Uh oh, malicious Windows shortcuts are making a return


At least two threat actors have recently been observed distributing malicious Windows shortcut files designed to infect victims with malware.

Late last week, cybersecurity researchers from Varonis reported seeing the dreaded Emotet threat actor, as well as the lesser-known Golden Chickens group (AKA Venom Spider), distributing .ZIP archives via email, and in those archives, .LNK files.

Using Windows shortcut files to deploy malware or ransomware on the target endpoint is not exactly novel, but these threat actors have given the idea a brand new spin.

Shortcuts posing as PDF files

The majority of older readers are most likely guilty of customizing their game desktop shortcuts in the past, at least on one occasion.

In this particular campaign, the threat actors replaced the original shortcut icon with that of a .PDF file, so that the unsuspecting victim, once they receive the email attachment, can't spot the difference with a basic visual inspection.

But the danger is real. Windows shortcut files can be used to drop pretty much any malware onto the target endpoint, and in this scenario, the Emotet payload is downloaded into the victim's %TEMP% directory. If successful, the Emotet payload will be loaded into memory using "regsvr32.exe", while the original dropper gets deleted from the %TEMP% directory.

The best way to protect against these attacks, researchers are saying, is to thoroughly inspect every email attachment coming in, and to quarantine and block any suspicious content (that includes ZIP-compressed files with Windows shortcuts).

Admins should also restrict the execution of unexpected binaries and scripts from the %TEMP% directory, and limit user access to Windows scripting engines such as PowerShell and VBScript. They should also enforce the requirement for scripts to be signed via Group Policy.
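The attachment-inspection advice above can be automated at the mail gateway. The following is an added example, not code from the article or from Varonis: it opens a ZIP attachment in memory and flags any entry that is a Windows shortcut, either by its .lnk extension or by the Shell Link header at the start of the file (header size 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), which catches a shortcut renamed to look like a PDF. The sample archive and its stub shortcut bytes are constructed for the demonstration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def is_lnk_payload(data: bytes) -> bool:
    """True if the bytes begin with the Shell Link header, whatever the name says."""
    return data[: len(LNK_HEADER)] == LNK_HEADER


def inspect_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per shortcut-like entry inside a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))  # only the header is needed
            by_name = name.lower().endswith(".lnk")
            by_magic = is_lnk_payload(head)
            if by_name or by_magic:
                findings.append({
                    "entry": name,
                    "reason": "lnk-extension" if by_name else "lnk-header-disguised",
                    "double_extension": name.lower().count(".") > 1,
                })
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway decision: any shortcut inside the archive means hold the message."""
    return bool(inspect_zip_attachment(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample archive (hypothetical names, stub shortcut bytes)."""
    stub_lnk = LNK_HEADER + b"\x00" * 56  # header only, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022.pdf.lnk", stub_lnk)   # PDF icon, .lnk extension
        zf.writestr("statement.pdf", stub_lnk)          # renamed, header still present
        zf.writestr("readme.txt", b"plain text, benign")
    return buf.getvalue()
```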

Sead Fadilpašić

Sead is a seasoned freelance writer based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he's written for many media outlets, including Al Jazeera Balkans. He's also held several modules on content writing for Represent Communications.