Researchers from Proofpoint have detected a campaign of millions of messages directed at organizations in the US and UK. The campaign employs a straightforward voice message lure with a LNK attachment – an unusual but not unheard of method of malware delivery.
The use of LNK files to deliver malware in phishing emails is unusual but not unheard of [1], and this campaign caught the eye of at least one other security researcher [2]. In some versions of Windows the “wav.lnk” file was represented with a Windows audio file (WAV) icon, while in others a generic file icon was displayed.
Double-clicking the attachment calls “cmd.exe” to run a series of shell commands.
This copies the LNK file to a temporary directory and extracts out a VBE file from the LNK file, writes it to disk, then executes it.
The dynamically generated script file then downloads and executes the Dridex botnet #220 binary from this URL: hxxp://laurance-primeurs[.]fr/345/wrw.exe.
Despite the size of the campaign, the technique itself was used in a relatively limited manner: only one unique file (i.e., hash) was detected in this campaign, and errors in the scripting resulted a general failure to execute on target systems. (Another recent innovation in the current wave of malicious document attachment campaigns – the use of MIME/OLE formatted documents – began with similar misfires but then went on to become a predominant masking technique [3] [4].) Moreover, some versions of mail client did not display the attachment, replacing it with a warning message that the file was potentially unsafe, and organizations following email security best practices commonly treat LNK files similar to executables (EXE) and strip them from messages before delivery.
Despite these constraints, this campaign showed that the LNK format remains a potentially effective technique, and as a whole demonstrates that threat actors are continuing to innovate and experiment with new delivery and masking techniques in order to stay ahead of adapting defenses.[su_box title=”About Proofpoint” style=”noise” box_color=”#336588″]
Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving & governance, and secure communications. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.