Use of windows Shortcut/LNK Files has Risen Significantly with Threat Actors

Industry: N/A | Level: Tactical | Source: SentinelOne

Threat actors’ use of windows shortcut/LNK files has risen significantly following Microsoft's announcement to disable macros by default. SentinelOne's latest research highlights the rise in the deployment of shortcut files, primarily distributed through phishing campaigns. "Our mass-analysis of 27510 representative malicious LNK files from VirusTotal revealed Windows Explorer at the top of the list (with 87.2% prevalence), followed by powershell.exe(7.3%), wscript.exe(4.4%), and rundll32.exe(0.5%). LNK files are currently immensely popular among threat actors for malware deployment and persistence." Shortcut files paired with living-off-the-land binaries (LOLbins) have been a popular and effective replacement. "Given the popularity of LNK files among threat actors, the dynamics of the cybercrime market for tools has quickly adjusted to serve the demand for tools that build malicious LNK files in a configurable and convenient manner." Cybercrime tools developed to aid in the craft of malicious LNK files include mLNK, and QuantumBuilder. Many malware families, such as Qakbot/Qbot, Emotet, IcedID, and Bumblebee, have already adopted LNK files into their attack chains. Threat campaigns launched against Ukrainians have also incorporated LNK-based threats during the initial attack stages.

Anvilogic Scenario:

• LNK & LOLBin

Anvilogic Use Cases:

• Symbolic OR Hard File Link Created
• Suspicious Executable by Powershell
• Suspicious Executable by CMD.exe

‍