Computer hackers have devised a new way to infect target hosts by using malicious Windows 10 shortcuts. This strategy is being used at large by numerous hacker groups and individual hackers as it is relatively easy to implement. The malicious Windows 10 shortcuts allow the criminals to perform arbitrary code execution.
Arbitrary Code Execution Possible via Malicious Windows 10 Shortcuts
Shortcuts are one of the core elements of every desktop environment and they serve a simple function: they point to the path of an application or file so that it can be opened more easily. The newest version of Microsoft Windows (10) has added a new file type that has been found to allow code execution. It is called .SettingsContent-ms and is used to create a special kind of shortcut that leads to a page of the Windows 10 Settings menu, which has replaced the “classic” Control Panel found in previous versions of the operating system.
Upon further analysis the files have been found to be XML documents containing a DeepLink tag, which specifies the on-disk location of the relevant settings page. A security researcher has discovered that this value can be replaced with the path of any executable file located on the local machine. It is also possible to chain several commands together so that they are executed in sequence.
Given the number of virus infections and other security incidents affecting individual users, government agencies and business networks, it is speculated that this could be one of the infection vectors in use.
There are two main cases that can be utilized by the criminals:
- Direct File Execution: the malicious Windows 10 shortcut is configured to start a certain program that is already present on the local machine.
- Code Execution: the hackers embed commands that launch the Command Prompt or PowerShell console and execute various commands.
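Because the DeepLink value is plain text inside an XML document, both abuses described above (a redirected program path and chained commands) can be checked for before a file is opened. The following triage routine is an added example written for this article, not code from the original research or from Microsoft; the allow-list of legitimate settings hosts and both sample files are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed allow-list (an assumption for this example): a genuine settings shortcut
# launches one of these hosts under %windir%\system32 or an ms-settings: URI.
SETTINGS_HOSTS = {r"%windir%\system32\control.exe", r"%windir%\system32\systemsettings.exe"}
CHAIN_CHARS = re.compile(r"[&|]")  # cmd.exe operators that chain several commands


def extract_deeplink(xml_text: str) -> Optional[str]:
    """Return the text of the first DeepLink element, or None if the file has none."""
    for el in ET.fromstring(xml_text).iter():
        # Match on the local name so the check does not depend on the exact schema URI.
        if el.tag.rsplit("}", 1)[-1] == "DeepLink":
            return (el.text or "").strip()
    return None


def triage_deeplink(link: Optional[str]) -> List[str]:
    """Return findings; an empty list means the DeepLink looks like a real settings page."""
    if not link:
        return ["no DeepLink element"]
    if link.lower().startswith("ms-settings:"):
        return []
    # The first (possibly quoted) token is the program that will run; the rest are its arguments.
    m = re.match(r'"([^"]+)"|(\S+)', link)
    program = (m.group(1) or m.group(2)).lower()
    args = link[m.end():]
    findings = []
    if program not in {h.lower() for h in SETTINGS_HOSTS}:
        findings.append(f"DeepLink launches a non-settings program: {program}")
    if CHAIN_CHARS.search(args):
        findings.append("DeepLink arguments chain several commands")
    return findings


def triage_file(xml_text: str) -> List[str]:
    return triage_deeplink(extract_deeplink(xml_text))


# Constructed samples (not real files): a legitimate-looking shortcut and one whose
# DeepLink has been redirected to cmd.exe with a harmless chained command.
BENIGN = """<PCSettings><SearchableContent><ApplicationInformation>
<DeepLink>%windir%\\system32\\control.exe /name Microsoft.DefaultPrograms</DeepLink>
</ApplicationInformation></SearchableContent></PCSettings>"""
SUSPECT = """<PCSettings><SearchableContent><ApplicationInformation>
<DeepLink>%windir%\\system32\\cmd.exe /c echo sample &amp; echo chained</DeepLink>
</ApplicationInformation></SearchableContent></PCSettings>"""
```

Note that a literal `&` must appear as `&amp;` in the XML, so the check has to run on the decoded element text rather than on the raw file bytes.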
The malicious Windows 10 shortcuts have also been found to bypass the built-in security feature of the operating system called ASR, which stands for Attack Surface Reduction. This is a collection of system rules used to prevent certain malicious behaviours from running.
Such shortcuts can be downloaded from the Internet and started automatically. Typical places where such strains can be found are hacker-controlled download pages and file-sharing networks such as BitTorrent. The other hacker tactic is embedding the malicious shortcut in documents: text files, presentations, spreadsheets or databases. Once the user interacts with the embedded object, the code is executed.
The security community reported that the vulnerability has been disclosed to Microsoft; however, the company has not considered the bug critical enough to be included in the Patch Tuesday updates.