Malware researchers have noticed a new tool that helps cybercriminals build malicious .LNK files to deliver payloads for the initial stages of an attack.
Some of the prevalent malware families using .lnk files for their payload delivery of late are:
Quantum offers UAC bypass, Windows SmartScreen bypass, the ability to load multiple payloads in a single LNK file, post-execution hiding, and startup or delayed execution. The .lnk builder embeds the generated .hta payload and creates a new .lnk file. The builder offers a choice of icons while building the .lnk file. The figure below shows the Quantum .lnk builder.
The file used in the campaign is “Password.txt.lnk”, which appears to be a text file containing the password for a protected PDF document.
The PowerShell script that executes upon opening the LNK file is very similar to scripts used by Lazarus in recent campaigns.
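As an added defender-side example (not code from the original post or from the Quantum tool), the script below parses the StringData section of a ShellLink (.lnk) file and flags the traits described above: a double extension such as Password.txt.lnk, an icon borrowed from a document viewer, and a PowerShell or mshta target that carries an .hta payload. The build_sample helper, the sample shortcut it produces and the indicator lists are constructed assumptions for illustration.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (DWORD at offset 20)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo and return the StringData fields."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, fields = (2 if flags & IS_UNICODE else 1), {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                         # CountCharacters, then the string itself
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def triage(filename: str, fields: dict) -> list:
    """Reasons a shortcut fits the loader pattern: document disguise plus a script-host target."""
    reasons, base = [], filename.lower()
    if base.endswith(".lnk") and base[:-4].rsplit(".", 1)[-1] in ("txt", "pdf", "doc", "docx", "jpg"):
        reasons.append("double extension masquerading as a document")
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if any(host in launch for host in SCRIPT_HOSTS):
        reasons.append("target is a script interpreter or LOLBin")
    if ".hta" in launch or "hidden" in launch or "-enc" in launch:
        reasons.append("HTA payload or hidden/encoded command line")
    if fields.get("icon_location", "").lower().endswith(("notepad.exe", ".txt", ".pdf")):
        reasons.append("icon borrowed from a document viewer")
    return reasons

def build_sample(path: str, args: str, icon: str) -> bytes:
    """Constructed test fixture: header plus Unicode StringData only (no IDList or LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = b"L\x00\x00\x00" + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (path, args, icon))
    return header + body

SAMPLE = build_sample(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # constructed lure
                      r'-w hidden -c "mshta C:\Users\Public\stage.hta"', r"%SystemRoot%\System32\notepad.exe")
```

Running `triage("Password.txt.lnk", parse_lnk(SAMPLE))` returns all four reasons, while a shortcut whose relative path points at an ordinary application returns none.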
Tools like Quantum accelerate this adoption trend and make LNK files an even more enticing choice for cybercriminals.
Users are advised to remain vigilant and scan all files they receive via email with an antivirus tool before executing them.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Indicators of Compromise (IoCs)
The following recommendations apply:
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Verify the source of files before executing them.
- Turn on automatic software updates.