Jan 19, 2023Ravie Lakshmanan
Cybercriminals are increasingly leveraging malicious LNK files
as an initial access method to download and execute payloads such
as Bumblebee, IcedID, and Qakbot.
A recent study by cybersecurity experts has shown that it is
possible to identify relationships between different threat actors
by analyzing the metadata of malicious LNK files, uncovering
information such as the specific tools and techniques used by
different groups of cybercriminals, as well as potential links
between seemingly unrelated attacks.
“With the increasing usage of LNK files in attack chains, it’s
logical that threat actors have started developing and using tools
to create such files,” Cisco Talos researcher Guilherme Venere said
in a report[1]
shared with The Hacker News.
This includes tools like NativeOne[2]‘s mLNK Builder[3]
and Quantum Builder[4], which allow subscribers
to generate rogue shortcut files and evade security solutions.
Some of the major malware families that have used LNK files for
initial access include Bumblebee, IcedID, and Qakbot, with Talos
identifying connections between Bumblebee and IcedID as well as
Bumblebee and Qakbot by examining the artifacts’ metadata.
Specifically, multiple samples of LNK files leading to IcedID
and Qakbot infections and those that were used in different
Bumblebee campaigns have all been found to share the same Drive
Serial Number.
LNK files have also been employed by advanced persistent threat
(APT) groups like Gamaredon (aka Armageddon) in its attacks[5] aimed at Ukrainian government entities[6].
The noticeable spike in campaigns using malicious shortcuts is
seen as a reactive[7]
response[8]
to Microsoft’s decision to disable macros by default in Office
documents downloaded from the Internet, prompting threat actors to
embrace alternative attachment types and delivery mechanisms to
distribute malware.
Recent analyses from Talos and Trustwave have disclosed how APT
actors and commodity malware families alike are weaponizing[9]
Excel add-in (XLL) files and Publisher macros to drop remote access
trojans on compromised machines.
What’s more, threat actors have[10] been[11] observed[12] taking advantage of
rogue Google Ads[13] and search engine
optimization (SEO) poisoning to push off-the-shelf malware like
BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims
searching for a slew of legitimate software.
BATLOADER, associated with an intrusion set tracked by Trend
Micro as Water Minyades[14], is an “evasive and
evolutionary malware” that’s capable of installing additional
malware, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine
Stealer, SmokeLoader, Vidar, and ZLoader.
“Attackers are imitating the websites of popular software
projects to trick victims into infecting their computers and buying
search engine adverts to drive traffic there,” HP Wolf Security
researcher Patrick Schläpfer said[15].
Found this article interesting? Follow us on Twitter [16] and LinkedIn[17] to read more exclusive
content we post.
References
- ^
report
(blog.talosintelligence.com) - ^
NativeOne
(research.checkpoint.com) - ^
mLNK
Builder (resecurity.com) - ^
Quantum
Builder (thehackernews.com) - ^
attacks
(cert.gov.ua) - ^
Ukrainian government entities
(thehackernews.com) - ^
reactive
(thehackernews.com) - ^
response
(thehackernews.com) - ^
weaponizing
(thehackernews.com) - ^
have
(thehackernews.com) - ^
been
(thehackernews.com) - ^
observed
(thehackernews.com) - ^
Google
Ads (support.google.com) - ^
Water
Minyades (www.trendmicro.com) - ^
said
(threatresearch.ext.hp.com) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/01/new-research-delves-into-world-of.html