At least two threat actors have recently been observed distributing malicious Windows shortcut files designed to infect victims with malware.
Late last week, cybersecurity researchers at Varonis reported seeing the feared threat actor Emotet, as well as the lesser-known Golden Chickens (AKA Venom Spider), distributing .ZIP files via email, with .LNK files inside those archives.
Using Windows shortcut files to deploy malware or ransomware on the target endpoint is not exactly new, but these threat actors have given the idea a new spin.
Shortcuts posing as PDF files
Most older readers are probably guilty of having customized their games' desktop shortcuts at least once.
In this campaign, the threat actors replaced the original shortcut icon with that of a .PDF file, so that an unsuspecting victim receiving the email attachment could not tell the difference on a basic visual inspection.
But the danger is real. Windows shortcut files can be used to drop virtually any malware on the target endpoint; in this scenario, the Emotet payload is downloaded to the victim's %TEMP% directory. If that succeeds, the Emotet payload is loaded into memory using regsvr32.exe, while the original dropper is deleted from the %TEMP% directory.
The best way to protect against these attacks, the researchers say, is to thoroughly inspect all incoming email attachments and to quarantine and block any suspicious content, including ZIP archives that contain Windows shortcuts.
Administrators should also restrict the execution of unexpected binaries and scripts from the %TEMP% directory, limit user access to Windows scripting engines such as PowerShell and VBScript, and enforce script signing through Group Policy.
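As an added, defender-side example (not code from the article or from Varonis), the scanner below shows how a mail gateway can apply the researchers' first recommendation: open each ZIP attachment and flag any entry that is a Windows shell link by content rather than by name, since Explorer never displays the .lnk extension and the icon can be set to anything. It parses the public MS-SHLLINK header and StringData fields to pull out the icon location and command-line arguments that make such a lure work. The archive, the shortcut, and every path inside them are constructed placeholders, not samples from the campaign.

```python
"""Scan a ZIP mail attachment for Windows shortcut (.LNK) entries by content.
Added example; the archive and shortcut are constructed.  Layout follows the
public MS-SHLLINK format: 76-byte ShellLinkHeader, optional LinkTargetIDList
and LinkInfo, then length-prefixed StringData fields."""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits; StringData fields appear in this fixed order, each gated by its flag
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_ARGUMENTS, HAS_ICON_LOCATION = 0x20, 0x40
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus any StringData fields; raise ValueError if not a shell link."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec)
            pos += count * width
    return fields


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Classify each entry by content; the name is hidden by Explorer and easily faked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                lnk = parse_lnk(zf.read(info.filename))
            except ValueError:
                continue                           # not a shell link, whatever the name says
            reasons = ["shell link inside mail attachment"]
            if not info.filename.lower().endswith(".lnk"):
                reasons.append("LNK content under a non-.lnk name")
            if "icon_location" in lnk:
                reasons.append("custom icon: " + lnk["icon_location"])
            if "arguments" in lnk:
                reasons.append("command-line arguments: " + lnk["arguments"])
            findings.append({"entry": info.filename, "verdict": "quarantine", "reasons": reasons})
    return findings


def build_sample_lnk(icon_location: str, arguments: str) -> bytes:
    """Constructed minimal shortcut: header, empty IDList, then two Unicode strings."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # attrs, three timestamps, file size, icon index, SW_SHOWNORMAL, hotkey, reserved x3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = b"\x00\x00"                          # TerminalID only
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (arguments, icon_location):           # StringData order: arguments, then icon location
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def build_sample_zip() -> bytes:
    """Constructed lure archive: a harmless text file plus a shortcut named like a PDF."""
    lnk = build_sample_lnk(
        icon_location=r"%ProgramFiles%\ExampleReader\reader.exe",  # placeholder for a PDF viewer icon
        arguments=r"regsvr32.exe %TEMP%\stage.dll",                 # placeholder mirroring the article
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed benign entry\n")
        zf.writestr("invoice.pdf.lnk", lnk)       # Explorer displays this as invoice.pdf
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        print(f["verdict"], f["entry"], "|", "; ".join(f["reasons"]))
```

The check keys on the 76-byte header and the link CLSID rather than the extension, so a shortcut renamed to look like a document is still caught, and the benign text entry in the same archive is left alone; the extracted icon location and arguments are what an analyst would want in the quarantine ticket.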