Not all malicious USB devices need to be expensive pieces of hardware with sophisticated programming to do damage to your computer. With an old USB drive, you can build your own malicious BadUSB using Windows shortcut files that link to and launch a payload.
According to a McAfee blog post Rise of LNK (Shortcut) Malware, “During the second quarter of 2022, McAfee Labs has seen a rise in malware being delivered using LNK files. Attackers are exploiting the ease of LNK, and are using it to deliver malware like Emotet, Qakbot, IcedID, Bazarloaders, etc.”
We are going to look into how an LNK file can deliver malware from a seemingly innocent-looking USB drive. By hiding hard-to-detect malware behind a Windows shortcut (LNK) file, a disguised link manipulates the user into clicking on a seemingly harmless file and launching the malware. An LNK file provides quick and easy access to an executable without navigating the program’s full path. In this situation, the malware executable sits in a hidden directory. The user clicks on what looks like a folder, which is actually a link to the executable, launching the malware.
The executable for this exploit is Netcat or simply nc.
Netcat is not malware, but Windows Defender flags it as such, so for the purposes of this walkthrough we will refer to it as malware.
Netcat is a common tool used by network administrators for many purposes; among other features, it allows one computer to connect to another over the network. Using Netcat to establish a reverse shell, the attacking machine gains shell access and full control of the victim’s computer.
At the end of this section, we talk about ways to protect yourself against LNK shortcut USB attacks.
Insert a USB drive into your computer. You can use any Windows-formatted USB drive. The size of our payload in this example is only 45K so any drive should work.
Right-click and create a new folder. You can name this folder whatever you want, but for this example, we will use the aptly named payload directory. We will eventually hide this directory - more on how to do that later.
Open the folder you just created. This is where we are going to install our malware. Download the nc64.exe executable from GitHub and copy the nc64.exe file to this folder.
After copying the payload onto your drive, you need to make some filesystem changes on the USB drive starting with creating a batch file.
The batch file is where you issue Windows commands for the computer to execute. Use Windows Notepad to create a text file. This file contains a single command that begins the attack.
Replace the IP address and port in this example with those of your attacking host that is running Netcat. The -e parameter specifies which shell to attach to the connection; on a Windows system, that can be cmd.exe or powershell.exe. Later on, we will configure our Linux server, which will accept the connection from the victim’s computer.
Save the file with a .cmd extension, and check that ‘Save as type:’ is set to ‘All files.’ Make sure the batch file and executable are in the same directory.
The payload directory should contain two files: the executable and the batch file.
Part of the success of this attack is that we can create a Windows shortcut and link to the malware in a hidden directory. In order to get the user to click on our malware, we need to trick them into doing so. Hopefully, most users know not to run random applications on their computers. But a user will try to open a folder with an interesting name.
Create the shortcut by right-clicking on the root directory of the USB drive and selecting Shortcut.
Select the batch file you created in the previous step. In our example, select the run_exploit.cmd file from the payload directory, then click Next to continue.
Name the shortcut something interesting that would entice a user to click on it, and click Finish.
Our newly created link does not look right, and even curious users should be hesitant to click the icon. Fortunately, Windows provides a feature so we can change the default icon for files and links.
Right-click on the link and select Properties.
Click the Change Icon button.
Change the icon to a folder.
Click OK to close the Change Icon window.
Click OK to apply the changes and close the file Properties window.
Now our shortcut does not look like a link anymore. There is still the traditional link arrow on the bottom left, but this should pass casual inspection by curious users.
We are almost there. The drive still does not look right with the payload folder visible. We are going to fix that by making the payload folder hidden. Right-click on the payload folder and select Properties.
Select the Hidden checkbox and click OK to apply the changes and close the window.
Enable ‘Apply changes to this folder, subfolders, files’ and click OK.
The Simple Malicious USB drive is armed and ready to deploy. When the user inserts the USB drive into their computer, this is what they see.
The shortcut looks like a regular Windows folder and looks harmless. Curious or unobservant users launch the malicious payload when they try to open the folder. But before deploying the Simple Malicious BadUSB, we need to set up our command-and-control server.
Our command-and-control (C&C) server is controlled by the attacker and is used to send commands to, and receive output from, a computer compromised by malware. Our server for this exploit is an Ubuntu machine running up-to-date software with netcat installed.
This example uses the -n (do not resolve DNS names), -l (listen for incoming connections only), -v (verbose), and -p (port number to listen on) options. Start the listener with the nc -nlvp 4444 command. The server patiently waits for an incoming connection on port 4444.
When the user inserts the USB and clicks on the shortcut, the batch file executes the nc64.exe command with the IP address and port number we supplied earlier. The connection is quick and effective.
At this point, the machine is compromised and the attacker has full shell access to the victim’s computer. The hacker can issue commands as if they were sitting directly at the terminal.
Several things need to go right for this exploit to work.
If all of these circumstances work for the attacker, then this would be a successful ransomware attack. In these types of attacks, numbers work in the attacker’s favor. If 100 BadUSB devices are dropped at a location, the attacker needs only one person to click the link for the attack to succeed.
Microsoft endpoint detection (EDR) does a very good job of protecting users from running malicious code. Built into all currently supported versions of Windows, Virus & threat protection watches for unusual behavior.
If Virus & threat protection is enabled, users will see this message when they insert the BadUSB.
Microsoft EDR quarantines the file, removing it from the drive, so the attack fails: the malware is gone and can no longer be executed.
The good news for potential victims is that most people know not to plug a random USB device into their computer, and if they did, Microsoft endpoint security software would prevent the malicious software from running.
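As an added defender-side check (not part of the original walkthrough), the following PowerShell script inspects every shortcut on a removable drive and reports the three traits this attack relies on: a target that is a script or executable, a target that lives under a hidden folder, and a stock folder icon. The drive letter, the script file name, and the shell32.dll folder icon indexes are assumptions.

```powershell
# Added example: audit .lnk files on a removable drive for the disguise traits
# described above. Assumes the drive letter is passed as -DriveLetter.
param([string]$DriveLetter = 'E')

$root      = "${DriveLetter}:\"
$shell     = New-Object -ComObject WScript.Shell
$riskyExts = @('.cmd', '.bat', '.exe', '.ps1', '.vbs', '.js', '.hta')

function Test-HiddenAncestor([string]$Path) {
    # Walk from the target's folder up to the drive root; any Hidden attribute counts.
    $dir = Split-Path -Parent $Path
    while ($dir -and ($dir.TrimEnd('\') -ne $root.TrimEnd('\'))) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($item -and (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)) { return $true }
        $dir = Split-Path -Parent $dir
    }
    return $false
}

# -Force is essential: without it Get-ChildItem skips hidden folders such as "payload".
$findings = Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -File | ForEach-Object {
    $lnk     = $shell.CreateShortcut($_.FullName)   # resolves TargetPath, Arguments, IconLocation
    $target  = $lnk.TargetPath
    $reasons = @()

    if ($target) {
        $ext = [IO.Path]::GetExtension($target).ToLower()
        if ($riskyExts -contains $ext)   { $reasons += "target is a script/executable ($ext)" }
        if (Test-HiddenAncestor $target) { $reasons += 'target lives under a hidden folder' }
    }
    # Assumption: shell32.dll icon indexes 3 and 4 are the stock closed/open folder icons,
    # which is what the "Change Icon" step above selects.
    if ($lnk.IconLocation -match 'shell32\.dll,\s*[34]$') { $reasons += 'disguised with a folder icon' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $target
            Arguments = $lnk.Arguments
            Reasons   = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-List } else { "No suspicious shortcuts found on $root" }
```

Save it under a name of your choosing (for example Find-SuspiciousLnk.ps1, a hypothetical name) and run it as `.\Find-SuspiciousLnk.ps1 -DriveLetter E` on an isolated analysis machine; a shortcut that trips all three reasons is exactly the folder-shaped link built in this walkthrough.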