New Research Delves into the World of Malicious LNK Files and Hackers Behind Them

Jan 19, 2023 | Ravie Lakshmanan | Threat Intelligence / Malware

Cybercriminals are increasingly using malicious Windows shortcut (LNK) files as an initial access vector to download and execute payloads such as Bumblebee, IcedID, and Qakbot.

New research from Cisco Talos shows that the metadata Windows embeds in a shortcut when it is created can be used to identify relationships between different threat actors. The fields reveal the specific tools and techniques used by different groups of cybercriminals, and they expose potential links between seemingly unrelated attacks.

“With the increasing usage of LNK files in attack chains, it’s logical that threat actors have started developing and using tools to create such files,” Cisco Talos researcher Guilherme Venere said in a report shared with The Hacker News.

These include tools such as NativeOne's mLNK Builder and Quantum Builder, which let subscribers generate rogue shortcut files that evade security solutions.

Some of the major malware families that have used LNK files for initial access include Bumblebee, IcedID, and Qakbot, with Talos identifying connections between Bumblebee and IcedID as well as Bumblebee and Qakbot by examining the artifacts’ metadata.

Specifically, multiple LNK samples leading to IcedID and Qakbot infections, and others used in different Bumblebee campaigns, all share the same Drive Serial Number. That value is the serial number of the volume on which the shortcut was created; Windows stores it in the VolumeID structure inside the LinkInfo section of the file, so it persists as a fingerprint of the build machine unless the author deliberately scrubs it.
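The pivot Talos describes is straightforward to reproduce. The following is an added example (not code from the Talos report, from the builders named above, or from this article) that parses the fields from MS-SHLLINK, the public Shell Link format specification: the Drive Serial Number, drive type and volume label from the VolumeID structure, the local base path, the command-line arguments, and, going one step beyond the article, the NetBIOS MachineID and the MAC address carried in the version-1 GUID of the TrackerDataBlock, which are two further creation-host fingerprints the same file carries. The sample shortcuts are constructed in code by a small builder so the example runs offline; every serial, host name and MAC in them is invented and is not an indicator from the research.

```python
import struct
import uuid
from collections import defaultdict

# Constants from MS-SHLLINK (the public Shell Link binary format specification).
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
TRACKER_SIG = 0xA0000003
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def _cstr(buf: bytes) -> str:
    """Decode a NUL-terminated ANSI string."""
    return buf.split(b"\x00")[0].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Extract creation-host fingerprints from a raw .lnk: VolumeID serial/type/label,
    local base path, StringData fields, and the TrackerDataBlock MachineID plus the
    MAC address embedded in its file Droid GUID."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    meta = {k: None for k in ("drive_serial", "drive_type", "volume_label",
                              "local_base_path", "machine_id", "mac")}
    pos = 0x4C                                       # end of ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:              # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos                                     # LinkInfo offsets are relative to here
        li_size, _hdr, li_flags, vol_off, lbp_off, _cnrl, _cps = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                           # VolumeIDAndLocalBasePath
            vol = li + vol_off
            vol_size, dtype, serial, label_off = struct.unpack_from("<4I", data, vol)
            meta["drive_type"] = DRIVE_TYPES.get(dtype, f"0x{dtype:X}")
            meta["drive_serial"] = f"{serial:08X}"
            if label_off == 0x14:                    # Unicode label at VolumeLabelOffsetUnicode
                ulabel_off = struct.unpack_from("<I", data, vol + 16)[0]
                meta["volume_label"] = data[vol + ulabel_off:vol + vol_size].decode("utf-16-le").split("\x00")[0]
            else:
                meta["volume_label"] = _cstr(data[vol + label_off:vol + vol_size])
            meta["local_base_path"] = _cstr(data[li + lbp_off:li + li_size])
        pos = li + li_size
    for flag, name in STRING_FIELDS:                 # StringData: CountCharacters + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            meta[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    while pos + 8 <= len(data):                      # ExtraData blocks until TerminalBlock (size < 4)
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:
            break
        if sig == TRACKER_SIG and block_size >= 0x60:
            meta["machine_id"] = _cstr(data[pos + 16:pos + 32])
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            if file_droid.version == 1:              # v1 GUID: node field is the creating host's MAC
                meta["mac"] = ":".join(f"{b:02x}" for b in file_droid.bytes[10:])
        pos += block_size
    return meta


def build_lnk(base_path, serial, label, machine_id, mac, arguments, drive_type=3):
    """Construct a minimal spec-conformant .lnk (test fixture only, not a real sample)."""
    label_b, lbp_b = label.encode("latin-1") + b"\x00", base_path.encode("latin-1") + b"\x00"
    vol_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    vol_off = 0x1C                                   # LinkInfoHeaderSize without Unicode offsets
    lbp_off = vol_off + len(vol_id)
    cps_off = lbp_off + len(lbp_b)
    link_info = struct.pack("<7I", cps_off + 1, 0x1C, 0x1, vol_off, lbp_off, 0, cps_off) + vol_id + lbp_b + b"\x00"
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    file_droid = uuid.UUID(fields=(0x12345678, 0x1234, 0x11D1, 0x80, 0x00, mac))  # v1 GUID, node = mac
    droid = bytes(16) + file_droid.bytes_le          # volume droid (zeroed) + file droid
    tracker = (struct.pack("<4I", 0x60, TRACKER_SIG, 0x58, 0)
               + machine_id.encode("latin-1").ljust(16, b"\x00") + droid + droid)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
              + struct.pack("<IIQQQIIIHHII", HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE,
                            0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0))
    return header + link_info + string_data + tracker + struct.pack("<I", 0)


# Constructed fixtures: serials, host names and MACs are invented for this example.
SAMPLES = {
    "campaign_a_invoice.lnk": build_lnk("C:\\Windows\\System32", 0x7B2D1F40, "OS", "DESKTOP-4N5P2QZ", 0x0050563A1B2C, "/c echo constructed sample A"),
    "campaign_b_resume.lnk": build_lnk("C:\\Windows\\System32", 0x7B2D1F40, "OS", "DESKTOP-4N5P2QZ", 0x0050563A1B2C, "/c echo constructed sample B"),
    "campaign_c_scan.lnk": build_lnk("C:\\Windows\\System32", 0x19E4C0A1, "DATA", "WIN-9H3KLRT", 0x000C29D41E7F, "/c echo constructed sample C"),
}


def pivot(samples: dict, field: str) -> dict:
    """Group sample names by one metadata field; clusters larger than one are the
    cross-campaign links worth investigating."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        value = parse_lnk(blob).get(field)
        if not value or value == "00000000":         # a zero serial is too common to be a useful pivot
            continue
        groups[value].append(name)
    return {v: sorted(n) for v, n in groups.items() if len(n) > 1}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, parse_lnk(blob))
    print("shared drive serial:", pivot(SAMPLES, "drive_serial"))
    print("shared machine id:", pivot(SAMPLES, "machine_id"))
```

Run against real samples by replacing `SAMPLES` with `{path: open(path, "rb").read() for path in ...}`; the parser only reads bytes and never executes anything. Pivoting on `drive_serial` alone reproduces the Talos link; pivoting on `machine_id` and `mac` as well makes a coincidental serial collision far less likely to be mistaken for shared tooling.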

LNK files have also been employed by advanced persistent threat (APT) groups like Gamaredon (aka Armageddon) in its attacks aimed at Ukrainian government entities.

The noticeable spike in campaigns using malicious shortcuts is widely seen as a reaction to Microsoft's decision to block macros by default in Office documents downloaded from the Internet, which pushed threat actors toward alternative attachment types and delivery mechanisms for distributing malware.

Recent analyses from Talos and Trustwave have disclosed how APT actors and commodity malware families alike are weaponizing Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised machines.

What’s more, threat actors have been observed taking advantage of rogue Google Ads and search engine optimization (SEO) poisoning to push off-the-shelf malware like BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims searching for a slew of legitimate software.

BATLOADER, associated with an intrusion set tracked by Trend Micro as Water Minyades, is an “evasive and evolutionary malware” that’s capable of installing additional malware, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader, Vidar, and ZLoader.

“Attackers are imitating the websites of popular software projects to trick victims into infecting their computers and buying search engine adverts to drive traffic there,” HP Wolf Security researcher Patrick Schläpfer said.
