
Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot.
A recent study by cybersecurity experts analyzed the metadata of malicious LNK files for information such as the specific tools and techniques used by various cybercriminal groups, and to link seemingly unrelated attacks.
In a report shared with The Hacker News, Cisco Talos researcher Guilherme Venere said: “The increasing use of LNK files in the attack chain has made it difficult for attackers to create such files, so it is no wonder they started developing and using tools. These include tools such as NativeOne’s mLNK Builder and Quantum Builder, which allow subscribers to generate malicious shortcut files to evade security solutions.”
Major malware families that used LNK files for initial access include Bumblebee, IcedID, and Qakbot. Talos examined the artifacts’ metadata to identify connections between Bumblebee and IcedID, and between Bumblebee and Qakbot.
Specifically, we found that multiple samples of LNK files leading to IcedID and Qakbot infections, as well as samples used in various Bumblebee campaigns, all shared the same drive serial number.
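The drive serial number referred to above lives in the VolumeID structure inside the Shell Link LinkInfo block. As an added example (not code from the Talos report or this article), the following Python parser extracts the DriveSerialNumber, drive type and volume label from a .lnk file and groups samples that share a serial, which is the kind of pivot the researchers describe. The field layout follows the public MS-SHLLINK specification; `build_sample_lnk` constructs minimal test files so the script runs offline, and the serial values and names in it are made up.

```python
from __future__ import annotations
import struct
from collections import defaultdict

HAS_LINK_TARGET_ID_LIST = 0x01   # LinkFlags bit 0
HAS_LINK_INFO = 0x02             # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags bit 0
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}

def lnk_volume_info(data: bytes) -> dict | None:
    """Drive type, serial and label from the LinkInfo/VolumeID structure, or None if absent."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76                                    # first structure after the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:         # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _li_size, _li_hdr, li_flags, vol_off = struct.unpack_from("<4I", data, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                             # network-only link: no VolumeID present
    vol = pos + vol_off
    _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
    label = data[vol + label_off:data.index(b"\x00", vol + label_off)]
    return {"drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
            "drive_serial": f"{serial:08X}",
            "volume_label": label.decode("latin-1")}

def cluster_by_serial(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by DriveSerialNumber; only serials shared by 2+ samples are returned."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for name, data in samples.items():
        info = lnk_volume_info(data)
        if info:
            clusters[info["drive_serial"]].append(name)
    return {s: names for s, names in clusters.items() if len(names) > 1}

def build_sample_lnk(serial: int, label: bytes = b"", base_path: bytes = b"C:\\Users\\Public") -> bytes:
    """Constructed minimal .lnk for testing: header + LinkInfo with a VolumeID and LocalBasePath."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # Shell Link CLSID
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_LINK_INFO) + bytes(76 - 24)
    vol_id = struct.pack("<4I", 16 + len(label) + 1, 3, serial, 16) + label + b"\x00"
    base_off = 28 + len(vol_id)                 # LinkInfoHeaderSize (28) + VolumeIDSize
    suffix_off = base_off + len(base_path) + 1
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, base_off, 0, suffix_off)
    return header + link_info + vol_id + base_path + b"\x00" + b"\x00"
```

Run `cluster_by_serial` over a directory of collected shortcuts to see which samples were built on the same machine; serials of `00000000` should be discounted, as some builders zero the field.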
LNK files are also used in attacks against Ukrainian government agencies by Advanced Persistent Threat (APT) groups like Gamaredon (aka Armageddon).

A notable surge in campaigns using malicious shortcuts was seen in response to Microsoft’s decision to disable macros by default in Office documents downloaded from the Internet, as attackers turned to alternative attachment types and delivery mechanisms to distribute malware.
Recent analysis by Talos and Trustwave reveals how APT actors and commodity malware families alike weaponize Excel add-in (XLL) files and Publisher macros to drop remote access Trojans on compromised machines.
Additionally, attackers have been observed leveraging rogue Google ads and search engine optimization (SEO) poisoning to push off-the-shelf malware such as BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims looking for a host of legitimate software.
Associated with the intrusion set Trend Micro tracks as Water Minyades, BATLOADER is an evasive, evolving malware that can install additional malware such as Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader, Vidar, and ZLoader.
“Attackers mimic the websites of popular software projects to trick victims into infecting their computers and buy search engine ads to increase traffic,” said Patrick Schläpfer, a researcher at HP Wolf Security.