Reader For .lnk File


LNK files (also known as labels, or Windows shortcut files) are typically created automatically by the Windows OS whenever a user opens a file. The operating system uses them to provide quick access to a particular file. In addition, users can create such files themselves to make their work easier.


Fig.1. Windows Desktop Shortcuts

Location

Normally, most LNK files are located at the following paths:

  • For Windows 7 to 10: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
  • For Windows XP: C:\Documents and Settings\%USERNAME%\Recent


However, there are many other places where investigators can find LNK files:

  • On the desktop (such shortcuts are usually created by users to secure quick access to documents and apps)
  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent (for Microsoft Office documents on Windows 7 to 10)
  • C:\Users\%USERNAME%\Downloads (Sometimes users send shortcuts via e-mail to other users instead of the documents themselves, and the recipients download those shortcuts. Again, this is for Windows 7 to 10)
  • Startup folder
  • Etc.

Fig.2. Shortcuts Found in the Recent Folder as shown by Belkasoft Evidence Center

Contents of Shortcuts

Before Microsoft published the information about the format of LNK files, researchers had tried to describe the format themselves. The difficulty of such research is that different shortcuts contain different data. Correspondingly, when you analyze one shortcut type, the contents and amount of data may differ from those of another shortcut type. Besides, Windows 10 introduces new fields that cannot be found in earlier versions.

So, what kind of information does a LNK file contain? Belkasoft Evidence Center digital forensic software displays the following three sections with data related to a LNK file: 'Metadata', 'Origin', and 'File'.


Fig.3. 'Metadata' Section Contains Multiple Details About a Target File

The most important data displayed by the 'Metadata' Section include:

  • Source path of a file and its time tags (Full path, Target file access time (UTC), Target file creation time (UTC), Target file modification time (UTC))
  • Drive type
  • Volume serial number (Drive serial number)
  • Volume label
  • NetBIOS name
  • Target file size (bytes), i.e. the size of the file with which the shortcut is associated

As you can see, such fields as 'Droid file' and 'Birth droid file' can be found. DROID (Digital Record Object Identification) is the individual profile of a file. This structure (i.e. that of a droid file) can be used by the Link Tracking Service in order to determine whether the file has been copied or moved.


Fig.4. 'Origin' Section Tells Where Selected Artifact Was Extracted From

Fig.5. 'File' Section Shows File System Metadata of a LNK File

In the 'File' section you can see the MAC address of the device on which this shortcut was created. This information may help you identify the device on which the LNK file was created.

While conducting an investigation, one should pay attention to the time tags of a LNK file. The reason is that, as a rule, the creation time corresponds either to the time the file was created by a user or to the time of the first file access event associated with the shortcut. As for the modification time, it normally corresponds to the last file access event associated with the shortcut.

File Recovery

If one examines the 'Recent' folder described above, up to 149 LNK files will be found there. What should be done if the shortcut we need has been deleted? The answer is simple: it should be recovered. Recovery of LNK files can be carried out by carving on the file header signature, hex: 4C 00 00 00.

In order to specify the file header, start from the program menu: 'Tools' > 'Options'. Then open the 'Carving' tab and click the 'Add' button to create a new signature. You can learn about the carving methods of Belkasoft Evidence Center in greater detail in the article 'Carving and its Implementations in Digital Forensics'.


Fig.6. Adding a Custom Signature (Header)

Using LNK Files with Information Security Incidents

Compromising an Attacked System

Over 90% of malware is distributed via e-mails. Normally, malware e-mails contain either a link to a network resource or a specifically designed document. If such a document is opened, malware will be downloaded to a machine.

Likewise, LNK files are used in hacking attacks.


Fig.7. 'Metadata' Section Associated with a Malicious LNK file

The general rule is that such a LNK file contains PowerShell code that is executed when a user opens the shortcut previously sent to them. As you can see in Fig.7, such shortcuts can be easily detected with Belkasoft Evidence Center: the metadata contains a path to the executable powershell.exe. In the 'Arguments' field, there are the arguments of a PowerShell command and an encrypted 'payload'.

Embedding in a Compromised System

One of the methods of using LNK files is to embed them in a compromised system. In order to activate malware whenever the machine is turned on, the following trick can be used: a LNK file pointing to the malicious executable (for example, to the file containing the loader code) is created and placed at the following path: C:\Users\%User profile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

In this case, as soon as a machine is launched, the malware will be activated as well. Such shortcuts can be found in the 'File system' tab of Belkasoft Evidence Center.


Fig.8. 'PhonerLite.lnk' Shortcut in Startup

Conclusion

LNK files are Windows system files that are important in digital forensic and incident response investigations. They may be created automatically by Windows or manually by a user. With the help of these files you can prove the execution of a program, the opening of a document, or the launch of malicious code.

Belkasoft Evidence Center can help you locate existing LNK files, recover deleted ones, and analyze their contents.

See also

Malware

We have seen an increase in attacks that leverage malicious LNK files that use legitimate apps—like PowerShell—to download malware or other malicious files.

Update as of May 30, 2017, 5:00 AM CDT to update the date referencing Trojan downloaders that used .zip files within .zip files from '2016' to '2017'.

PowerShell is a versatile command-line and shell scripting language from Microsoft that can integrate and interact with a wide array of technologies. It runs discreetly in the background, and can be used to obtain system information without an executable file. All told, it makes an attractive tool for threat actors. There were a few notable instances where cybercriminals abused PowerShell: in March 2016 with the PowerWare ransomware, and in a new Fareit malware variant in April 2016. Because this seemed to be an upward trend, security administrators became more familiar with how to prevent PowerShell scripts from doing any damage.

However, cybercriminals are staying ahead of the curve by using alternative means of executing PowerShell script—Windows LNK (LNK) extensions. LNK files are usually seen by users as shortcuts, and used in places like the Desktop and Start Menu. LNK was actually already used as an attack vector as early as 2013. And in early 2017, we noted how Trojan downloaders used a .zip within a .zip to disguise a LNK file attachment that led to the Locky ransomware.

Now, we’re seeing an increase in attacks that leverage malicious LNK files that use legitimate apps—like PowerShell—to download malware or other malicious files. To illustrate how the trend of using LNK files is rising, note how one single LNK malware (identified by Trend Micro as LNK_DLOADR.*) has had a significant jump in detections since January 2017. The steep rise shows how popular this method is becoming:

Figure 1. Detected LNK_DLOADR over a 4 month period

Recent LNK-PowerShell and ChChes attacks

In October 2016 we saw attackers using the combination of LNK, PowerShell, and the BKDR_ChChes malware in targeted attacks against Japanese government agencies and academics. The attack used a fake .jpg extension to camouflage the malicious PowerShell file.

Figure 2. Attack used to compromise Japanese targets in October 2016

In January 2017 we spotted the group APT10 (also called MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX) using a similar attack for a wide-spread spear phishing campaign. In this version, the LNK file executes CMD.exe, which in turn downloads a fake .jpg file hiding the malicious PowerShell script.

The group has continued to evolve their cyberespionage activities, and in April 2017 they used a similar strategy to also download BKDR_ChChes, which is a popular malware used in targeted attacks.

New LNK-PowerShell attacks

We identified one campaign, likely still ongoing, that has a new and complicated LNK strategy. These attackers seem to be using several layers of built-in Windows command-line tools. They send a phishing email with lures that push the victim to “double click for content”, typically a DOCX or RTF file embedded with a malicious LNK. Instead of directly executing PowerShell, the LNK file executes MSHTA.exe (a file used for opening HTML applications), which executes JavaScript or VBScript code that in turn downloads and executes the PowerShell script. The PowerShell script then executes a reverse shell (like Metasploit or Cobalt Strike) to complete the compromise.

Figure 3. Complex LNK attack leveraging MSHTA.exe files

Last month we identified another spear phishing campaign also using a combination of LNK and PowerShell. Unfortunately, the Command and Control (C&C) server where the main payload was stored is no longer accessible.

Their strategy seems to have fewer layers: the LNK file is embedded in a document file and if a user double clicks to open the message, it executes a PowerShell file (or a similar Windows command line tool) to download another script. The other script then downloads the main payload.

Figure 4. A less complicated LNK-PowerShell attack

We believe this specific attack may be politically motivated due to the economic and controversial subject of the decoy document. However, a full analysis is tricky because the trail ends when one of the C&C servers dies. Without the full picture, it is difficult to associate this type of attack to known campaigns.

Hidden LNK commands

In many cases, these malicious LNK files can reveal valuable information about the attacker’s development environment. To help get this information, a quick analysis is possible by viewing the properties of the file.

However, we are encountering cases where the command line argument is so long that it is no longer fully visible in the Properties > Shortcut window. When viewed, only the target application (CMD.exe, MSHTA.exe, and other non-malicious command line applications) is seen.

Figure 5. Only the target application is visible

Our tests revealed that the maximum length for Shortcut > Properties > Target is only 260 characters. Anything longer than that will not be visible. However, the maximum length for a command line argument is 4096 characters.

The attacker actually pads several spaces or newline characters before the malicious argument. Using a parser tool reveals that it is much longer (figure 6), though it still works normally:

Figure 6. Padded file hiding malicious code

Attackers take advantage of this to try and disguise or hide the malicious portion of the code. This padding strategy may prevent a quick analysis of a LNK file, but any LNK parser can still extract the arguments without any problem.
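As an added example (not code from either the Belkasoft or Trend Micro articles), the following Python parser ties together the carving signature from the File Recovery section and the padded-argument trick described above: it locates ShellLink headers in a raw buffer using the full 20-byte header (HeaderSize plus the ShellLink CLSID defined in MS-SHLLINK, which avoids the false positives of the bare 4C 00 00 00), walks the optional structures to the StringData fields, and reports how much leading padding precedes the real command. The function names and the in-memory sample shortcut are constructed for this example.

```python
import struct

# ShellLinkHeader = HeaderSize 0x4C + ShellLink CLSID 00021401-0000-0000-C000-000000000046
# (MS-SHLLINK); carving on the full 20 bytes avoids the false positives of a bare 4C 00 00 00.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]  # LinkFlags bits, on-disk order

def find_lnk_headers(blob: bytes) -> list:
    """Offsets of candidate LNK files in a raw buffer (carving signature)."""
    hits, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(LNK_MAGIC, pos + 1)
    return hits

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # fixed header size
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields

def argument_findings(args: str, visible_limit: int = 260) -> dict:
    """Flag padding that pushes the real command past what the Properties dialog shows."""
    leading = len(args) - len(args.lstrip(" \t\r\n"))
    return {"length": len(args), "leading_padding": leading,
            "hidden_from_properties": len(args) > visible_limit, "command": args.strip()}

def build_lnk(arguments: str) -> bytes:
    """Constructed minimal shortcut: header plus a UTF-16LE COMMAND_LINE_ARGUMENTS only."""
    header = bytearray(LNK_MAGIC) + bytes(0x4C - 20)
    struct.pack_into("<I", header, 20, 0x20 | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run over the .lnk files in the Recent or Startup folders listed earlier, `parse_lnk_strings` gives triage the full argument string regardless of how much whitespace precedes it.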

Recommendations and best practices

Malware developers continue to upgrade their tools and look for different ways to deliver their malicious payloads. Leveraging these LNK files is another strategy, but there are ways to prevent and mitigate these threats:

  • Upgrading PowerShell to version 5, which is available as part of the Windows Management Framework and included on Windows 10, is recommended. Using Group Policy to turn on logging makes it easier to check for breaches.
  • Users and enterprises alike should be wary of executable files received through email. Most files ending in *.EXE are auto-rejected on an email server, but if security is a concern then administrators should consider adding *.LNK to the list.
  • It is similarly not advisable to open any LNK file received via email (or from anywhere outside your machine).

To identify if it is a LNK file or not:


  1. If inside an archive (e.g. WinRAR, WinZip), the LNK extension is clearly visible, as well as the “Type” (it says “Shortcut”).
  2. For any Windows folder, you have to modify the registry if you want LNK files to be displayed. A small overlay arrow icon pointing to the upper right is one of the identifiers of a LNK file. Another way to do this: switch the Windows folder to “Details View”, then check the “Type”.
  3. For LNK embedded in Word documents, users have to be aware of these types of attacks to know what to look for. The bottom line is: never open these kinds of documents without verifying the source. If your organization does not need any packager objects, then there is a way to disable the feature totally by editing the registry.

Trend Micro™ Smart Protection with Maximum XGen™ security infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across user activity and any endpoint—the broadest possible protection against advanced attacks.


Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats, even without any engine or pattern update.