Using office macros to exploit endpoints continues to be a popular method for exploitation. Users are presented with a dialog box, which they must click for the attack to work, most users will click, especially if the document looks like something they normally operate on. This removes the need for attackers to have office or browser zero-days. It also makes exploitation simpler and cheaper. Additionally, it is typically possible to tune the malicious macro to bypass security controls like anti-virus. There are even toolkits like Luckystrike to ease macro exploit development.

There are controls within Windows domains, which can be activated to stop macros from executing. There are also security tools that can sandbox, scan, or even put untrusted documents into VMs.

We began investigating an attack that hit one of our customers. We found that it was an office document with an embedded link (.lnk) file. The image of the .lnk must be clicked by the user, this is all but certain to happen.

What is interesting: for at least one VM protection product, LNK requires the document to be trusted and opened natively. Thus, we believe attacks using LNK files would be effective at bypassing a container based tool. Likewise, most malware analysis sandboxes are not able to properly analyze threats with embedded LNK files.

Binary Defense takes a different approach. We use behavioral heuristics to find attacks. Here is what a BDS Vision customer would see.

When the exploit is running on the victim:

Vision Alarms noticed by our SOC operators:

In order of time:

  1. The malicious LNK is detected, and code is shown
  2. Payload is run with PowerShell
  3. Payload is noticed – but the hash is wrong because the file size is empty. This is because the malware site was moved by the attackers by the time we checked into this threat.

VT Shows the Doc to be Malicious

Only 19 of 55 anti-virus engines believe the threat we found was malicious. Tweaking it to make the attack fresh to bypass all the AVs should be straight forward.

Summary

Embedded LNK files can and will be used to exploit enterprise systems. Expect attackers to use them to even bypass next generation endpoint security controls.

This blog was written by Dr. Jared Demott – CTO at Binary Defense