Shortcut files have recently become a common vehicle used in targeted attacks to deliver malware into organizations. Symantec has observed a variety of ways shortcut files are being used to penetrate networks, such as the one described in a previous blog. We recently came across another example of how this file type is being used in an attempt to evade detection by security products and trick email recipients into executing attachments. In this variation, an email with disassembled malware attached is sent to a recipient along with a shortcut file used to reassemble the malware.
The email used for this attack included an archive file as an attachment. The archive contained a shortcut file that uses a folder icon, along with a real folder containing a Microsoft document file and two hidden files with .dat file extensions.
Figure 1. Inside the attached archive file
Figure 2. Inside the Summit-Report1 folder
For the average user with default Windows Explorer settings, the archive file would appear to contain only two folders. Clicking either of them leads the user to the folder containing the document file. If the user attempts to open the "folder" that is actually the shortcut file, a copy command runs and combines the two .dat files into one malicious file. The computer then becomes infected with malware. Please note that the structure inside the archive attachment varies, but the archive will always contain multiple broken-up files along with a shortcut file.
Figure 3. Shortcut file properties showing a portion of the script used to assemble the .dat files
Figure 4. Binary data in ~$1.dat
Figure 5. Binary data in ~$2.dat
Figure 6. Binary data in combined executable file
The tactic of disassembling malware before the attack and reassembling it on the victim's computer may be used by an attacker for several reasons. The main reason may be to avoid detection of the malicious files: if the file is broken up into pieces, security products will have difficulty determining whether these pieces are malicious. Another reason may be to prevent gateway security products from stripping off executable files. A typical gateway product can filter by file type and can be configured to strip executables found in email attachments, which is a common practice carried out by IT departments.
Shortcut files are very simple and cost-efficient to use. They do not require the use of exploits, which can be more resource intensive and also require the victim's computer to be vulnerable. Icons can easily be made to look like folders or document files. Once an attacker has prepared the malicious files, they only have to write one line of script and the attack is ready.
What can be done to protect against these types of attacks? In normal circumstances, there is no practical reason for emails to contain shortcut files. If organizations feel shortcut files are not needed in email attachments, they can explore the possibility of filtering out that file type at the network gateway.
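Gateway filtering of shortcut files is the blunt option; a mail or sandbox pipeline can also inspect the shortcut itself and flag the reassembly behaviour described above. The following is an added example, not Symantec's code or detection logic: it parses the string fields of a Windows shell link (the .lnk format), flags a target of cmd.exe whose arguments concatenate fragments with "copy /b", and builds a small constructed .lnk fixture to exercise the check (the fragment names and command line are assumed, modelled on the ~$1.dat/~$2.dat files in the figures).

```python
import re
import struct

# Minimal reader for the Windows Shell Link (.lnk) format (MS-SHLLINK): 76-byte
# header, optional LinkTargetIDList and LinkInfo, then the StringData fields.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data):
    """Return the StringData fields present in a .lnk as {field: str}."""
    if struct.unpack_from("<I", data, 0)[0] != 76:
        raise ValueError("not a shell link (bad HeaderSize)")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) followed by the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

# The tell-tale from the blog: the shortcut's arguments glue hidden fragments
# back together with "copy /b first+second output".
RECOMBINE = re.compile(r"copy\s+/b\s+\S+\s*\+\s*\S+", re.IGNORECASE)

def assess(fields):
    """List the indicators found in parsed fields; an empty list means nothing flagged."""
    findings = []
    if fields.get("relative_path", "").lower().endswith("cmd.exe"):
        findings.append("target is cmd.exe")
    if RECOMBINE.search(fields.get("arguments", "")):
        findings.append("arguments reassemble fragments with copy /b")
    return findings

def build_lnk(relative_path, arguments, icon_location):
    """Construct a minimal Unicode .lnk test fixture (assumed values, not a real attachment)."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 76)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 20, 0x08 | 0x20 | 0x40 | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return bytes(header) + body
```

Real attachments usually carry a LinkTargetIDList and LinkInfo block, which the parser skips by size, so the same function works on shortcuts extracted from a quarantined archive.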
Symantec detects the malware discussed in this blog as Trojan Horse.