Phishing Alert: LNK-based Malware Distribution is on the Rise

What is an LNK file?

• Ever seen a Windows shortcut on your laptop screen that serves as a pointer to open a file, folder, or even an application - well, the LNK link does just that. 
• LNK files hold information used to access another data object and are based on the shell link binary file format.

How are LNK files created?

• LNK files are created in two ways: one is manually by using the standard right-click create shortcut option. 
• LNK files can also be created automatically while running an application. 
• Plenty of tools are available to build LNK files - one of them is “lnkbombs” tools which are specifically for malicious purposes.

LNK threat carriers

• To distribute LNK files to victims, threat actors use spam emails and malicious URLs. 
• These files give instructions for downloading malicious files to reputable programs like PowerShell, CMD, and MSHTA.

How do the attackers infect the systems?

• Once the user is infected by manually accessing the attached LNK file, the attackers can directly hardcode malicious URLs to run along with utilities like PowerShell and download the main threat payloads.
• The downloaded file is saved under the temp folder with the name test.dll
• Typically, malicious LNK files have been observed using PowerShell and CMD commands to connect to malicious URLs and download malware, such as Emotet, Qakbot, Bazarloader, IcedID, and others, by taking advantage of its simplicity.

Final thoughts

• A comprehensive inspection is a must for every user employing LNK shortcut files as these attacks are continually developing. 
• The operating system and antivirus software of consumers must be updated. 
• Users should exercise caution when opening dangerous links and attachments in phishing emails.