Hackers Deliver Weaponized LNK Files Through Legitimate Websites
LNK files are Windows shortcut files that link to a program or file. Attackers can abuse LNK files to deliver malicious payloads by disguising them as legitimate shortcuts, taking advantage of users who click on them without suspicion and thereby executing malicious code.
Over the years, malware distribution methods have evolved and become more sophisticated. Recent analysis shows that cybercriminals no longer rely solely on Microsoft Office documents to distribute malware.
Instead, there has been a significant increase in the use of Windows Help files (*.chm) and LNK files, which have become the preferred medium for delivering malware.
Recently, cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC) discovered a malware strain that tricks users into launching it by disguising itself under a variety of file names and propagating through compromised legitimate websites.
Distributed File Names
The distributed file names observed are listed below:
- Pomerium Venture Connected Inquiry Files.txt.lnk
- Files Regarding Application for Adjustments Earlier than the 2023 Iris Agreement.txt.lnk
- Suyeon Oh Observation Files.txt.lnk
- On Inquiry Confirmation.txt.lnk
- Deep Mind AI Interview Manual.txt.lnk
- Recruitment Connected Records.txt.lnk
Weaponized LNK Files
The malware spreads via compressed archives carrying the same names, urging users to download and run them. The attackers compromise legitimate websites to host the downloads and favor non-PE files because they are easy to modify.
To stay protected, users need EDR with behavior-based logging and detection, because the threat hides on websites that otherwise operate normally.
Once decompressed, the downloaded archive yields a disguised .txt.lnk file with a Notepad icon that contains:
- A script
- A CAB file
The LNK file launches the HTML script via mshta, which in turn executes an obfuscated VBS script. The mshta command from the LNK and the decrypted VBS commands inside the HTML run sequentially.
The key actions are PowerShell reading the LNK file itself, dropping the CAB file embedded in it, and executing it via the expand process. Detection focuses on the expand process decompressing the dropped CAB file.
The decompressed CAB contains scripts with the following malicious components:
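The chain above hinges on two static properties of the shortcut itself: a CAB archive appended to the .lnk and an mshta command inside it. The following triage script is an added example for defenders, not tooling from ASEC or the article; it checks a .lnk blob for a valid ShellLink header, searches for the watched binaries as ASCII or UTF-16LE strings, and locates an embedded CAB by its MSCF magic, validating the declared cabinet size against what is actually present. Both sample blobs are constructed inline and are not real samples.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLink CLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
CAB_MAGIC = b"MSCF"
# Binaries the described chain abuses: mshta runs the HTML script, PowerShell
# carves the CAB out of the LNK, expand unpacks it, certutil decodes downloads.
WATCHED_BINARIES = ("mshta", "powershell", "expand", "certutil")

def contains_text(data: bytes, needle: str) -> bool:
    """True if `needle` appears as ASCII or UTF-16LE text, case-insensitively."""
    low = data.lower()  # only ASCII letters change, so UTF-16LE NULs survive
    return needle.encode() in low or needle.encode("utf-16-le") in low

def triage_lnk(data: bytes) -> dict:
    """Static triage of one .lnk blob; returns findings, not just a verdict."""
    result = {"is_lnk": False, "binaries": [], "cab_offset": None,
              "cab_size": None, "suspicious": False}
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        return result
    result["is_lnk"] = True
    result["binaries"] = [b for b in WATCHED_BINARIES if contains_text(data, b)]
    off = data.find(CAB_MAGIC, LNK_HEADER_SIZE)  # payload sits after the header
    if off != -1 and off + 12 <= len(data):
        declared = struct.unpack_from("<I", data, off + 8)[0]  # CFHEADER.cbCabinet
        if 36 <= declared <= len(data) - off:  # minimal CFHEADER that fits the file
            result["cab_offset"], result["cab_size"] = off, declared
    result["suspicious"] = result["cab_offset"] is not None or "mshta" in result["binaries"]
    return result

def _fake_lnk(tail: bytes) -> bytes:
    # Constructed sample: only HeaderSize and CLSID are meaningful, rest zeroed.
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header)) + tail

# Constructed 40-byte CFHEADER stub: magic, reserved1, cbCabinet=40, zero padding
FAKE_CAB = CAB_MAGIC + b"\x00" * 4 + struct.pack("<I", 40) + b"\x00" * 28
# Constructed decoy path; the real samples point at the attacker's HTML script
MALICIOUS_SAMPLE = _fake_lnk(
    "/c mshta.exe C:\\Users\\Public\\decoy.hta".encode("utf-16-le") + b"\x00" * 16 + FAKE_CAB)
BENIGN_SAMPLE = _fake_lnk("C:\\Windows\\System32\\notepad.exe".encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage_lnk(blob))
```

Run it against a directory of extracted .lnk files to produce a shortlist for EDR review; a shortcut whose bytes hold a whole cabinet is not something a legitimate Notepad shortcut needs.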
- Executes one other script
- Gathers machine data
- Registers in autorun
- Sends data
Further actions include downloading files, decoding them, and executing them via the command-line utility certutil, among other components.
Threat actors trick users into executing files under various names hosted on breached legitimate websites, which makes the malware downloads hard to detect.
Enable behavior detection in V3 endpoint anti-malware to block such distribution methods. If a system is already infected, check the key actions via EDR and take the necessary security measures to mitigate the threat.
IOCs
[Behavior Detection]
- Execution/MDP.Powershell.M2514
- Injection/EDR.Behavior.M3695
- Fileless/EDR.Powershell.M11335
[File Detection]
- Downloader/BAT.Agent.SC194060
- Infostealer/BAT.Agent.SC194061
[HASH]
- 04d9c782702add665a2a984dfa317d49
- 453e8a0d9b6ca73d58d4742ddb18a736
- 8f3dcf4056be4d7c8adbaf7072533a0a
- c2aee3f6017295410f1d92807fc4ea0d
Source credit: cybersecuritynews.com