At least two threat actors have recently been observed distributing malicious Windows shortcut files designed to infect victims with malware.
Late last week, cybersecurity researchers from Varonis reported seeing the dreaded Emotet threat actor, as well as the lesser-known Golden Chickens group (AKA Venom Spider), distributing .ZIP archives via email, and in those archives, .LNK files.
Using Windows shortcut files to deploy malware or ransomware (opens in new tab) on the target endpoint (opens in new tab) is not exactly novel, but these threat actors have given the idea a brand new spin.
Shortcuts posing as PDF files
The majority of older readers are probably guilty of customizing their game desktop shortcuts in the past, at least on one occasion.
In this particular campaign, the threat actors replaced the original shortcut icon with that of a .PDF file, so that the unsuspecting victim, once they receive the email attachment, can’t spot the difference with a basic visual inspection.
But the danger is real. Windows shortcut files can be used to drop pretty much any malware onto the target endpoint, and in this scenario, the Emotet payload is downloaded into the victim’s %TEMP% directory. If successful, the Emotet payload will be loaded into memory using “regsvr32.exe”, while the original dropper gets deleted from the %TEMP% directory.
The best way to protect against these attacks, researchers are saying, is to thoroughly inspect every email attachment coming in, and to quarantine and block any suspicious content (that includes ZIP-compressed files with Windows shortcuts).
Admins should also restrict the execution of unexpected binaries and scripts from the %TEMP% directory, and limit user access to Windows scripting engines such as PowerShell and VBScript. They should also enforce the need for scripts to be signed via Group Policy.