Hidden command-line arguments
In a recent presentation, researcher Beukema unveiled a method for concealing malicious command-line arguments inside Windows shortcut (LNK) files that point at seemingly benign executables. The technique, which goes beyond the target spoofing he also covered, uses an LNK file to launch a trusted Windows binary while carrying attacker-controlled arguments that the shell does not display. This fits the "living-off-the-land binaries" (LOLBins) execution strategy: the shortcut never references malware directly, only a legitimate system binary and the arguments that make it do something harmful.
Beukema explained that the manipulation lives in specific fields of the LNK file's ExtraData section, the optional trailing blocks that carry additional metadata about the link. By setting the HasExpString bit in the header's LinkFlags and adding an EnvironmentVariableDataBlock whose TargetAnsi and TargetUnicode fields are filled entirely with null bytes, the researcher observed what he termed "unexpected" outcomes.
"First, it disables the target field, meaning the target field becomes read-only and cannot be selected," Beukema elaborated. "Secondly, it hides the command-line arguments; yet when the LNK is opened, it still passes them on." For anyone inspecting the shortcut's properties, the result is a greyed-out target and no visible arguments, while opening the shortcut still launches the trusted binary with the hidden arguments attached. This dual behaviour gives an attacker a way to start a harmless system component while covertly executing arbitrary commands, such as downloading payloads or executing scripts.
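Because the shell's own rendering of the shortcut is exactly what the technique subverts, triage should parse the raw LNK bytes rather than trust the Properties dialog. The following Python script is an added example, not code from Beukema or from the original article: it assembles a minimal shell link (a constructed sample, not a launchable shortcut, since it carries no LinkTargetIDList) with COMMAND_LINE_ARGUMENTS and an EnvironmentVariableDataBlock, then walks the header, StringData and ExtraData in the order MS-SHLLINK defines and flags the combination the article describes: HasExpString set, both target fields all-NUL, and arguments still present. Field offsets, flag bits and the 0xA0000001 block signature are from the public MS-SHLLINK specification; the function names and the sample argument strings are this example's own.

```python
import struct
from typing import Optional

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x00000001
HAS_LINK_INFO = 0x00000002
HAS_NAME = 0x00000004
HAS_RELATIVE_PATH = 0x00000008
HAS_WORKING_DIR = 0x00000010
HAS_ARGUMENTS = 0x00000020
HAS_ICON_LOCATION = 0x00000040
IS_UNICODE = 0x00000080
HAS_EXP_STRING = 0x00000200  # "an EnvironmentVariableDataBlock is present"

# EnvironmentVariableDataBlock (MS-SHLLINK 2.5.4): BlockSize + BlockSignature
# + TargetAnsi (260 bytes) + TargetUnicode (520 bytes)
ENV_BLOCK_SIGNATURE = 0xA0000001
ENV_BLOCK_SIZE = 0x314
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def build_lnk(arguments: str, env_target: Optional[str]) -> bytes:
    """Constructed sample: a minimal LNK with arguments and an env block.
    env_target=None leaves TargetAnsi/TargetUnicode all NUL, as in the article."""
    flags = HAS_ARGUMENTS | IS_UNICODE | HAS_EXP_STRING
    # ShellLinkHeader: size, CLSID, flags, attrs, 3 FILETIMEs, size, icon, show, hotkey, reserved
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    # StringData: only COMMAND_LINE_ARGUMENTS; CountCharacters + UTF-16LE, no terminator
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    ansi = b"" if env_target is None else env_target.encode("ascii")
    uni = b"" if env_target is None else env_target.encode("utf-16-le")
    env_block = (struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIGNATURE)
                 + ansi.ljust(260, b"\0") + uni.ljust(520, b"\0"))
    terminal = struct.pack("<I", 0)  # TerminalBlock: BlockSize < 4 ends ExtraData
    return header + string_data + env_block + terminal


def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:  # LinkInfoSize covers the whole structure
        (li_size,) = struct.unpack_from("<I", data, pos)
        pos += li_size
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    env_ansi = env_unicode = None  # None means no env block at all
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos)
        if size < 4:
            break
        (sig,) = struct.unpack_from("<I", data, pos + 4)
        if sig == ENV_BLOCK_SIGNATURE and size == ENV_BLOCK_SIZE:
            env_ansi = data[pos + 8:pos + 268].split(b"\0", 1)[0].decode("latin-1")
            env_unicode = data[pos + 268:pos + 788].decode("utf-16-le").split("\0", 1)[0]
        pos += size
    return {"flags": flags, "strings": strings,
            "env_target_ansi": env_ansi, "env_target_unicode": env_unicode}


def hidden_argument_check(data: bytes) -> list:
    """Return findings for the HasExpString + NUL-target + arguments pattern."""
    info = parse_lnk(data)
    findings = []
    if not info["flags"] & HAS_EXP_STRING:
        return findings
    if info["env_target_ansi"] is None:
        findings.append("HasExpString set but no EnvironmentVariableDataBlock")
    elif info["env_target_ansi"] == "" and info["env_target_unicode"] == "":
        findings.append("EnvironmentVariableDataBlock with all-NUL target fields")
        args = info["strings"].get("arguments", "")
        if args:
            findings.append("arguments present despite NUL env target: %r" % args)
    return findings


if __name__ == "__main__":
    for label, lnk in (("normal", build_lnk("/k echo hi", r"%SystemRoot%\system32\cmd.exe")),
                       ("suspect", build_lnk("/c echo hidden", None))):
        print(label, hidden_argument_check(lnk))
```

The parser deliberately reads the arguments from StringData itself and the target from the raw block, so the check does not depend on how Explorer renders either field. On a real sample the same walk applies; the only difference is that a genuine shortcut will usually also carry a LinkTargetIDList and LinkInfo, which the parser skips by their own size fields.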