Creating a Polyglot
Creating a .lnk file that will run some additional code (using .hta in this instance) as well as the original expected .exe a chrome browser in this example. First an attacker would create using notepad or a related app with a generic .hta file.
The main idea here is that in the target property of icon files there is a character limit. So running the code there is out of the question but, if adversaries can create a polyglot file to run both an .hta and .exe the user can be fooled into thinking nothing else is going on in the background.
Strangely enough when it comes to .lnk files when opened in an editor they are not affected nor do they react adversely when you add extra code to the bottom of a .lnk file. Essentially this gives us the space we need to create a polyglot and bypass the aforementioned character limit. The second critical piece of the Polyglot is going to have to be another file type that is quite lenient with regards to languages used and character limiting. That's where the .hta file comes into play.
At its core an .hta file is just html code that can be naturally rendered into windows user space. HTML doesn't mind at all if there may be extra code added to the end of a file; it will simply continue to execute that code if directed to do so properly. Specifically windows visual basic script and jscript, which is what in this instance we will be using to create the payload.
Embedding an .hta file within an .lnk icon we can essentially break that target property character limit. The adversary now has a working framework to create a malicious .lnk file.
Combining the .hta & .lnk to complete the malicious polyglot
This is the copying template to combine our two files into the malicious polyglot.(referred to as COPY from this point)
C:\\Users\JohnDoe\Desktop\>copy /b \path\to\icon.lnk+code.hta Chrome.lnk
This will result in the creation of v1 polyglot. Now we need to enable the .lnk polyglot we just created to run both the .hta and the intended program. In the target property the following would be added.
cmd /c mshta %CD% \Chrome.lnk
Weaponization of the polyglot
Now lets edit the .hta to test our polyglot :
<hta:application windowstate="minimize">
<script language ="VBScript">
MsgBox "We are running the HTA"
Close
</script>
Use COPY once again to integrate our new code.
Success! Next an adversary would use a program like metasploit to generate a reverse shell payload such as this :
This will result in a Base64 encoded reverse shell. This code would be added to the .hta file and then appending the following to the end of the file will result in the .lnk running the said reverse shell code as well as running the intended Chrome.exe. Thus tricking the user into believing all is well and chrome would continue to run totally normally as there is essentially not a single process but two separate process’ running the Chrome.exe & the .hta malicious payload. The polyglot gives us this functionality.
So pasting in the Base64 reverse shell code and appending :
←base64 code above→
Set shell = CreateObject("WScript.Shell")
shell.Run """C:\Program Files\Google\Applications\Chrome.exe""", 0, False
Close
</script>
Run COPY once again . . .
Now the adversary has a reverse shell & access into the system. This same method can be used for multiple malicious means whether it be malware delivery, persistence, ect. Fortutely this type of activity would alert Microsoft Defender in this case it was disabled to display the danger of this simple method to gain unauthorized access. This can be a great tool to illustrate to employees just how easy a person can make it by opening unknown attachments or seeing something as innocuous as a new looking or extra shortcut for applications they may use during day to day work.
