By analyzing the metadata content of the LNK file in the report, Talos associated the machine IDs where the files were generated, to files associated with the Gamaredon APT,” the researchers said. “Furthermore, based on this metadata, Talos identified a new campaign targeting Ukrainian organizations that started around August 8, 2022.”
Not only can LNK metadata be used to associate new attacks with known groups, but it can also be used to discover entirely new attack campaigns by searching through samples collected by services like VirusTotal.
In a separate investigation, LNK file metadata was used to establish connections between a malware family called Bumblebee and the IcedID and Qakbot Trojans.
Aware that researchers increasingly use metadata in this manner, some of the malicious LNK building tools remove some of it when they generate malicious files. However, the lack of some metadata can also be used as an indicator of suspicious activity, because legitimate LNK files are supposed to have those data fields.
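The following Python code is an added example, not code from Talos or from this article. It reads the machine ID from a shortcut's tracker block and reports both signals described above: an ID already seen in earlier samples, and metadata that is missing. The field layout follows Microsoft's published MS-SHLLINK specification. The assumptions are that the "machine ID" is the TrackerDataBlock MachineID field, that a missing tracker block and zeroed header timestamps are reasonable "missing metadata" checks, and the `known_ids` set and the `make_sample` file, which are constructed for the demonstration.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
TRACKER_SIG = 0xA0000003  # TrackerDataBlock signature
HAS_IDLIST, HAS_LINKINFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # name, relpath, workdir, args, icon

def parse_lnk(data):
    """Return header timestamps and the TrackerDataBlock MachineID (or None)."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, _attrs, *times = struct.unpack_from("<II3Q", data, 20)
    pos = 76
    if flags & HAS_IDLIST:    # IDListSize does not count its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in STRING_FLAGS:  # StringData entries appear in this fixed order
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2 + count * (2 if flags & IS_UNICODE else 1)
    machine_id = None
    while pos + 8 <= len(data):  # walk the ExtraData blocks
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:             # TerminalBlock
            break
        if sig == TRACKER_SIG and size >= 32:  # MachineID: 16-byte NetBIOS name
            machine_id = data[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
        pos += size
    return {"timestamps": times, "machine_id": machine_id}

def triage(data, known_ids=()):
    """Flag a previously seen MachineID, or metadata that a builder stripped."""
    info, findings = parse_lnk(data), []
    if info["machine_id"] is None:
        findings.append("no TrackerDataBlock")
    elif info["machine_id"].lower() in known_ids:
        findings.append("known MachineID " + info["machine_id"])
    if not any(info["timestamps"]):
        findings.append("zeroed timestamps")
    return findings

def make_sample(machine=None, ftime=0):
    """Constructed minimal .lnk for the demo (arguments string only, no target)."""
    out = struct.pack("<I16sII3QIIIHHII", 0x4C, LINK_CLSID, IS_UNICODE | HAS_ARGS,
                      0, ftime, ftime, ftime, 0, 0, 1, 0, 0, 0, 0)
    out += struct.pack("<H", 6) + "--demo".encode("utf-16-le")
    if machine:  # 0x60-byte TrackerDataBlock: size, sig, length, version, id, droids
        out += struct.pack("<4I16s64s", 0x60, TRACKER_SIG, 0x58, 0, machine.encode(), bytes(64))
    return out + b"\0\0\0\0"
```

A finding from `triage` is a reason to look closer rather than a verdict, since the specification allows zero timestamps and optional blocks in legitimate shortcuts. Truncated input raises `struct.error`, which a caller scanning a sample set should catch per file.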
“In the cyber threat landscape, any new information on the adversary could be critical toward improving defenses,” the researchers said. “By analyzing and tracking information leaked through metadata, and correlating this information with other actor’s tactics, techniques and procedures, defenders can develop better detections and even predict future behavior, to prepare for an attack.”