Hackercool's 3rd Free Gift
CREATING A MALICIOUS SHORTCUT

How To Create A Malicious Shortcut
REAL WORLD HACKING
Ever since Microsoft banned the usage of macros by default, hackers and APTs alike have shifted to various other methods to deliver malware. Macros were a perfect method for hackers to deliver malware. Seeing the seriousness of this feature, Microsoft finally decided to disable macros by default after some dilly-dallying. This move comes a few months after XLM macros were disabled by default.
To be precise, hackers had been moving towards other delivery methods even before macros were banned by default. Some of these methods have been in use for a long time. It is only Microsoft's recent ban on macros that increased their usage.
Proofpoint reported that the use of VBA and XL4 macros by malicious actors dropped by approximately 66% from October 2021 to June 2022. It also reported that in place of macro-enabled documents, hackers are moving towards other alternatives like Windows shortcut (LNK), RAR and ISO files to deliver malware. These files are sent as email attachments or are hosted on a website, and victims are lured to that malicious website through a link in a spear-phishing email.
In this issue, readers will learn how to generate malicious LNK, ISO and RAR files and how APTs deliver these malware files.
An ISO file is an archive file that contains an identical copy (image) of the data found on an optical disc like a CD or DVD. You can say an ISO is like a soft copy of a CD or DVD. So these are typically container files.
Hackers have been using poisoned disk image files for years to deliver malware to their targets. This method is popular among attackers because the ISO file is a standard file type in the Windows environment.
A LNK file is a Windows shortcut file that serves as a pointer to open an application, folder or file. LNK files are easy to create and hence hackers have been using them for a long time. McAfee has reported that recently hackers have been using LNK files to deliver malware like Emotet, Qakbot, IcedID and BazarLoader.
Not that you don't know it, but RAR is a proprietary archive file format used to compress multiple files into an archive with the .rar extension. I hope that gave you a basic understanding of all the file formats. Now, let's get into practical exploitation, starting with creating a LNK file.

"The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022,"
- Proofpoint
How To Create A Malicious LNK File
A LNK file can be created on a Windows machine using the commands given below.

In the above commands, I have created a Windows shortcut (LNK) named "malicious shortcut" that will open PowerShell upon clicking on it.
If you think this is a bit cumbersome, don't worry: there are many tools available that can simplify the job for you. SharpLNKGen-UI is one such tool (with a graphical user interface) that automatically generates LNK files for us.
This is a C# project (download information is given in our Downloads section). Like any other C# project, it can be built with Visual Studio.

"Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape."
- Sherrod DeGrippo, VP, Proofpoint

"Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue."
- Sherrod DeGrippo, VP, Proofpoint

After the build is successful, go to the folder where the binary is created and click on it. It should open a GUI as shown below. You will see two fields: Target and Icon.

As self-explanatory as they are, the Target field specifies which executable to open when the shortcut is clicked. Let's set it to open a CMD window. The Icon field specifies the icon to be set for our shortcut. The icon plays an important role in getting victims to click on the shortcut.
I selected a WordPad icon which I downloaded from the internet. Below these two fields, you will see four checkboxes. Let's deal with two of them first. "Description" describes the program that should be mimicked by this shortcut. I selected "Note pad" here.

I click on "Generate" and the shortcut is successfully generated. I named it "test1.lnk" as I am really testing the tool. When I click on the shortcut, I successfully get a CMD shell, as shown below.

Now, let's come to the "Arguments" option. The "Arguments" option is used to specify commands to run after opening a program. For example, in my case, I want the shortcut I generated to open a CMD window and then run the command "/c start firefox.exe" in CMD.

This command starts the Firefox browser. We can start any program like this.

Fine. I successfully generated a shortcut and started whatever programs I liked. Although I am a bit of a script kiddie, I don't want to start a program that is already installed on the victim's computer. What I want is to execute any executable I want (hacker's smile).
I have my mind set on many executables, but for a start let's create a reverse shell executable payload with msfvenom as shown below.

Now, let's generate a shortcut that opens a CMD window and then executes the payload I just created (shell×64-8883-exe). I named this shortcut "READ ME.TXT.LNK". Why? You will see soon.
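As an added defensive example (not code from the article or from SharpLNKGen-UI), the Python below parses the StringData blocks of a .lnk file as laid out in MS-SHLLINK and flags the traits the shortcuts built above share: a cmd.exe or PowerShell target, inline arguments, an icon taken from a different program, and a double extension such as READ ME.TXT.LNK. The shortcut it checks is constructed in code rather than captured, and the icon-mismatch test is a heuristic that will also fire on legitimate shortcuts that borrow an icon from a DLL.

```python
import ntpath
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID (MS-SHLLINK 2.1)
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),  # LinkFlags bits,
                 (0x20, "arguments"), (0x40, "icon_location"))                    # in file order
INTERPRETERS = ("cmd.exe", "powershell.exe")  # the two targets the article uses

def parse_lnk(data):
    """Return the StringData fields of a .lnk; the IDList and LinkInfo blocks are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, off = struct.unpack_from("<I", data, 20)[0], 76
    if flags & 0x01:                      # HasLinkTargetIDList: 2-byte size, then the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                      # HasLinkInfo: 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & 0x80)          # IsUnicode: UTF-16LE strings, otherwise ANSI
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:                   # CountCharacters (2 bytes), then the unterminated string
            nbytes = struct.unpack_from("<H", data, off)[0] * (2 if unicode else 1)
            fields[name] = data[off + 2:off + 2 + nbytes].decode("utf-16-le" if unicode else "cp1252", "replace")
            off += 2 + nbytes
    return fields

def triage_lnk(filename, fields):
    """Heuristic triage of a parsed shortcut; returns the list of findings (empty means nothing odd)."""
    target = ntpath.basename(fields.get("relative_path", "")).lower()
    args = fields.get("arguments", "").strip()
    icon = ntpath.basename(fields.get("icon_location", "")).lower()
    findings = []
    if target in INTERPRETERS:
        findings.append(f"target is a command interpreter: {target}")
        if args:
            findings.append(f"interpreter receives an inline command: {args!r}")
    if icon and target and icon != target:  # e.g. a WordPad icon on a cmd.exe target
        findings.append(f"icon {icon} belongs to a program other than the target {target}")
    stem, ext = ntpath.splitext(filename)
    if ext.lower() == ".lnk" and ntpath.splitext(stem)[1]:  # READ ME.TXT.LNK style naming
        findings.append(f"double extension hides the .lnk suffix: {filename!r}")
    return findings

def build_sample_lnk(name, relative_path, arguments, icon_location):
    """Constructed test input, not a captured file: a header plus four UTF-16 StringData blocks."""
    flags = 0x04 | 0x08 | 0x20 | 0x40 | 0x80  # HasName|HasRelativePath|HasArguments|HasIconLocation|IsUnicode
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(  # attrs, 3 timestamps, size, icon, SW_SHOWNORMAL
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (name, relative_path, arguments, icon_location))
```

Feeding the same parser a shortcut whose LinkInfo block carries the absolute target would need that block decoded too; here the relative path is enough to show the triage logic.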

DOWNLOADS
1. Malicious Shortcut Generator :
https://github.com/jfmaes/SharpLNKGen-UI

USEFUL RESOURCES

https://haveibeenpwned.com