Cybersecurity researchers detected a new malware tool that helps threat actors build malicious Windows shortcut files, known as .LNK files.
Quantum LNK Builder and the Use of .lnk Files
Dubbed Quantum Lnk Builder, the tool is currently being offered for sale on underground cybercrime forums. The price depends on the subscription plan: €189 a month, €355 for two months, €899 for six months, or €1,500 for a lifetime purchase.
Cyble researchers have been observing a surge in the use of .lnk files by several malware families, including Emotet, Bumblebee, Qbot, and Icedid. Many APT actors also leverage these files for initial execution to deliver the final payload.
What are .lnk files?
“.lnk files are shortcut files that reference other files, folders, or applications to open them. The TAs [threat actors] leverage the .lnk files and drop malicious payloads using LOLBins. LOLBins (Living off the Land Binaries) are binaries that are native to Operating Systems, such as PowerShell and mshta. TAs can use these types of binaries to evade detection mechanisms, as these binaries are trusted by Operating Systems,” the researchers explained.
It is noteworthy that Windows hides the .lnk extension by default. If a file is named file_name.txt.lnk, only file_name.txt is visible to the user, even when the option to show file extensions is enabled, the report explained. This is why threat actors have started using .lnk files – “as a disguise or smokescreen.”
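As an added illustration (not code from the Cyble report or this article), the following Python reads the string fields of a shortcut according to the MS-SHLLINK layout and flags the two tricks described above: a double extension that Explorer hides, and a target that is a native binary such as PowerShell or mshta. The sample .lnk bytes are constructed inline and point at a harmless command; the LOLBin list and the double-extension heuristic are assumptions of this example.

```python
import struct

# Layout constants from MS-SHLLINK; only the ShellLinkHeader and StringData sections are interpreted
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Native binaries the article names (PowerShell, mshta) plus a few other commonly abused script hosts (assumed list)
LOLBINS = {"powershell.exe", "mshta.exe", "cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon) of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:  # LinkTargetIDList: uint16 IDListSize followed by that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: uint32 LinkInfoSize, which counts the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "latin-1")
    fields = {}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORKING_DIR),
                     ("arguments", HAS_ARGS), ("icon", HAS_ICON)):
        if flags & bit:  # each item: uint16 CountCharacters, then the characters with no terminator
            count = struct.unpack_from("<H", data, off)[0]
            fields[key] = data[off + 2:off + 2 + count * width].decode(codec)
            off += 2 + count * width
    return fields


def assess_lnk(filename: str, data: bytes) -> list:
    """Flag the two tricks the article describes: a hidden double extension and a LOLBin target."""
    findings, lower = [], filename.lower()
    if lower.endswith(".lnk") and "." in lower[:-4]:  # heuristic: "invoice.txt.lnk" is shown as "invoice.txt"
        findings.append(f"disguised shortcut: Explorer shows it as {filename[:-4]!r}")
    info = parse_lnk(data)
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LOLBINS:
        findings.append(f"launches LOLBin {target} with arguments {info.get('arguments', '')!r}")
    return findings


def build_sample_lnk() -> bytes:
    """Constructed test fixture (harmless command): header plus Unicode StringData, no IDList or LinkInfo."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE).ljust(0x4C, b"\x00")
    item = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + item(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + item("-NoProfile -Command Write-Host sample")
```

Calling `assess_lnk("invoice.txt.lnk", build_sample_lnk())` returns both findings; a real scanner would additionally walk the IDList and LinkInfo blocks for the absolute target path.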
The new Quantum malware builder is most likely associated with the infamous Lazarus Group, as evidenced by overlaps between the tool’s source code and the threat group’s modus operandi. Lazarus hackers have been known to leverage .lnk files to deliver later-stage payloads, the report noted.
The threat actors behind the Quantum builder are updating their tool with new attack techniques, making it more attractive to other cybercriminals. The researchers expect to see increased use of similar builders in cybercriminals’ attack arsenals.