Select Page

Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot.

A recent study by cybersecurity experts has shown that it is possible to identify relationships between different threat actors by analysing the metadata of malicious LNK files, uncovering information such as the specific tools and techniques used by different groups of cybercriminals, as well as potential links between seemingly unrelated attacks.

“With the increasing usage of LNK files in attack chains, it’s logical that threat actors have started developing and using tools to create such files,” Cisco Talos researcher Guilherme Venere said in a report shared with The Hacker News.

This comprises tools like NativeOne‘s mLNK Builder and Quantum Builder, which allow subscribers to generate rogue shortcut files and evade security solutions.

Some of the major malware families that have used LNK files for initial access include Bumblebee, IcedID, and Qakbot, with Talos identifying connections between Bumblebee and IcedID as well as Bumblebee and Qakbot by examining the artefacts’ metadata.

images from Hacker News