Earlier this month, researchers at McAfee Labs spotted a sophisticated technique where hackers employed email spam and malicious URLs to deliver LNK files to victims. The files command authentic applications like PowerShell, CMD, and MSHTA to download malicious files.
LNK files are shortcut files that link to an application or file commonly found on a victim’s desktop or throughout a system and end with an .LNK extension. LNK files can be created by the user or automatically by the Windows operating system.
To identify the true nature of these files we will go through recently identified Emotet malware.
In this particular campaign, the hacker targets the victims’ by manually accessing the attached LNK file. Threat actor replaces the original shortcut icon with that of a .pdf file, so that the unsuspecting victim, once they receive the email attachment, can’t spot the difference with a basic visual inspection.
But the threat is real. Windows shortcut files can be employed to deploy pretty much any malware onto the target endpoint, and in this case, the Emotet payload is downloaded into the victim’s %TEMP% directory. If successful, the malware will be loaded into memory using “regsvr32.exe”, while the original dropper gets deleted from the %TEMP% directory.
Precautionary tips
Emotet is a sophisticated and long-lasting malware that has impacted users globally. Threat Actors are constantly adapting their techniques to stay one step ahead of cybersecurity researchers.
McAfee Labs is continuously monitoring the activity of Emotet and has published the guidelines to protect users from malware infection.
• It is important to note that Emotet is an endpoint threat spread via email, therefore endpoint detection and response (EDR) and antivirus tooling are imperative to disrupting this threat.
• Don’t keep important files in common locations such as the Desktop, My Documents, etc.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
• Use a trusted anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
• Avoid clicking on untrusted links and email attachments without verifying their authenticity.
• Conduct regular backup practices and keep those backups offline or in a separate network.
