At least two threat actors have recently been observed distributing malicious Windows shortcut files designed to infect victims with malware.
Late last week, cybersecurity researchers from Varonis reported seeing the dreaded Emotet threat actor, as well as the lesser-known Golden Chickens group (AKA Venom Spider), distributing .ZIP archives via email, and in those archives, .LNK files.
Using Windows shortcut files to deploy malware or ransomware (opens in new tab) on the target endpoint (opens in new tab) is not exactly novel, but these threat actors have given the idea a brand new spin.
Shortcuts posing as PDF files
The majority of older readers are probably guilty of customizing their game desktop shortcuts in the past, at least on one occasion.
In this particular campaign, the threat actors replaced the original shortcut icon with that of a .PDF file, so that the unsuspecting victim, once they receive the email attachment, can’t spot the difference with a basic visual inspection.
But the danger is real. Windows shortcut files can be used to drop pretty much any malware onto the target endpoint, and in this scenario, the Emotet payload is downloaded into the victim’s %TEMP% directory. If successful, the Emotet payload will be loaded into memory using “regsvr32.exe”, while the original dropper gets deleted from the %TEMP% directory.
The best way to protect against these attacks, researchers are saying, is to thoroughly inspect every email attachment coming in, and to quarantine and block any suspicious content (that includes ZIP-compressed files with Windows shortcuts).
Admins should also restrict the execution of unexpected binaries and scripts from the %TEMP% directory, and limit user access to Windows scripting engines such as PowerShell and VBScript. They should also enforce the need for scripts to be signed via Group Policy.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba