LNK Files Distributed Through Breached Legitimate Websites (Detected by EDR)

AhnLab Security Emergency response Center (ASEC) detected circumstances of a malware strain being distributed through breached legitimate websites using various file names, prompting users to run them. This post will introduce how AhnLab EDR analyzes and detects the method of malware distribution using LNK files as the medium, a method that has been employed often in recent times.

Pomerium Project Related Inquiry Data.txt.lnk
Data Regarding Application for Changes Before the 2023 Iris Agreement.txt.lnk
Suyeon Oh Statement Data.txt.lnk
On Inquiry Confirmation.txt.lnk
Deep Brain AI Interview Guide.txt.lnk
Recruitment Related Information.txt.lnk
Table 1. Distributed file names

Malware distribution occurs using compressed files with the same file name as those in Table 1. The files prompt users to download and execute them. This threat actor is known for breaching legitimate websites to use them as distribution platforms. The attacker uses non-PE files since unlike PE files, non-PE files are relatively easy to modify. As the files are downloaded through websites that are operated normally, users must use products like EDR which has behavior-based loggings and detections.

Figure 1. Infiltration/Exfiltration detection

AhnLab EDR records files infiltration and exfiltration. The screen above shows the infiltration/exfiltration detection feature which allows users to view the infiltration path and file information at a glance.

Figure 2. Content of the downloaded file
Figure 3. Content of the LNK file

The downloaded file is shown in Figure 2. When the file is decompressed, a .txt.lnk file disguised with the .txt file extension is created. The LNK file impersonating a Notepad icon contains a script and a CAB file.

Figure 3 shows the content of the LNK file. The left part shows the execution command line of the LNK file and the right part shows the HTML script within that file. The LNK file runs the HTML script within through mshta, a default Windows process. The HTML script in turn runs an obfuscated VBS script.

Figure 4. Screen showing LNK being run, detected by EDR

Figure 4 shows the execution of the aforementioned content in Figure 3. You can see the mshta command line executed through the LNK file as well as the decrypted execution command line of the VBS script within the HTML run through mshta. The lines’ major features are reading the LNK file through the PowerShell process and dropping the CAB file embedded within the LNK file to decompress and execute the CAB file through the expand process.

Figure 5. Decompression using the expand process

Figure 5 shows the detection of the dropped CAB file being decompressed with the expand process. The screen displays the command line being decompressed by exploiting the expand process, as well as the path where the malicious file is created.

Figure 6. Malicious behaviors of the BAT script
Figure 7. Malicious behaviors of the BAT script, detected by EDR

Figure 6 shows the malicious features of the script decompressed from the CAB file. Its major features include executing another script decompressed from the CAB file, collecting system information, registering itself to the autorun registry, and sending data. Figure 7 shows the detection of these execution details through AhnLab’s EDR product. Additionally, the script also includes features such as attempting to download additional files, decoding and executing the downloaded file through certutil, and so on.

Figure 8. EDR diagram screen

In this post, we covered a method of malware distribution that breaches legitimate websites and uses various file names to prompt users to run them. Figure 8 shows the overall diagram of this distribution process. You can see the details covered above at a glance as well as the attack flow.

Using various file names to prompt users to execute files is currently a commonly used method. Because the distribution platforms are legitimate websites that have been breached, users find it difficult to realize they are downloading malware. To detect such methods of distribution, behavior detection must be activated in V3, an endpoint anti-malware product. If your system is infected, you must take measures after checking the details through EDR.

Because legitimate websites are breached and being used in distribution, the URLs of these distribution sites are not released with the IOC information. Related information will be posted separately on AhnLab TIP (Threat Intelligence Platform) ASEC Notes (This report supports Korean only for now.) to provide information for relevant organizations.

[Behavior Detection]

[File Detection]


AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post LNK Files Distributed Through Breached Legitimate Websites (Detected by EDR) appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/58919/