.Lnk

Executable
Native
Double Click
Phishing

Author:

mr.d0x

Description:

LNK files are shortcuts to files and can also be used to open a URL. Just like URLs, LNK files can include an icon to display for the file, and that can be leveraged for NetNTLM hash harvesting. They can also be used to reference executables (e.g. PowerShell.exe), allowing them to download and execute malware.
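
A triage check for the two behaviours described above, added here as an example and not taken from the original entry or its author: it reads the StringData section defined in [MS-SHLLINK] and flags an icon location on a remote path or a script-host name in the relative path or arguments. The `SCRIPT_HOSTS` list, the function names and the sample host name are assumptions, and the sample input is a constructed header with a zeroed CLSID.

```python
import struct

# LinkFlags bits from the [MS-SHLLINK] ShellLinkHeader
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each gated by its flag bit
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript")  # assumed watch list

def parse_lnk_strings(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # character count
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec, "replace")
            pos += count * width
    return fields

def triage_lnk(data):
    """Flag remote icon paths and script-host references (StringData only;
    the target stored in LinkTargetIDList/LinkInfo is skipped, not inspected)."""
    fields = parse_lnk_strings(data)
    findings = []
    icon = fields.get("icon_location", "")
    if icon.startswith("\\\\") or icon.lower().startswith(("http://", "https://")):
        findings.append("remote icon path: " + icon)
    launch = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    findings += ["script host reference: " + h for h in SCRIPT_HOSTS if h in launch]
    return findings

def constructed_sample(icon):
    """Constructed test input: bare header (zeroed CLSID) plus a Unicode icon string."""
    header = struct.pack("<I16sI", 0x4C, bytes(16), 0x40 | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")

if __name__ == "__main__":
    print(triage_lnk(constructed_sample(r"\\fileserver.example\share\app.ico")))
```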

OS:

Windows

Recommendation:

Apply the “DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings. Set "Allow the use of remote paths in file shortcut icons" to 0 in the group policy settings.

Resources:

https://www.opswat.com/blog/shortcut-lnk-files-may-contain-malware
https://www.trendmicro.com/en_ca/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html
https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/

File Samples:

Contributions:

John Smith