Cybercriminals are increasingly utilizing malicious LNK files as a point of entry to download and execute payloads such as Bumblebee, IcedID, and Qakbot.
A recent study by cybersecurity experts demonstrated that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files. That metadata reveals the specific tools and techniques used by different groups of cybercriminals, as well as potential links between attacks that appear to be unrelated.
In a report shared with The Hacker News, Cisco Talos researcher Guilherme Venere stated, “With the increasing use of LNK files in attack chains, it is logical that threat actors have begun developing and employing tools to create such files.”
This includes applications such as NativeOne’s mLNK Builder and Quantum Builder, which permit users to generate malicious shortcut files and circumvent security solutions.
Bumblebee, IcedID, and Qakbot are among the major malware families that have used LNK files for initial access, with Talos identifying connections between Bumblebee and IcedID and Bumblebee and Qakbot by examining the metadata of the artifacts.
Multiple samples of LNK files that led to IcedID and Qakbot infections, as well as those used in various Bumblebee campaigns, were discovered to share the same Drive Serial Number.
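The Drive Serial Number mentioned above lives in the LinkInfo/VolumeID structure of the Shell Link binary format, and it is one of the fields defenders pivot on when clustering samples. The script below is an added example, not Talos's tooling or code from the report: it builds three constructed LNK blobs (with made-up serial numbers, labels and paths), parses the header and VolumeID fields back out, and groups the samples that share a serial. The `build_lnk` helper and the sample names are assumptions made for the demonstration; the field offsets follow the public MS-SHLLINK layout.

```python
import struct
from collections import defaultdict

# Constants from the Shell Link binary file format (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01      # LinkFlags bit: an IDList follows the header
HAS_LINK_INFO = 0x02                # LinkFlags bit: a LinkInfo structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: VolumeID + LocalBasePath present
DRIVE_FIXED = 3


def cstring(data: bytes, start: int) -> str:
    """Read a NUL-terminated ANSI string starting at `start`."""
    end = data.index(b"\x00", start)
    return data[start:end].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Extract the VolumeID metadata (drive serial, label, local base path) from an LNK."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    offset = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        # Skip the IDList: a 2-byte size followed by that many bytes.
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    result = {"link_flags": link_flags, "drive_serial": None,
              "volume_label": None, "local_base_path": None}
    if link_flags & HAS_LINK_INFO:
        # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags, VolumeIDOffset, LocalBasePathOffset
        _, _, info_flags, volume_id_off, local_base_off = struct.unpack_from("<5I", data, offset)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = offset + volume_id_off
            # VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset
            _, _, serial, label_off = struct.unpack_from("<4I", data, vol)
            result["drive_serial"] = f"{serial:08X}"
            result["volume_label"] = cstring(data, vol + label_off)
            result["local_base_path"] = cstring(data, offset + local_base_off)
    return result


def build_lnk(drive_serial: int, volume_label: str, local_base_path: str) -> bytes:
    """Constructed minimal LNK with only a LinkInfo block (no IDList, no strings)."""
    label = volume_label.encode() + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label), DRIVE_FIXED, drive_serial, 16) + label
    base_path = local_base_path.encode() + b"\x00"
    suffix = b"\x00"                       # empty CommonPathSuffix
    info_header = 28                       # LinkInfoHeaderSize without optional offsets
    volume_id_off = info_header
    local_base_off = volume_id_off + len(volume_id)
    suffix_off = local_base_off + len(base_path)
    info_size = suffix_off + len(suffix)
    link_info = struct.pack("<7I", info_size, info_header, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            volume_id_off, local_base_off, 0, suffix_off)
    link_info += volume_id + base_path + suffix
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # zeroed times, sizes, hotkey, reserved
    return header + link_info


# Constructed corpus: serial numbers, labels and paths are placeholders, not real IoCs.
SAMPLES = {
    "sample_a.lnk": build_lnk(0x1234ABCD, "BUILDER", r"C:\Windows\System32\cmd.exe"),
    "sample_b.lnk": build_lnk(0x1234ABCD, "BUILDER", r"C:\Windows\System32\rundll32.exe"),
    "sample_c.lnk": build_lnk(0x0F0F0F0F, "OS", r"C:\Windows\System32\cmd.exe"),
}


def cluster_by_drive_serial(samples: dict) -> dict:
    """Group sample names by shared DriveSerialNumber; keep only clusters of two or more."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        serial = parse_lnk(blob)["drive_serial"]
        if serial:
            clusters[serial].append(name)
    return {serial: names for serial, names in clusters.items() if len(names) > 1}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, parse_lnk(blob))
    print("shared serials:", cluster_by_drive_serial(SAMPLES))
```

A shared serial is a lead, not proof: builders can stamp a fixed value into every file they emit, and virtual machine images cloned from one template carry the same volume. Corroborate with other metadata before asserting a link between campaigns.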
In their attacks against Ukrainian government entities, advanced persistent threat (APT) groups such as Gamaredon (aka Armageddon) have also utilized LNK files.
As a result of Microsoft’s decision to disable macros by default in Office documents downloaded from the Internet, threat actors have adopted alternative attachment types and delivery mechanisms to distribute malware, as evidenced by the increase in campaigns employing malicious shortcuts.
Recent analyses by Talos and Trustwave have revealed that both APT actors and generic malware families are using Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised systems.
Moreover, threat actors have been observed leveraging rogue Google Ads and search engine optimization (SEO) poisoning to distribute off-the-shelf malware such as BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims searching for a variety of legitimate software.
BATLOADER is capable of installing additional malware, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader, Vidar, and ZLoader, and is associated with an intrusion set that Trend Micro tracks as Water Minyades.
“Attackers imitate the websites of popular software projects to deceive victims into infecting their computers, and purchase search engine advertisements to drive traffic there,” said HP Wolf Security researcher Patrick Schlapfer.