There are some torrrents showing up with .lnk
extension (ex: movie.mp3.lnk, tvshow.mkv.lnk...) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).
These (fake) torrents include a .lnk
file that executes a script on your Windows
HOW TO exclude from download on qBittorrent.
-
Go to Options -> Downloads
-
Enable "Exclude file names"
-
Add patterns:
(one by line)
*.mp4.lnk
*.mp3.lnk
*.mkv.lnk
*.torrent.lnk
Or exclude all together: *.lnk
Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection
When I read the title, I was thinking of something sophisticated such as hidden executable streams inside the MKV container (IIRC, it's possible to append binary data other than audio, video or subtitles specifically inside a MKV). The ".lnk" trick only works in Windows and, even there, it's easy to prevent: Windows Explorer > Options > Advanced > find and check "Always show extensions for files" (i can't really remember the exact label for this option as I'm not a Windows user, but something like this will be there).
Exactly! Thanks! I couldn't point the exact label, I've been using Linux for years in a daily basis so I forgot most of the Windows shortcuts/options.
Even then, that setting doesn't unhide the ".lnk" file extension, that requires a registry edit: https://www.askvg.com/tip-how-to-show-file-extensions-of-shortcuts-lnk-url-pif-in-windows-explorer/
Although shortcuts are pretty easy to spot in the first place unless you just double-click things without paying attention lol
For those interested, John Hammond did a video a few months ago about
.lnk
extension (and other 16 hidden extensions on Windows).He doesn't go to much or to deep into the subject, but you get a general view how this could be exploitable.
How is the link file executing malware? Can you put any shell script as the target?
I am pretty sure a link file can open cmd/powershell with parameters to execute commands
yep! I've found out browsing hacking/spamming site and i've found something too good to be true, it downloaded archive nested inside other archive and in it was silngle .lnk file leading to "the resource". Peeking inside i've found powershell executing base64 (or base32?) encoded script (it's got commandline option for that. if you want to ask wtf ask microsoft, and tell me), it dl'd some exe from some site and ran it, site was down alredy.
You can put the script itself as the link. Shortcut to: powershell -command "Write-Host 'Gonna pwn your shit'"
Nice one OP. Just had sonar pick up one of these today named like a proper release of a trusted group. Sonarr didn't move it from qbit but better to not DL it in the first place even though its a linux box