Internet Shortcut (.url) file in a Nutshell

A .url file, also known as an Internet Shortcut, is a text-based file format used by Windows to store a hyperlink or URL (Uniform Resource Locator) that points to a web page or a network resource. These files are typically created by web browsers or users to easily access websites directly from their desktop or a folder. The .url file contains metadata about the target URL, such as its title, icon, and the actual link itself.

Creation of a .url file

A .url file is generally created in the following ways:

• Manual Creation: A user can manually create a .url file by dragging a website's icon from the browser's address bar onto their desktop or into a folder.
• Automatic Creation by Applications: Web browsers, email clients, or any application that provides a way to save shortcuts can generate .url files.
• Programmatically via Scripting: .url files can also be created programmatically using scripts in languages like PowerShell, VBScript, or Batch. For example, a .url file can be created using a PowerShell script as follows:

$shortcut = "[InternetShortcut]`nURL=http://example.com"
Set-Content -Path "C:\Users\User\Desktop\example.url" -Value $shortcut

Purpose of a .url file

The primary purpose of a .url file is to provide a quick way to access a website or a network location. These files serve several use cases:

• Bookmarking: Users can create .url files as bookmarks to frequently visited websites or important web resources.
• Shortcut Distribution: Organizations may use .url files to distribute links to internal resources or web applications.
• Automation: Scripts or applications can use .url files to automate navigation to specific web pages or network locations.

Malicious vs. Non-Malicious Use of .url Files

• Non-Malicious Use: As described, .url files are typically used to create shortcuts to web pages for convenience. This is their legitimate use case.
• Malicious Use: Attackers can leverage .url files for malicious purposes. For example, they can craft .url files that point to malicious websites that host malware, phishing sites, or drive-by-download exploits. In addition, .url files can contain properties (like the IconFile property) that point to a malicious executable or script. If the .url file is opened, Windows may fetch the icon from a remote server, which can be abused to leak information or trigger malicious behavior.

File Structure of a .url File

A .url file is a simple text file with a .url extension, typically structured as follows:

[InternetShortcut]
URL=http://example.com
IconFile=http://malicious-site.com/icon.ico
IconIndex=0

• URL: The actual URL to be opened.
• IconFile: The path to the icon file. This can be a local or remote path.
• IconIndex: An index specifying which icon to use if multiple are present.

How Windows Processes a .url File

When a .url file is opened, Windows handles it through several steps:

1. File Association and Shell Execution

• Windows associates the .url file extension with the Internet Shortcut handler in the Windows Shell (Explorer).
• The shell reads the contents of the .url file using the ReadFile system call and interprets the [InternetShortcut] section.
• It parses the URL and any other metadata properties such as IconFile.

2. ShellExecuteEx API Call

• Windows uses the ShellExecuteEx API function to process the URL.
• This API call triggers the default web browser (as configured in the system) to handle the URL by passing it as an argument to the browser executable.
• If an IconFile is specified, Windows may fetch the icon from the local or remote path.

3. System Calls and APIs Involved

• CreateFile / OpenFile: Windows first opens the .url file to read its content.
• ReadFile: Reads the contents of the .url file to parse the [InternetShortcut] section.
• RegOpenKeyEx / RegQueryValueEx: Windows may query the registry to check for the default program associated with the URL protocol to determine the appropriate handler (usually a web browser).
• ShellExecuteEx: Executes the URL handler (web browser) with the URL as a parameter.

SHELLEXECUTEINFO sei = { sizeof(sei) };
sei.lpVerb = "open";
sei.lpFile = "C:\\Path\\To\\Shortcut.url";
sei.nShow = SW_SHOWNORMAL;
ShellExecuteEx(&sei);

4. Network Calls

• If the .url file has a remote IconFile property, Windows will make a network call (using Winsock or similar network stack API) to fetch the icon from the specified URL.
• This network call can be intercepted or manipulated by attackers to exploit vulnerabilities.

APIs, Syscalls, and Other System Behavior in Handling .url Files

1. ShellExecuteEx API Call: Primary API used by Windows to execute the target URL in a web browser. It sets up the execution context, checks for security policies, and delegates the handling of the URL to the default web browser.
2. ReadFile and CreateFile System Calls: These calls handle reading the contents of the .url file to extract necessary information such as the target URL.
3. NtOpenFile, NtReadFile, NtQueryInformationFile Syscalls: Low-level NT system calls that underlie the higher-level CreateFile and ReadFile operations, interacting with the NTFS file system to access file content.
4. Registry API (RegOpenKeyEx, RegQueryValueEx): Used to query system settings or user preferences for the default web browser and security settings associated with URLs.
5. Networking Stack (Winsock, HTTP(S) Requests): If the .url file refers to a remote icon (IconFile property), the Windows networking stack handles the request to fetch the icon from the specified server.

Security Implications and Considerations

• Malicious URL Files: Attackers can create .url files that point to malicious websites. These sites may host malware or exploit kits. Users might unwittingly execute these .url files by clicking on them.
• Phishing: .url files can be used in phishing campaigns to link to credential-harvesting sites.
• Drive-by Downloads: .url files pointing to malicious sites may lead to drive-by download attacks, where malware is automatically downloaded and potentially executed on the user's system.
• Remote Code Execution: If the .url file includes a reference to a malicious executable disguised as an icon, or exploits a bug in the handler of the IconFile property, it could result in arbitrary code execution.

Real-World Attack Involving a .url File

Case Study: Emotet Malware Campaign Using .url Files (2021)

The Emotet malware, which is a modular banking Trojan that has been used as a dropper for other malware like TrickBot and Ryuk ransomware, employed .url files in one of its phishing campaigns. Here's a detailed breakdown of how .url files were used maliciously in this context:

1. Phishing Email Distribution: Attackers sent out a wave of phishing emails containing seemingly benign .url files as attachments or embedded in archive files (like .zip). These emails were often crafted to look legitimate, using social engineering tactics such as pretending to be from known contacts, companies, or services.
2. Contents of the Malicious .url File: The .url file attached to these emails contained a link pointing to a remote server controlled by the attackers.
3. Execution and User Interaction: When a user opened the .url file (believing it to be a legitimate document or link), the OS would read the file and use the ShellExecuteEx API to open the URL in the default web browser. This would lead to the user’s browser navigating to the malicious-site.com URL, which hosted a malicious script or file.
4. Malware Delivery: Once the URL was accessed, the browser could be directed to download a malicious executable or a macro-enabled document (such as a .doc or .xls file). If the user downloaded and executed this file, the Emotet malware would be installed on the victim’s machine.
5. Propagation and Secondary Payloads: After initial infection, Emotet could propagate through the network and download additional payloads like TrickBot, Ryuk, or Cobalt Strike beacons. This layered approach allowed attackers to use the .url file as the initial entry point in a multi-stage attack chain.

Analyzing .url Files Manually

1. Open the .url File in a Text Editor: Since .url files are plain text, open them with a text editor (like Notepad or Notepad++) to examine their content. Look for suspicious or unexpected URLs, particularly ones pointing to unknown or untrusted domains.
2. Check for Suspicious Properties:
   URL Property: Examine the URL closely. Be wary of typosquatting domains, URLs with unusual characters, or those pointing to IP addresses instead of domain names.
   IconFile Property: This is a common vector for malicious activity. If it points to a remote resource, it could trigger additional network activity. Cross-check the domain for known indicators of compromise (IOCs) or use a URL reputation service.
3. Inspect File Metadata and Alternate Data Streams (ADS): Check the file properties and metadata for any unusual information, such as a mismatch between the file’s creation time and the user’s activity. Use tools like streams.exe or dir /r in Windows to check for hidden ADS, which may contain additional malicious payloads or commands.
4. Use a Hex Editor to Review the Raw File Contents: Examine the file with a hex editor to identify any obfuscated or hidden content, particularly if the .url file appears unusually large for its expected content.

Analyzing Network Activity Triggered by .url Files

1. Monitor DNS Queries and HTTP/HTTPS Requests: Use network monitoring tools like Wireshark or tcpdump to analyze any network traffic generated when the .url file is executed. Pay attention to DNS queries and HTTP/HTTPS requests that could indicate an attempt to reach a malicious server.
2. Use a Web Proxy for Inspection: A web proxy (like Burp Suite or Fiddler) can capture and analyze all HTTP/HTTPS traffic. This is useful for examining the payloads delivered by the malicious site and the behavior of any scripts or files downloaded.
3. Check for Digital Signatures and MOTW: Examine the file for digital signatures or Mark-of-the-Web (MOTW) attributes. Files with MOTW attributes indicate that they were downloaded from an external or potentially unsafe source.

Analyzing .url Files Using System-Based Tools

1. Antivirus and Endpoint Detection and Response (EDR) Tools: Use antivirus software and EDR solutions to detect .url files that match known malicious patterns or signatures. Many EDR tools can also alert on suspicious file executions and anomalous network activity.
2. Sandbox Analysis: Submit the .url file to a sandbox environment (such as Cuckoo Sandbox, Hybrid Analysis, or any enterprise-grade sandbox solution) to safely execute the file and observe its behavior. Sandboxes provide detailed reports on file behavior, network activity, system changes, and potential indicators of compromise.
3. Static Analysis Tools: Tools like YARA or CyberChef can be used to create and apply custom rules for detecting malicious characteristics in .url files (such as specific domains or properties).
4. Sysinternals Tools:
   Process Monitor (ProcMon): Monitor real-time file system, registry, and network activity generated by .url file execution. Use filters to isolate events related to the opening or execution of .url files.
   Autoruns: Check for .url files registered to run at startup or in other autorun locations.
5. Network Forensics Tools: Tools like Zeek (formerly Bro) or Suricata can be configured to detect traffic patterns that match known malicious URLs or command-and-control (C2) domains associated with .url file activity.
6. PowerShell or Python Scripts for Bulk Analysis: Develop scripts to automatically parse and extract URLs and other metadata from .url files. This is useful for analyzing large sets of files quickly.
   For example, a PowerShell script can read the .url files and output their properties:

Get-ChildItem -Path "C:\Path\To\Files\" -Filter "*.url" | ForEach-Object {
    $content = Get-Content $_.FullName
    if ($content -match "URL=(.*)") {
        Write-Output "File: $($_.Name) - URL: $($matches[1])"
    }
}

Defensive Measures Against Malicious .url Files

1. Block .url Files at the Email Gateway: Configure email filters to block or flag emails containing .url file attachments, especially if they originate from unknown or suspicious sources.
2. Group Policy Restrictions: Use Group Policy Objects (GPO) to prevent .url files from being executed or to restrict their execution to certain trusted directories.
3. Network Isolation and Segmentation: Implement network segmentation to limit the spread of potential malware and restrict access to critical assets from user workstations.
4. URL Filtering and Blocking: Use web filters or firewalls to block known malicious URLs or suspicious domains that are often linked in .url files.
5. User Education and Awareness: Educate users about the dangers of opening unexpected attachments, even those that appear benign, like .url files.

#InternetShortcut #WindowsInternals #Analysis