LNK Shortcut

Adversaries are increasingly pivoting away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files in campaigns

Refs

• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

• https://www.socinvestigation.com/hackers-opted-for-new-techniques-after-microsoft-disables-excel-4-0-macros/

• https://www.trendmicro.com/en_vn/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html

Why is LNK Shortcut now trendy

Because Macro is now disabled by default (thank god for that MS), many blogs and news now talk about the major shift for the Adversaries but the LNK shortcut has been used for such a long time.

Many big APT and Adversaries is now using LNK as a way to deliver their payload

Tool to extract the URL or the command line

How to determine whether the user has clicked on the LNK

Prefetch, AmCache, ShimCache in Windows