A “LNK” to the Past

Contributor: Fred Gutierrez

Cybercriminals have continuously evolved their methods over the years to avoid detection and to avoid arousing the suspicion of the users they target. In the case of targeted attacks, the lure is a critical piece of the puzzle: the attackers need to capture their target's attention in order to convince them to open malicious PDF or DOC files.

We have been monitoring malicious emails that use Tibetan protests and self-immolations as their lure. The emails contain a RAR file with photographs supposedly taken at the protests.

Once the targeted user extracts the files onto their computer, they will notice only three files in the extracted directory. These appear to be JPG files, but the files presented to the user are actually .lnk files, which are Windows shortcuts:
 

Figure 1. LNK files seen when the RAR is extracted
 

The files have been carefully named to trick the user into believing they are JPG files. Because Windows hides known file extensions by default, the user never sees the actual .lnk extension.
 

Figure 2. Showing hidden files reveals that additional files are present
 

In addition to the hidden extensions, there are hidden files in the same folder. When we enable viewing of hidden files, we see some legitimate JPG files, as well as a thumbs.db file. Thumbs.db is a file Windows normally uses to store thumbnails of the images in a directory. However, this thumbs.db was not generated by Windows; it is a malicious file that the attackers purposely included in the archive.
 

Figure 3. Contents of the LNK file show that it executes thumbs.db and the associated JPG file
 

When we examine one of the .lnk files in the folder, we see that it calls the Windows Command Prompt to run the start command, passing the thumbs.db file and the corresponding image (in this case, IMG_3915.jpg) as parameters. When the user double-clicks the .lnk file, they expect an image to appear, and one does: they are shown a genuine photograph from a Tibetan protest. At the same time, however, the thumbs.db binary (detected as Trojan.Dropper) is executed and drops multiple files onto the compromised computer.

The dropped files vary. One of them drops an executable called iexplore.exe into the Application Data\Active folder and also drops a .lnk file into the Startup folder that points to the location of the malicious iexplore.exe (detected as Trojan Horse). Another is a .dll file (detected as Backdoor.Trojan) that opens a back door and attempts to collect computer information such as the OS version, CPU, memory, and user name.
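The two shortcuts described above (the photo-named .lnk that runs cmd.exe with start, and the Startup-folder .lnk pointing into Application Data) can both be triaged by reading the shortcut file directly rather than trusting the name Explorer shows. The following Python is an added example, not code from the original post: it parses the 76-byte ShellLinkHeader and the StringData section of the MS-SHLLINK format and reports the traits the post describes. The `build_lnk` helper, the finding strings and the sample paths (including the `<user>` placeholder) are my own constructions; it only reads RelativePath as the target and skips the LinkInfo block where real shortcuts store the absolute path, so treat a missing finding as "unknown", not "clean".

```python
"""Triage of Windows Shell Link (.lnk) files that pose as images.

Added example (not from the original post). Parses the fixed header and
StringData of MS-SHLLINK and flags: an image name with .lnk hidden, a target
that is a command interpreter, `start` launching a non-image operand beside
the decoy picture, and a target under a user-profile data directory.
Limitation: LinkInfo (absolute target) is skipped; RelativePath is used.
"""
import struct

LNK_HEADER_SIZE = 0x4C                                          # HeaderSize is always 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData entries appear in this fixed order, each present only if its flag bit is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROFILE_DATA_DIRS = ("application data", "appdata", "local settings")


def _read_string(data, off, unicode):
    """One StringData entry: u16 character count, then the characters (no terminator)."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    nbytes = count * 2 if unicode else count
    raw = data[off:off + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, off + nbytes


def parse_lnk(data):
    """Return LinkFlags and the StringData fields of a .lnk file as a dict."""
    if (len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:     # IDListSize (u16) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize (u32) spans the whole block
        off += struct.unpack_from("<I", data, off)[0]
    info, unicode = {"flags": flags}, bool(flags & IS_UNICODE)
    for key, bit in STRING_FIELDS:
        info[key] = None
        if flags & bit:
            info[key], off = _read_string(data, off, unicode)
    return info


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess_lnk(filename, data):
    """Return human-readable findings for one .lnk (empty list means nothing notable)."""
    info, findings = parse_lnk(data), []
    shown = filename[:-4] if filename.lower().endswith(".lnk") else filename
    if shown.lower().endswith(IMAGE_EXTS):
        findings.append("disguised extension: displays as %s with .lnk hidden" % shown)
    target = info["relative_path"] or ""
    if _basename(target) in INTERPRETERS:
        findings.append("target is a command interpreter: %s" % _basename(target))
    if any(d in target.lower() for d in PROFILE_DATA_DIRS):
        findings.append("target runs from a user-profile data directory: %s" % target)
    args = (info["arguments"] or "").split()
    lowered = [a.lower() for a in args]
    if "start" in lowered:
        # operands after `start`, minus switches; anything that is not the decoy image is suspect
        operands = [a for a in args[lowered.index("start") + 1:] if not a.startswith("/")]
        for op in operands:
            if not op.lower().endswith(IMAGE_EXTS):
                findings.append("start launches a non-image operand: %s" % op)
    return findings


def build_lnk(relative_path, arguments, name=None):
    """Build a minimal Unicode .lnk; used here only to construct offline samples."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_NAME if name else 0)
    # attrs, three zero FILETIMEs, FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey, reserved
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text, bit in ((name, HAS_NAME), (relative_path, HAS_RELATIVE_PATH),
                      (arguments, HAS_ARGUMENTS)):
        if flags & bit:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples modelled on the two shortcuts described in the post
# (placeholder paths; not the attackers' actual files).
PHOTO_LNK_NAME = "IMG_3915.jpg.lnk"
PHOTO_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c start thumbs.db IMG_3915.jpg")
STARTUP_LNK_NAME = "iexplore.lnk"
STARTUP_LNK = build_lnk(r"C:\Documents and Settings\<user>\Application Data\Active\iexplore.exe", "")

if __name__ == "__main__":
    for name, blob in ((PHOTO_LNK_NAME, PHOTO_LNK), (STARTUP_LNK_NAME, STARTUP_LNK)):
        print(name, assess_lnk(name, blob) or ["nothing notable"])
```

Run against a quarantined extraction directory, the same checks apply to any .lnk a user received in an archive: a shortcut that displays as a picture but whose target is cmd.exe, or whose start operands include a file that is not the picture, is worth pulling into analysis before the user ever double-clicks it.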

It should be noted that we have not seen the malicious thumbs.db file used in other targeted attacks. This is a deviation from the norm, as many of the attacks we see through email rely on malicious DOC and PDF files that exploit a vulnerability.

This is just one example of how cybercriminals are experimenting with new ways of social engineering. It won’t be the last.