Malware researchers have discovered a new tool that helps attackers create dangerous LNK files, which are used to deliver payloads in the opening phase of an attack.
LNK files are Windows shortcut files. A shortcut may carry a command that abuses a trusted system utility, one of the so-called living-off-the-land binaries (LOLBins), such as PowerShell or MSHTA, the binary that executes Microsoft HTML Application (HTA) files.
As a result, LNKs are widely used to spread malware, particularly during phishing attempts. Notable malware families that currently use LNKs include Emotet, Bumblebee, Qbot, and IcedID.
Quantum LNK Builder
A new malicious LNK creation tool named Quantum has been discovered by Cyble researchers. It has a graphical user interface and provides convenient file generation through a wide range of choices and parameters (e.g. extension spoofing, icon selection from over 300 available options).
Renting the software costs €189 per month, €335 for two months, €899 for six months, or €1,500 all at once for lifetime access.
Quantum supports post-execution concealment, execution at startup or after a delay, Windows SmartScreen bypass, loading multiple payloads into a single LNK file, and UAC bypass.
Its creators claim that files created with Quantum are 100% FUD (fully undetectable), meaning that antivirus software and OS security features do not flag them as harmful or suspicious.
Last but not least, Quantum can create HTA files and ISO archives, which are frequently used together with LNK attacks: the LNK files are packaged inside the disk image so that they reach the victim in one container.
Another notable feature of Quantum is a built-in DogWalk n-day exploit for the Microsoft Support Diagnostic Tool (MSDT), which abuses a .diagcab file to execute arbitrary code.
Lazarus ties
Recent LNK samples collected in the wild and analyzed by Cyble suggest that known APT groups such as Lazarus may be using Quantum in their attacks.
The specific file utilized in the campaign is called “Password.txt.lnk,” and it presents itself as a password-protected text file for a PDF document that purports to provide a stablecoin analysis.
The PowerShell script that runs when the LNK file is opened is remarkably similar to scripts that Lazarus has employed recently, suggesting a likely connection.
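A defender-side triage check for the two traits the report describes, a shortcut whose target is a LOLBin such as PowerShell or MSHTA, and a document-style double extension like Password.txt.lnk. This is an added example, not code from Cyble or from the Quantum tool; the LOLBin list, the flag patterns and the quarantine folder path are assumptions.

```powershell
# Added example (not from the Cyble report): triage .lnk attachments for a
# spoofed double extension such as "Password.txt.lnk" and for a target or
# argument string that launches a living-off-the-land binary.
# Windows only; reads shortcut fields through the WScript.Shell COM object.

# Assumed LOLBin list; extend to match local policy.
$LolBins = @('powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe', 'wscript.exe',
             'cscript.exe', 'rundll32.exe', 'regsvr32.exe', 'msdt.exe')

function Test-SuspiciousLnk {
    param([Parameter(Mandatory)][string]$Path)

    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut($Path)
    $reasons = @()

    # Trait 1: a "document" extension placed in front of .lnk, e.g. Password.txt.lnk.
    $name = [System.IO.Path]::GetFileName($Path)
    if ($name -match '\.(txt|pdf|docx?|xlsx?|jpe?g|png)\.lnk$') {
        $reasons += "spoofed extension ($name)"
    }

    # Trait 2: the shortcut points at a LOLBin, directly or via its arguments.
    $target = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
    if ($LolBins -contains $target) {
        $reasons += "target is LOLBin ($target)"
    }
    foreach ($bin in $LolBins) {
        if ($lnk.Arguments -match [regex]::Escape($bin.Replace('.exe', ''))) {
            $reasons += "arguments reference $bin"
            break
        }
    }

    # Trait 3: flags typical of a hidden or encoded PowerShell launch.
    if ($lnk.Arguments -match '-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop|noprofile)') {
        $reasons += 'hidden/encoded PowerShell flags'
    }

    [pscustomobject]@{
        File       = $name
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        Suspicious = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
    }
}

# Usage: scan a folder of quarantined attachments (placeholder path).
Get-ChildItem 'C:\Quarantine\*.lnk' | ForEach-Object { Test-SuspiciousLnk $_.FullName } |
    Where-Object Suspicious | Format-Table -AutoSize
```

A benign shortcut to a document or application produces no reasons, so only shortcuts matching at least one trait are listed for analyst review.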
Tools like Quantum are accelerating the adoption of LNK files among cybercriminals, and their use is expected to keep rising as long as the technique remains profitable for malicious actors.
Users are advised to exercise caution and to scan all email attachments with an antivirus program before opening them.