LNK or Swim: Analysis & Simulation of Recent LNK Phishing | Splunk

LNK Phishing Campaign and Evolution analyzes active campaigns that use .LNK files as the infection trigger, showing how threat actors deliver malware such as AsyncRAT and Rhadamanthys through deceptive shortcuts. It also covers defender-focused simulations and extraction techniques (e.g., LECmd) for understanding and detecting these tactics. #AsyncRAT #Rhadamanthys #Ducktail #LNKPhishing

Keypoints

  • LNK phishing campaigns use deceptive .LNK files to initiate malware delivery, with AsyncRAT and Rhadamanthys highlighted as examples.
  • An LNK named “INVOICE#BUSAPOMKDS03” can trigger copying a malicious batch file (Musicfile.bat) and deploying AsyncRAT on the target.
  • Rhadamanthys uses an embedded Base64-encoded PowerShell script in an LNK to download a file from a malicious C2 URL, then executes it.
  • Obfuscation is common; e.g., the Ducktail campaign uses a caret (“^”) to split commands and hinder readability, aiding evasion.
  • Reconnaissance via LNK samples collects extensive system information (processor, computer name, user, IP, etc.) and transmits it as JSON to the C2.
  • The LNK payloads often masquerade as legitimate PDFs (embedding a dummy PDF icon) to increase click-through risk.
  • Complex LNKs may decrypt payloads, extract CAB/ZIP contents, and drop multiple components (e.g., a dummy DOCX and CAB archives) to extend the attack chain.

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter – “In a typical phishing campaign, threat actors deploy a straightforward yet impactful strategy by employing malicious LNK files to distribute malware. Crafted with a script or command line argument, these LNK files prompt a specific action upon user interaction.”
  • [T1132] Data Encoding – “Rhadamanthys … a Trojan Stealer … contains an embedded Base64-encoded PowerShell script designed to download a file from a malicious Command and Control (C2) URL.”
  • [T1027] Obfuscated Files or Information – “a caret ‘^’ symbol as an obfuscation technique to break up commands or expressions…”
  • [TA0043] Reconnaissance – “threat actors have devised .LNK samples tailored to conduct reconnaissance on target hosts or systems. Upon execution, these .LNK files trigger PowerShell scripts designed to collect extensive system information. … and transmits it to the C2 server.”
  • [T1202] Indirect Command Execution – “This LNK file uses a Living Off the Land Binary (LOLBIN) technique known as forfiles, a legitimate Windows utility, to execute PowerShell script, which initiates the download of a malicious payload in ZIP file format.”
  • [T1204.002] User Execution: Malicious File – “When executed, this LNK file triggers a PowerShell script … obfuscation techniques.”
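As an added defender-side example (not code from the Splunk post), the Python below parses the StringData of a shortcut the way a tool such as LECmd would and flags the traits listed in the Keypoints and MITRE sections above: Base64-encoded PowerShell, caret-split commands, forfiles use, and a PDF-looking icon. The field layout follows the MS-SHLLINK specification; the shortcut it builds for testing is constructed, not a campaign sample.

```python
import re
import struct

HDR = 0x4C                                   # fixed ShellLinkHeader size
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relpath", 0x08), ("workdir", 0x10),
                 ("args", 0x20), ("icon", 0x40))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name/relpath/workdir/args/icon) of a .lnk."""
    if struct.unpack_from("<I", data, 0)[0] != HDR or data[4:20] != CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HDR
    if flags & HAS_ID_LIST:                  # skip LinkTargetIDList (size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (self-sized block)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for key, bit in STRING_FIELDS:
        if flags & bit:                      # CountCharacters then the chars, no NUL
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def build_lnk(args: str, icon: str) -> bytes:
    """Constructed minimal Unicode .lnk carrying only arguments and an icon path."""
    flags = IS_UNICODE | 0x20 | 0x40         # IsUnicode | HasArguments | HasIconLocation
    header = (struct.pack("<I", HDR) + CLSID + struct.pack("<I", flags)).ljust(HDR, b"\0")
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(args) + enc(icon)

def triage(fields: dict) -> list:
    """Flag the traits from the post: encoded PowerShell, caret splitting, forfiles, PDF icon."""
    args, icon = fields.get("args", ""), fields.get("icon", "")
    plain = args.replace("^", "").lower()    # carets are ignored by cmd.exe, so strip them
    checks = {
        "encoded-powershell": "powershell" in plain
                              and bool(re.search(r"\s-e(?:c|n[a-z]*)?\s", plain)),
        "caret-obfuscation": args.count("^") >= 3,
        "forfiles-lolbin": "forfiles" in plain,
        "pdf-icon-lure": bool(re.search(r"\.pdf$|acrord32", icon, re.I)),
    }
    return [name for name, hit in checks.items() if hit]
```

Run `triage(parse_lnk(open(path, "rb").read()))` on a quarantined shortcut; the parser only reads metadata and never launches the target.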

Indicators of Compromise

  • [Domain] – goosess.com, stuckss.com – C2 domains referenced in the LNK payloads and PHP/ZIP download URLs.
  • [Batch file] – Musicfile.bat, 49120862.bat – Files dropped/executed as part of the LNK attack chain (batch scripts).
  • [Archive] – di3726.zip – ZIP archive dropped/extracted during payload deployment.
  • [VBScript] – Start.vbs – VBScript file used to invoke further malicious actions within the chain.

Read more: https://www.splunk.com/en_us/blog/security/lnk-phishing-analysis-simulation.html