A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially crafted SCF shortcut files, DefenseCode researchers have found.
What’s more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim’s username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.