Cybercriminals have brought back an older attack vector using LNK files to execute PowerShell scripts to download malware.
LNK files were first used back in 2013, but Trend Micro has noticed a resurgence staring in January 2017. Between January and April the company has detected almost 6,000 instances of LNK malware, identified as LNK_DLOADR by Trend Micro, although a few cases were also spotted late in 2016.
LNK files are generally used to create start menu and desktop shortcuts.
Trend Micro attributed the initial wave of attacks in January to group APT10, AKA MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX, that used a spearphishing campaign to execute a CMD.exe that in turn downloaded a jpeg with embedded malicious PowerShell script. By April the payload had switched to BKDR_ChChes.
And APT10 continues to mix up their attacks, although it still uses phishing as the main point of entry.
“They send a phishing email with lures that push the victim to “double click for content”, typically a DOCX or RTF file embedded with a malicious LNK. Instead of directly executing PowerShell, the LNK file will execute MSHTA.exe (a file used for opening HTML applications), which executes a Javascript or VBScript code that in turn downloads and executes the PowerShell script. The PowerShell then executes a reverse shell (like Metasploit or Cobalt Strike) to complete the compromise,” the report said.
There are a couple of quick fixes companies can implement to avoid LNK issues. Just as with WannaCry updating software is the first step. I this case users should have PowerShell version 5 installed. The responsibility falls on the individual and that is to be wary of any executable files received in an email.