CyberSecurity SEE

Turla Hackers Using LNK-Files to Deploy Fileless Malware

Hackers weaponize LNK files by using them to carry malware into systems without being detected. These shortcuts are designed to appear legitimate, making it difficult for users to spot their malicious intentions. One recent discovery by cybersecurity researchers at GDataSoftware revealed that Turla hackers have been actively using LNK files to distribute fileless malware.

The Turla hackers have targeted various companies and organizations in the Philippines. To infiltrate these targets, they employ a compromised media website to distribute harmful code. The attack begins with a fake shortcut posing as an official advisory from the Philippine Statistics Authority. When the shortcut is executed, it triggers a PowerShell script that leverages Microsoft’s msbuild.exe to launch a fileless backdoor, bypassing any application whitelisting measures in place.

The malware is designed to run every 30 minutes through scheduled tasks to avoid detection. Additionally, the payload is an MSIL binary protected by SmartAssembly, making it challenging to reverse engineer. This attack combines social engineering tactics, fileless malware, and legitimate system tools, showcasing the sophistication of the Turla hacking group.

The backdoor incorporates several techniques to evade detection: it disables ETW, patches its copies in memory, and circumvents AMSI. The malware communicates with its command-and-control (C2) server through a compromised personal website, which helps the attacker stay undetected while maintaining control over the infected system.

Analysis of the malware reveals similarities with Turla APT techniques, such as using infected websites as servers and bypassing AMSI through memory patching. However, there are also new techniques employed in this variant that were not previously associated with Turla, indicating potential changes in tactics within the group or the emergence of a new threat actor utilizing similar methods.

The evolving tactics of advanced persistent threats make it challenging for cybersecurity researchers to attribute attacks to specific groups or individuals. Understanding the motives and identities of threat actors behind such attacks remains a complex task.

To prevent such attacks, several precautions can be taken, including setting PowerShell to execute only signed scripts, assessing the necessity of PowerShell and removing it if not needed, disabling or restricting the WinRM Service to prevent remote PowerShell use, removing MSBuild.exe if unnecessary, and blocking msbuild.exe with application control if it serves no legitimate purpose.
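As an added example (not code from the article or from GData's report), the following PowerShell hunts for scheduled tasks matching the pattern described above (a PowerShell or msbuild.exe action that repeats every 30 minutes) and applies the PowerShell and WinRM mitigations listed; the function names are my own, and the script assumes an elevated prompt on a Windows host with the ScheduledTasks module.

```powershell
# Added example, not from the article: audit scheduled tasks for the
# "LOLBin every 30 minutes" pattern and apply the listed PowerShell/WinRM hardening.
function Find-SuspiciousLolbinTasks {
    [CmdletBinding()]
    param(
        # Binaries worth flagging when a scheduled task launches them
        [string[]]$WatchedBinaries = @('msbuild.exe', 'powershell.exe', 'pwsh.exe'),
        # ISO 8601 duration the Task Scheduler uses for a 30-minute repetition
        [string]$Interval = 'PT30M'
    )
    foreach ($task in Get-ScheduledTask) {
        $hits = @($task.Actions | Where-Object {
            if (-not $_.Execute) { return $false }          # skip non-exec (COM handler) actions
            $exe = [System.IO.Path]::GetFileName(($_.Execute -replace '"', '')).ToLower()
            ($WatchedBinaries -contains $exe) -or ($_.Arguments -match 'msbuild|powershell')
        })
        if (-not $hits) { continue }
        # Flag tasks whose trigger repeats at the interval seen in this campaign
        $repeats = @($task.Triggers | Where-Object { $_.Repetition.Interval -eq $Interval })
        [pscustomobject]@{
            TaskPath          = $task.TaskPath
            TaskName          = $task.TaskName
            Command           = ($hits | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            RepeatsEvery30Min = [bool]$repeats
        }
    }
}

function Invoke-PowerShellHardening {
    # Allow only signed scripts to run (first mitigation listed above)
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
    # Remove the remote PowerShell path: disable remoting and the WinRM service
    Disable-PSRemoting -Force
    Stop-Service -Name WinRM -ErrorAction SilentlyContinue
    Set-Service -Name WinRM -StartupType Disabled
}

# Review the findings first; run Invoke-PowerShellHardening once the host is triaged.
Find-SuspiciousLolbinTasks | Format-Table -AutoSize
```

Blocking msbuild.exe itself is an application-control decision (AppLocker or WDAC policy) and is not automated here.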

In conclusion, the use of LNK files to deploy fileless malware highlights the advanced capabilities of threat actors like the Turla hackers. By remaining vigilant and implementing robust security measures, organizations can mitigate the risk of falling victim to such sophisticated cyber attacks.
