The abuse of shortcut (LNK) files is steadily gaining traction among cybercriminals. We’ve seen a plethora of threats that leverage malicious LNK files: from well-known ransomware families, backdoors typically deployed in targeted attacks, and banking Trojans to spam emails, and even an exploit for an LNK vulnerability itself. These threats are usually exacerbated by the further abuse of legitimate tools such as PowerShell or the script automation utility AutoIt. It’s thus not surprising that we discovered an information stealer employing LNK files, which our sensors detected in Israeli hospitals.
Healthcare is considered a cybercriminal cash cow, as it can be a lucrative source of personally identifiable information that can be monetized in underground marketplaces. Initial findings revealed that any browser-based information, e.g., login credentials, can be stolen, which is significant given how heavily hospitals rely on browser-based management systems and applications.
We have observed its attempts to gain footholds in the systems and the local networks’ shared folders. Another notable aspect we’re seeing so far is the combination of worm propagation and stealth capabilities.