New Research Delves into the World of Malicious LNK Files and Hackers Behind Them



Jan 19, 2023Ravie LakshmananThreat Intelligence / Malware


Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot.

A recent study by cybersecurity experts has shown that it's possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, uncovering information such as the specific tools and techniques used by different groups of cybercriminals, as well as potential links between seemingly unrelated attacks.

"With the increasing usage of LNK files in attack chains, it's logical that threat actors have started developing and using tools to create such files," Cisco Talos researcher Guilherme Venere said in a report shared with The Hacker News.

This includes tools like NativeOne's mLNK Builder and Quantum Builder, which allow subscribers to generate rogue shortcut files and evade security solutions.

Some of the major malware families that have used LNK files for initial access include Bumblebee, IcedID, and Qakbot, with Talos identifying connections between Bumblebee and IcedID as well as Bumblebee and Qakbot by analyzing the artifacts' metadata.

Specifically, multiple samples of LNK files leading to IcedID and Qakbot infections, and those used in different Bumblebee campaigns, have all been found to share the same Drive Serial Number.
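As an added illustration of the metadata pivot described above (this is not Talos's tooling or code from the article), the following Python walks the Shell Link header and LinkInfo/VolumeID structures defined in MS-SHLLINK to read the Drive Serial Number and then groups samples that share one. The LNK blobs, file names and serial values are constructed for the demo.

```python
import struct
from collections import defaultdict
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02   # ShellLinkHeader.LinkFlags bits (MS-SHLLINK)
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfo.LinkInfoFlags bit
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def drive_serial_number(data: bytes):
    """Return the DriveSerialNumber stored in an LNK's LinkInfo/VolumeID, or None if absent."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (LNK) file")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                    # first structure after the 76-byte header
    if link_flags & HAS_LINK_TARGET_ID_LIST:      # skip the LinkTargetIDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & HAS_LINK_INFO:
        return None
    _size, _hdr_size, info_flags, volume_id_off = struct.unpack_from("<4I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                               # network-only links carry no VolumeID
    _vol_size, _drive_type, serial = struct.unpack_from("<3I", data, pos + volume_id_off)
    return serial

def cluster_by_serial(samples: dict) -> dict:
    """Group sample names by DriveSerialNumber, the pivot Talos used to link campaigns."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        serial = drive_serial_number(blob)
        if serial is not None:
            clusters[f"{serial:08X}"].append(name)
    return dict(clusters)

def build_lnk(serial: int, with_idlist: bool = True) -> bytes:  # constructed minimal LNK for the demo
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if with_idlist else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00" if with_idlist else b""   # just the terminal ID
    volume_id = struct.pack("<4I", 0x11, 3, serial, 0x10) + b"\x00"        # DRIVE_FIXED, empty label
    base_path = b"C:\\Windows\\System32\\cmd.exe\x00"
    path_off = 0x1C + len(volume_id)              # VolumeID sits right after the 0x1C-byte LinkInfo header
    link_info = struct.pack("<7I", path_off + len(base_path) + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, path_off, 0, path_off + len(base_path))
    return header + id_list + link_info + volume_id + base_path + b"\x00" + b"\x00" * 4

# Constructed samples with made-up serials: three share one serial, as the IcedID, Qakbot and Bumblebee LNKs did.
SAMPLES = {
    "bumblebee_a.lnk": build_lnk(0x1A2B3C4D),
    "icedid_b.lnk": build_lnk(0x1A2B3C4D, with_idlist=False),
    "qakbot_c.lnk": build_lnk(0x1A2B3C4D),
    "unrelated.lnk": build_lnk(0x0BADF00D),
}
```

On real samples, pass the file contents to `drive_serial_number` and treat a shared serial as a lead for further correlation rather than proof of a common operator, since builders and shared images can produce the same value.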

LNK files have also been employed by advanced persistent threat (APT) groups like Gamaredon (aka Armageddon) in its attacks aimed at Ukrainian government entities.

The noticeable spike in campaigns using malicious shortcuts is seen as a reactive response to Microsoft's decision to disable macros by default in Office documents downloaded from the Internet, prompting threat actors to embrace alternative attachment types and delivery mechanisms to distribute malware.

Recent analyses from Talos and Trustwave have disclosed how APT actors and commodity malware families alike are weaponizing Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised machines.

What's more, threat actors have been observed taking advantage of rogue Google Ads and SEO (search engine optimization) poisoning to push off-the-shelf malware like BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims searching for a slew of legitimate software.

BATLOADER, associated with an intrusion set tracked by Trend Micro as Water Minyades, is an "evasive and evolutionary malware" that is capable of installing additional malware, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader, Vidar, and ZLoader.

"Attackers are imitating the websites of popular software projects to trick victims into infecting their computers and buying search engine ads to drive traffic there," HP Wolf Security researcher Patrick Schläpfer said.
