Cybercriminals are increasingly using malicious LNK files as a way to gain initial access and download payloads such as Bumblebee, IcedID, and Qakbot.

These malicious shortcut files are used to evade security solutions and infect victims’ computers with malware.

A recent study by Cisco Talos has revealed that it is possible to identify relationships between different threat actors by analyzing the metadata of these malicious LNK files.

This information includes the specific tools and techniques used by different groups of cybercriminals, as well as potential links between seemingly unrelated attacks.

The use of LNK files in attack chains has prompted threat actors to develop and use tools to create such files, such as mLNK Builder and Quantum Builder, which allow actors to generate rogue shortcut files and evade security solutions.

Some of the major malware families that have used LNK files for initial access include Bumblebee, IcedID, and Qakbot.

Talos security researchers have identified connections between Bumblebee and IcedID, as well as Bumblebee and Qakbot, by examining the artifacts’ metadata.

Specifically, multiple samples of LNK files leading to IcedID and Qakbot infections, and those that were used in different Bumblebee campaigns, have all been found to share the same drive serial number.
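The drive serial number that Talos used to link these samples lives in the VolumeID structure of the Shell Link (MS-SHLLINK) format, inside the LinkInfo block; the TrackerDataBlock in the ExtraData section additionally records the NetBIOS machine name of the host on which the shortcut was created. The following Python is an added example, not Talos's tooling: it parses those fields from raw LNK bytes and groups samples that share a drive serial. The sample shortcuts, serial numbers and machine names are constructed inside the block purely for demonstration and are not the values from the real campaigns.

```python
import struct
from collections import defaultdict

# Constants from the MS-SHLLINK specification.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
TRACKER_DATA_BLOCK = 0xA0000003


def parse_lnk(data: bytes) -> dict:
    """Extract the clustering-relevant metadata from a .lnk byte string."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    meta = {}
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList entirely
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset
            _size, drive_type, serial, _label_off = struct.unpack_from("<IIII", data, off + vol_off)
            meta["drive_type"] = drive_type
            meta["drive_serial"] = f"{serial:08X}"
            base = off + base_off
            meta["local_base_path"] = data[base:data.index(b"\x00", base)].decode("cp1252", "replace")
        off += li_size
    # StringData fields appear in this fixed order, each as CountCharacters + chars.
    unicode = bool(flags & IS_UNICODE)
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, off)
            off += 2
            nbytes = count * 2 if unicode else count
            meta[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252", "replace")
            off += nbytes
    # ExtraData: BlockSize, BlockSignature, ... until a terminal block (size < 4).
    while off + 8 <= len(data):
        block_size, sig = struct.unpack_from("<II", data, off)
        if block_size < 4:
            break
        if sig == TRACKER_DATA_BLOCK and block_size >= 0x60:
            # MachineID: 16-byte NetBIOS name of the host that created the link.
            meta["machine_id"] = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
        off += block_size
    return meta


def build_sample_lnk(serial: int, machine_id: str, args: str) -> bytes:
    """Construct a minimal, spec-conformant .lnk in memory (constructed test data only)."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    label = b"\x00"  # empty volume label
    volume_id = struct.pack("<IIII", 16 + len(label), 3, serial, 0x10) + label
    base_path = b"C:\\Windows\\System32\\cmd.exe\x00"
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + b"\x00"
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    tracker = (struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK, 0x58, 0)
               + machine_id.encode("ascii").ljust(16, b"\x00") + b"\x00" * 64)
    return header + link_info + string_data + tracker + struct.pack("<I", 0)


# Constructed samples: three built on the same (fictional) host, one unrelated.
SAMPLES = {
    "bumblebee_a.lnk": build_sample_lnk(0x1234ABCD, "DESKTOP-EXAMPLE", "/c echo a"),
    "icedid_b.lnk": build_sample_lnk(0x1234ABCD, "DESKTOP-EXAMPLE", "/c echo b"),
    "qakbot_c.lnk": build_sample_lnk(0x1234ABCD, "DESKTOP-EXAMPLE", "/c echo c"),
    "unrelated_d.lnk": build_sample_lnk(0xCAFEF00D, "WIN-OTHER", "/c echo d"),
}


def cluster_by_serial(samples: dict) -> dict:
    """Group sample names by DriveSerialNumber; a shared serial points to a common build host."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        clusters[parse_lnk(blob).get("drive_serial", "none")].append(name)
    return dict(clusters)


if __name__ == "__main__":
    for serial, names in cluster_by_serial(SAMPLES).items():
        print(serial, names)
```

Run against a directory of quarantined shortcuts by replacing `SAMPLES` with the files' bytes; the drive serial and machine ID are both worth pivoting on, since a builder tool run on one operator machine leaves the same values in every shortcut it produces.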

LNK files have also been employed by advanced persistent threat (APT) groups such as Gamaredon (also known as Armageddon) in their attacks aimed at Ukrainian government entities.

The spike in campaigns using malicious shortcuts is seen as a reaction to Microsoft’s decision to disable macros by default in Office documents downloaded from the Internet. This has prompted threat actors to use alternative attachment types and delivery mechanisms to distribute malware.

Of course, LNK files are only the initial access vehicle: recent analyses from Talos and Trustwave have disclosed how APT actors are weaponizing Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised machines.

Additionally, the same threat actors have been observed taking advantage of rogue Google Ads and search engine optimization (SEO) poisoning to push off-the-shelf malware such as BATLOADER, IcedID, Rhadamanthys Stealer and Vidar to victims searching for legitimate software. BATLOADER, according to a report by Trend Micro, is malware capable of installing additional malicious tools, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader and ZLoader.

Indicators of Compromise

Qakbot

  • 8fda14f91e27afec5c1b1f71d708775c9b6e2af31e8331bbf26751bc0583dc7e

  • 2f9da7145056a4217552a5a536ceb8365e853fbd04d28ae2d494afb20e9c021f

  • 52458b4aaddbcb04048be963ea7d669c2ff7a69642d027f88812a5c6c1ade955

  • 6a980d7659efb8bfb997dec3259d6eb090d4e6a4609e4c0666e04ad612151d71

  • 67bbffb2ff5f724a201445f26018cb09fbf0588689f98f90fd82082aae7c6eec

  • da2a0d9a6b5dd2123c4c2cbd55d81fd22ab72bf7ceb1489a5a770e10bcf67137

  • 54681cbb4c61dd4fe03341cfd8d2b796366a0372b53dd3e1d52c9e6ff98692d1

  • a7f31c98147d98ac08f4b8afe7faa2f2b4aab821655717f4bde519fcd87300ac

  • c5c0daaa26815bb6528332dd4f56f7eb72db4456d5a84b8bc69239c45079a1c4

  • efdb91497fe213e8f696065c2fe81f64cbaa219da16e2b3f8e1e146d098652b5

  • c9dfafd3536977289b4bfda1369fbd113a778cf06ac0c01cdc8e00e1c300e774

  • e818b0115a9a877a9517c99b16e5a2df9cf7c5eb1fb249d9153b68e8fa94e60b

  • 7ba3eaee591cc73ab85aeb09d8c02b1e569b9dcaffcbc7c4473f504f939697d2

Gamaredon

  • 7f66f4411983001d29236c5d3fb4ff26f01b5742badca1db8d49264c01ba506c

  • 1b2ed05f488f8439688a02cc6ef84f939d16169117b489219b688a3ea482e5ed

  • 6ce64dedbe81c36aef38fd2d567f6ab9737df708591dc2f0cafa56db26a1d043

  • 1e0b92485e09ac970ae38214fb5c7407f73027ada47ea697017e49cacb576908

Bumblebee

  • 9c7e01c2c39dadc020a0cf8dc74b62e6453b56413f09705b4ad4d391981f5a3f

  • 2738ee3f181994cca5d9ea19359b8142981583d17563934ab3212eefe13af3ff

IcedID

  • 3cca8d1b4cfe0ebcf105621700454d0285ef1b44dfed3e3abf70060bb62aa5b4

  • e89cd1999517b47805106111e14de4a03669cac30adb3b3304655febce25955f

RedLine

  • 6161c01fd590c98c6dee4e510ba9be4f574c9cc5c89283dbff6bb79cd9383d70