Researchers observed the rise of malware infection based on LNK files

July 1, 2022

Microsoft researchers have observed a surge of LNK-based malware distribution during the second quarter of 2022. Based on reports, several threat actors have been using LNK files to disseminate malicious payloads.

An LNK file is a Windows shortcut: a pointer that opens a folder, file, or application. Windows users are exposed to this attack because many everyday Windows features rely on shortcuts. An LNK file stores the information used to reach another data object, laid out according to the Shell Link Binary File Format.

LNK files are created in one of two ways: manually, via the standard right-click “Create shortcut” option, or automatically when an application is installed. Tools also exist for generating LNK files, one of which, lnkbombs, is designed for malicious use.


Malware threats using LNK files are spread through hostile URLs and emails.


The researchers observed that the threat actors delivered the LNK files to victims through spam emails or malicious URLs. These malware-laden files direct trusted, built-in programs such as MSHTA, PowerShell, and CMD to download further malicious files.

Infection begins when the user manually opens the file: the adversaries hardcode compromised URLs directly into it so that tools such as PowerShell fetch the primary payload. The malware then saves the downloaded file in a temporary folder as test[.]dll.

Malicious LNK files have commonly been observed using CMD commands and PowerShell to connect to compromised URLs and download malware. Malware families that threat actors have delivered through LNK-based attacks include Emotet, BazarLoader, and IcedID, among others.
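As an added example (not code from the article or from the Microsoft researchers it cites), the following Python parses the StringData section of the Shell Link Binary File Format and applies the triage heuristic the article describes: a shortcut whose relative path launches PowerShell, MSHTA, or CMD and whose arguments embed a URL. The function names and the sample shortcut produced by build_sample_lnk are assumptions constructed here; the parser skips, rather than decodes, the LinkTargetIDList, so a shortcut whose only target lives in the IDList is not caught by the launch-target check.

```python
import struct

# Constants from MS-SHLLINK (Shell Link Binary File Format): fixed HeaderSize and LinkCLSID.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
COMMAND_HOSTS = ("powershell", "mshta", "cmd")  # launch targets the article names as abused


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (IDList and LinkInfo are skipped, not decoded)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:    # LinkTargetIDList: 2-byte IDListSize, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: 4-byte LinkInfoSize that counts the size field too
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FLAGS:  # sections appear in this fixed order, each gated by its bit
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields


def lnk_findings(data: bytes) -> list:
    """Triage rule: flag a shortcut that launches a command host and embeds a URL in its arguments."""
    f = parse_lnk(data)
    target = (f.get("relative_path", "") + " " + f.get("working_dir", "")).lower()
    args = f.get("arguments", "").lower()
    findings = []
    if any(host in target for host in COMMAND_HOSTS):  # substring match, so expect some noise
        findings.append("launches a script/command host")
    if "http://" in args or "https://" in args:
        findings.append("arguments embed a URL")
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample, not a real capture: minimal Unicode LNK with RELATIVE_PATH and ARGUMENTS only."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags) + bytes(HEADER_SIZE - 24)
    strings = [s.encode("utf-16-le") for s in (relative_path, arguments)]
    return header + b"".join(struct.pack("<H", len(e) // 2) + e for e in strings)
```

Real-world samples usually carry a LinkTargetIDList and LinkInfo as well, so a full triage tool should also decode those and compare the resolved target against the StringData fields.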

Threat groups' abuse of the Windows shortcut (LNK) file makes it very dangerous for ordinary users. Malicious LNK files, combined with the abuse of the PowerShell, MSHTA, and CMD programs, can pose a significant threat to targeted computers.

Organisations should closely monitor every user who works with LNK shortcut files, as these attacks constantly evolve. In addition, users' operating systems and antivirus software should be kept up to date, and users should always be wary of unknown links and attachments in every email.
