LNK Malware Campaign Exploits Windows for Stealth Attacks

Emerging Threat via Discord

In a recently discovered cyber threat, researchers have identified a sophisticated malware campaign that utilizes Windows shortcut (.LNK) files to execute a multi-functional Remote Access Trojan (RAT). Distributed through Discord, this threat is particularly concerning due to its innovative use of legitimate Windows processes. The LNK malware disguises itself as a seemingly benign file, "cyber security.lnk," which, upon opening, displays a decoy PDF file while covertly executing a series of potent commands via PowerShell.

Leveraging Legitimate Tools

This attack employs the strategy known as living-off-the-land binary (LOLBIN) abuse. It takes advantage of the odbcconf.exe tool, a legitimate component of Windows, to run a malicious DLL named Moq.dll without triggering security alerts. When executed, the PowerShell script utilizes the command odbcconf.exe /a {regsvr"C:\\Users\\Public\\Nuget\\moq.dll"} to embed and activate the payload. The malware creates a hidden NuGet folder to house integral files such as Dapper.dll and Newtonsoft.dll, further complicating detection.

Advanced Evasion Techniques

Evasion is critical in the operational strategy of this malware. The injected Moq.dll file executes a series of patches, disabling key Windows defense mechanisms. It modifies AmsiScanBuffer to render AMSI ineffective and alters EtwEventWrite in ntdll.dll to switch off Windows Event Tracing (ETW), thereby avoiding detection and preventing logging activities.

Persistence and Control

Achieving persistence involves manipulating the Windows Registry. The malware revises the registry key HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to ensure it is launched with explorer.exe upon user logon. This ensures the malware recurs with system restarts and user logins, cementing its foothold.

Extensive Capabilities

Once installed, the RAT establishes communication with a command and control server at hotchickenfly.info, meticulously generating unique machine identifiers for tracking. The RAT is equipped with features to capture screenshots, perform system reconnaissance for installed antivirus products, and exfiltrate data using the Dropbox API with hardcoded tokens, securing communications through AES encryption to maintain confidentiality and integrity of transmitted data.

Attribution and Mitigation

The campaign, initially identified by K7 Labs, was first noted in Israel, exemplifying a growing trend in cybercrime methods exploiting legitimate Windows utilities to circumvent traditional defense systems. To combat such threats, experts recommend robust strategies such as implementing application whitelisting, meticulously monitoring the use of LOLBINs, and deploying endpoint detection systems that focus on spotting behavioral anomalies rather than signature-based threats.