Who Needs Macros? Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts
<blockquote data-quote="upnorth" data-source="post: 998617" data-attributes="member: 38832"><p>Quote: " This article discusses Windows shortcuts (LNK files) as a medium to deploy malware and/or establish persistence. In the initial stages of an attack, threat actors are gravitating more towards the use of malicious shortcuts that deploy malware by executing code in the context of so-called living-off-the-land binaries (<a href="https://www.sentinelone.com/blog/how-do-attackers-use-lolbins-in-fileless-attacks/" target="_blank">LOLbins</a>) – legitimate executables that are readily available on Windows systems, such as powershell.exe or mshta.exe – to bypass detection. Threat actors conveniently build malicious LNK files with Windows system capabilities or tools specifically designed for that purpose, and then distribute the files to victims, usually through phishing emails.</p><p></p><p>Because of these advantages, threat actors are widely abusing shortcuts. Since Microsoft’s <a href="https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805" target="_blank">announcement</a> that Office applications will by default disable the execution of Office macros in the context of documents that originate from untrusted sources, there has been a significant <a href="https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world" target="_blank">uptick</a> in malicious actors using alternative mediums for deploying malware, such as malicious Windows Apps and shortcuts (LNK files). We covered malicious Windows Apps <a href="https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/" target="_blank">in a previous article</a>. In this article, we focus on malicious shortcuts and provide:</p><ul> <li data-xf-list-type="ul">Insights about execution chains that originate from malicious shortcuts. 
We base our insights on an <strong>analysis of 27510 malicious LNK file samples from VirusTotal</strong> that are representative of the current malicious shortcut landscape.</li> <li data-xf-list-type="ul">An overview of active widespread attack campaigns that involve malicious shortcuts and of the dynamics of the cybercrime market for tools that build malicious LNK files.</li> <li data-xf-list-type="ul">A summarizing overview of the system activities that take place when a user executes a malicious shortcut. This enables a better and generic understanding of what occurs on a system when a user falls prey to an attack that involves a malicious LNK file.</li> </ul><h2><span style="font-size: 15px">Current Developments in the Malicious Shortcut Threat Scene</span></h2><p>Given the popularity of LNK files among threat actors, the dynamics of the cybercrime market for tools has quickly adjusted to serve the demand for tools that build malicious LNK files in a configurable and convenient manner. We spotlight in this section the mLNK and QuantumBuilder tools for building malicious LNK files. We observed that these tools have recently received updates and are currently being intensively advertised in the cybercrime web space.</p><h3><span style="font-size: 15px">mLNK</span></h3><p>The mLNK tool – released by NativeOne, a tool vendor on the cybercrime scene – is known for its configurability and ease of use. NativeOne released the newest version of the tool, version 4.2, in June 2022. We observed an intensive advertising campaign for the new mLNK version on cybercrime forums and market places. The new mLNK version brings new features that enable building LNK files that can evade Windows detection mechanisms, such as Microsoft Defender SmartScreen. The public release of mLNK currently sells for a basic price of $100 per month. 
NativeOne also sells a private release of mLNK 4.2 for $125.00, which bundles more evasion mechanisms than the $25.00 cheaper public release of the tool. "</p><p></p><p><img src="https://899029.smushcdn.com/2131410/wp-content/uploads/2022/08/WhoNeedsMacros_13.jpg?lossy=0&strip=1&webp=0" alt="" class="fr-fic fr-dii fr-draggable " style="width: 639px" /></p><p></p><p>Quote: "</p><h2><span style="font-size: 15px">Active Attack Campaigns Leveraging Shortcuts</span></h2><p>A number of widespread attack campaigns that involve malicious shortcuts are active at the time of writing this article:</p><ul> <li data-xf-list-type="ul">Threat actors have started intensively distributing the major malware families QBot, Emotet, IcedID, and Bumblebee through LNK files since the second quarter of 2022. These malware families are capable of deploying additional malware on compromised systems, including destructive ransomware. In addition, the Threat Analysis Group (TAG) at Google has <a href="https://www.theregister.com/2022/03/18/exotic_lily_iab_google/" target="_blank">observed</a> Exotic Lily, an initial access broker (IAB) for ransomware actors, distributing malicious LNK files to infect systems.</li> <li data-xf-list-type="ul">Threat actors have been <a href="https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/" target="_blank">massively deploying</a> the Raspberry Robin worm on systems through malicious LNK files since September 2021. These attacks specifically involve infected USB media, containing malicious LNK files.</li> <li data-xf-list-type="ul">There are several Ukraine-themed attack campaigns as well as attack campaigns specifically targeting Ukrainian systems that are active since the second quarter of 2022. 
The Armageddon threat group, which the Security Service of Ukraine identifies as a unit of the Federal Security Service of the Russian Federation, has been distributing malicious LNK files through targeted phishing emails. The malicious LNK files deploy the <a href="https://cert.gov.ua/article/971405" target="_blank">GammaLoad.PS1_v2</a> malware on compromised systems. There are also other Ukraine-themed malicious LNK files currently in circulation. In addition, the <a href="https://inquest.net/blog/2022/06/27/glowsand" target="_blank">GlowSand</a> attack campaign includes malicious LNK files that download payloads from attacker-controlled endpoints that respond only to requests from systems with Ukrainian IP addresses. "</li> </ul><p>Full source:</p><p>[URL unfurl="true"]https://www.sentinelone.com/labs/who-needs-macros-threat-actors-pivot-to-abusing-explorer-and-other-lolbins-via-windows-shortcuts/[/URL]</p></blockquote><p></p>
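The quoted article describes the chain in words: a shortcut whose real target is a LOLBin such as powershell.exe or mshta.exe, carrying its payload in the command-line arguments, dressed up with a decoy icon and a minimized window. The script below is an added example for this thread, not code from upnorth's post or from the SentinelOne article. It parses the parts of the MS-SHLLINK (.lnk) binary format that matter for triage (header flags, ShowCommand, the LinkInfo local base path, and the StringData strings) and scores what it finds against that pattern. The LOLBin list, the argument keywords, the 64-space padding threshold and the decoy icon path are assumptions chosen for the example; the sample shortcut is built in code, is not a real malware sample, and its PowerShell command (Get-Date) does nothing harmful.

```python
"""Triage a Windows shortcut for the LNK-to-LOLBin pattern.

Added example for this thread, not code from the SentinelOne article.
Field offsets follow the public MS-SHLLINK specification. The sample
shortcut is constructed by build_lnk() (no real malware) and its
PowerShell command (Get-Date) is harmless. LOLBIN list, keywords,
thresholds and the decoy icon path are assumptions for the example.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that starts the window minimized

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "msiexec.exe", "explorer.exe", "forfiles.exe", "conhost.exe"}
SUSPICIOUS_ARGS = ("-enc", "-ep bypass", "-w hidden", "-nop", "iex ", "downloadstring",
                   "http://", "https://", "javascript:", "vbscript:", "%temp%", "%appdata%")


def _read_string(buf, pos, unicode_):
    """StringData item: CountCharacters (uint16) then the string, no terminator."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode_:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("cp1252", "replace"), pos + count


def _cstr(buf, pos):
    """NUL-terminated ANSI string used inside LinkInfo."""
    return buf[pos:buf.index(b"\x00", pos)].decode("cp1252", "replace")


def parse_lnk(buf):
    """Return the fields a triage needs from raw .lnk bytes (header, LinkInfo, StringData)."""
    if len(buf) < HEADER_SIZE or buf[:4] != struct.pack("<I", HEADER_SIZE) or buf[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show,) = struct.unpack_from("<I", buf, 60)
    info = {"target": None, "relative_path": None, "working_dir": None,
            "arguments": None, "icon": None, "show_command": show}
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                      # skip the item ID list (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", buf, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath: local target present
            info["target"] = _cstr(buf, pos + base_off) + _cstr(buf, pos + suffix_off)
        pos += li_size
    uni = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon")):
        if flags & bit:                          # StringData items appear in this fixed order
            info[key], pos = _read_string(buf, pos, uni)
    return info


def triage(info):
    """Reasons the shortcut matches the malicious-LNK pattern; an empty list means nothing found."""
    reasons = []
    target = (info["target"] or info["relative_path"] or "").lower().replace("/", "\\")
    exe = target.rsplit("\\", 1)[-1]
    args = info["arguments"] or ""
    if exe in LOLBINS:
        reasons.append(f"target is LOLBin {exe}")
    hits = [s for s in SUSPICIOUS_ARGS if s in args.lower()]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    pad = len(args) - len(args.lstrip())
    if pad >= 64:   # leading whitespace pushes the real command out of the Properties dialog
        reasons.append(f"{pad} leading spaces hide the command line")
    icon = (info["icon"] or "").lower()
    if exe in LOLBINS and icon and not icon.endswith(exe):
        reasons.append(f"decoy icon {icon} does not match target")
    if exe in LOLBINS and info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized")
    return reasons


def build_lnk(target, arguments, icon, working_dir="C:\\Windows\\System32", show=1):
    """Assemble a minimal Unicode shortcut: header, LinkInfo with LocalBasePath, StringData."""
    flags = HAS_LINK_INFO | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<II", flags, 0x20)
              + b"\x00" * 24 + struct.pack("<III", 0, 0, show) + b"\x00" * 12)
    assert len(header) == HEADER_SIZE
    vol = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"   # VolumeID: fixed drive, empty label
    base, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    base_off = 0x1C + len(vol)
    suffix_off = base_off + len(base)
    link_info = (struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
                 + vol + base + suffix)

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + link_info + s(working_dir) + s(arguments) + s(icon) + struct.pack("<I", 0)


def sample_lnk():
    """Constructed sample in the style the article describes: decoy icon, padded hidden PowerShell."""
    return build_lnk(
        target="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        arguments=" " * 300 + "-NoP -w hidden -ep bypass -c Get-Date",       # harmless command
        icon="C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",    # hypothetical decoy path
        show=SW_SHOWMINNOACTIVE)


if __name__ == "__main__":
    for name, blob in (("Invoice.pdf.lnk", sample_lnk()),
                       ("Notepad.lnk", build_lnk("C:\\Windows\\System32\\notepad.exe", "", ""))):
        findings = triage(parse_lnk(blob))
        print(name, "SUSPICIOUS" if len(findings) >= 2 else "clean", findings)
```

Point parse_lnk() at real files from a mail gateway quarantine or a USB image and the same triage() applies; the parser ignores the item ID list and extra data blocks, so a shortcut that stores its target only in the ID list (no LinkInfo, no relative path) will show an empty target and must be inspected by other means.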