Breaking through Windows’ defenses: Analyzing mLNK Builder

March 26, 2020

Introduction

Launching an attack does not always require high technical aptitude on the part of a threat actor, especially when there are ready-made tools available for every stage of the infection chain. Delivery document builders and MaaS (Malware-as-a-Service) providers are just some of the services that thrive in hacking forums, and save attackers the trouble of developing a payload or socially engineering a document.

However, making those tools easily accessible and available in bulk has its downsides, since security solutions and Anti-Virus products are usually quite proficient at protecting against them. To overcome this problem, underground sellers have started providing services to make malicious files more evasive and less detectable. A prime example of this is the mLNK Shortcut Builder.

Enters mLNK

We first encountered an advertisement for the mLNK Shortcut Builder in a Discord channel called “NativeOne Products”, which is managed by a user under the name “Ren and Stimpy:”

 

mLNK enables payloads to bypass security solutions such as Windows Defender, Windows 10 Smart Screen and UAC by converting the payloads to LNK shortcuts:

“LNK” or “LiNK” files are shortcuts used by the Windows operating system to point to a file, and are most commonly used in the Desktop directory. LNK files can be leveraged to run PowerShell, and since the displayed icon does not have to match the file type the shortcut points to, victims are less likely to realize exactly what type of file they’re about to open.

Despite the developers’ claim that this tool was created for educational purposes, our collected evidence suggests the  tool’s actual use is to deliver malicious files to victims. In one such case, an LNK file was sent to a target in the United States from an e-mail address belonging to a UAE-based company called “Bin Rashed Transporting and General Contracting.”

The message contained a malicious attachment called Doc001.png.lnk, which downloads an HTA payload from s-c[.]live.

The final payload is packed with CypherIT, an AutoIt packer used to encrypt executables, which we discussed in a previous report.
The mLNK developers endorsed CypherIT and even recommended using it alongside their own tool:

Full Features

In addition to file conversion, other features by mLNK Shortcut Builder include delaying the execution of the payload, or opening a decoy document at the same time, making it even harder for a victim to detect any suspicious activity:

Surprisingly, those features did not come with a hefty price; the cheapest support plan for the mLNK Shortcut Builder costs only $50 and gives the attacker access to the builder for one month, more than enough time to add another layer of protection:

Despite the relatively small fee, our analysis of mLNK showed that its creators managed to generate at least $11,000 in revenue, while enabling nearly 230 customers to make their payloads less detectable in less than a year.

Marketing Efforts

mLNK was promoted in the Discord channel alongside other products that were developed by “NativeOne Exploits”, including tools that convert malicious attachments to  IMG or ISO files, allowing them to bypass e-mail protections:

However, the marketing efforts were not restricted to the specific Discord channel. The products were also promoted in various hacking forums by a user with the same  “Ren and Stimpy” avatar, as well as by a user called “Qismon:”

Interestingly, in June 2018, the same users were observed querying other forum members for technical information:

Answers to these questions, for example about converting .NET executables to native ones, later led to the development and release of new products that the mLNK authors sold on their website:

Similarly, some of the features in the mLNK Shortcut Builder itself, like the Windows 10 UAC bypass, were ones that the authors inquired about earlier:

The threads about mLNK in online forums gave away some information about the authors. For example we noticed that they mentioned the CCC (Chaos Computer Club) Jabber server, jabber.ccc[.]de, in their contact details:

Moreover, the demo video for the mLNK Shortcut Builder shows that the authors’ operating system is in German:

Getting the mLNK Builder

A post shared by an anonymous user on Discord included the order confirmation received after purchasing mLNK:

Accessing native-one[.]com:8020/token shows a registration page asking the user to set up credentials and enter the token received in the above e-mail:

Surprisingly, after entering information in all the fields and pressing the “Register” button, an executable approximately 10KB in size is immediately downloaded. Opening the downloaded executable in a disassembler shows that it starts by running a PowerShell script:

The executed PowerShell script downloads a file from native-one[.]com:8020/client_auth. Then, it decodes this file using base64 and decrypts it using AES256:

The end result of this is another PowerShell script, which was version 2.2 of the mLNK Shortcut Builder:

mLNK Version 2.2

The builder starts by checking the following registry key to determine if it was previously executed on the same system:

“HKCU\Control Panel\Video\Drivers\Microsoft\Core”

If this is the builder’s first run, it creates this registry key and sets the “Driver” value to “0”. Afterwards, the Terms of Service window is displayed:

Interestingly enough, the terms of service claim that the mLNK Shortcut Builder is a legitimate service used “for educational purposes” only. However, the feedback shows a different picture, with some users claiming that they managed to infect their victims with the help of mLNK:

After accepting the terms, the main mLNK Builder window appears, where the user can enter the payload’s URL, the displayed icon of the LNK, and the features to include:

While it is not really common to come across a GUI application written with the help of PowerShell, the authors of the mLNK builder expressed their enthusiasm for this scripting language on more than one occasion in an online forum:

Whenever a payload is built using mLNK, its filename, hash (SHA256), and the system hardware ID are POSTed to the address hxxp://193.37.212[.]15:8020/hash_add with the User-Agent ‘ERSW6XIZWGR2JXX7MR1PWHX6OVRF9KCO’.

This was probably so the builder’s authors could track the customers’ payloads and view their names and hashes, but the mechanism did not work as intended. When analyzing mLNK, the IP address 193.37.212[.]15 did not accept any connections. Therefore, its presence in the code is strange, and it seems as if the authors forgot to update this value.

Payload Methods

Before creating the LNK, the user’s file (EXE, DLL, JS, VBS) can be converted to a PowerShell, MSHTA, or RegSVR32 payload. The MSHTA payload is an HTML page with a VisualBasic script:

If the customer has a public mLNK license, the VisualBasic script simply runs a PowerShell command that downloads the original payload from a provided URL and executes it. If a private license is used, the PowerShell command is stored in hexadecimal values:

In the case of a custom license, the same command is stored as a binary encoded string:

More protective layers are added when private and custom licenses are used. For example, all of the URLs in the VisualBasic script are encoded using base64, and a “System” attribute can be added to the payload in addition to the “Hidden” one.

As for the RegSVR32 payload, the outcome is an SCT (Script Component) file with an XML extension and embedded JavaScript, which has the following format:

The JavaScript decodes a PowerShell command and runs it. Similar to the MSHTA payload, the code is encoded using hexadecimal or binary values if private or customer licenses are used:

UAC Bypass

One of the available features in the mLNK builder is UAC Bypass:

 

Depending on the Windows version, there are two techniques that are used by the builder :

  • Event Viewer technique
  • Fodhelper technique

If the Windows OS version is earlier than Windows 10, the Event Viewer technique is used, where the payload’s path is written to the “Default” value of the HKCU\Software\Classes\mscfile\shell\open\command registry key:

The EventViewer tool is then started. When EventViewer is launched, it spawns the assigned default application for the “mscfile” type, which in this case is the payload:

This allows the payload to bypass UAC and run with high privileges. More about this technique can be found here.

The Fodhelper technique is used in Windows 10 or newer versions. The payload’s path is set as the “Default” value in the HKCU\Software\Classes\ms-settings\Shell\Open\command registry key. Similar to the previous technique, when Fodhelper is launched, the payload is executed and the UAC bypass is triggered. More information about this technique can also be found here.

Conclusion

The mLNK Shortcut Builder shows how well-known and off-the-shelf payloads that are usually removed immediately by Windows Defender or stopped from running by UAC can bypass those protections and infect a victim easily.

Check Point SandBlast successfully intercepts those attacks and is able to block all of the malicious techniques described in this report.

SandBlast Protection:

  • win.ps.strmnplt.c