Malicious LNK Files Use PowerShell to Deliver Payload



This week, the Sonicwall Capture Labs Research team has observed an increase in shortcut-based (LNK) malware. These seemingly legitimate LNK files execute PowerShell commands to download malware from a remote server.

Infection Cycle

The malware sample arrives as a file with a .lnk file extension and may use the following names:

  • New product Reebok 2023.lnk
  • Income and benefits – UNIQLO 2023.lnk
  • Requirements and responsibilities – UNIQLO 2023.lnk
  • LAST STUDIO List new product 2023.lnk
  • Last Studio 2023 New Arrivals Campaign Contract.lnk

Executing the .lnk file will run an instance of powershell.exe in the background. PowerShell is built in to Windows and is used as a scripting language that is mostly used to automate admin tasks.

The script is base64 encoded, and when decoded, it shows that its main purpose is to download additional files from a remote server.

Figure 1: Command line

The execution of this script is done without the knowledge of the user and utilizes the following options when running PowerShell.

p o w e r s h e l l . e x e - N o L o g o - N o P r o f i l e - W i n d o w S t y l e h i d d e n - E x e c u t i o n P o l i c y b y p a s s - E n c o d e d C o m m a n d

Meanwhile, an image file is launched and shows a picture of a product. In the screenshot below, an image of what seems like a Reebok-branded outfit is shown when executing the malicious LNK file named “New product Reebok 2023.lnk”.

Figure 2: Reebok outfit

During our analysis, a file named svczHost.exe was downloaded in \Windows\Temp.

Figure 3: Powershell.exe connecting to a remote host to download a file which was saved into %temp% directory as svczHost.exe

This then further downloaded another file named MyRdpService.exe in the same directory.

Figure 4: SvczHost.exe connecting to a remote host and downloading an additional component file that was later written into %temp% directory as myRdpService.exe

As seen in Figures 5 and 6, MyRdpService.exe was constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 5: MyRdpService.exe constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 6: Encrypted packet sent to remote C&C by MyRdpService.exe

Figure 7 shows a log file named logrdp.txt was created which looks like the connection log file. Interestingly the log file, contains some text in Vietnamese.

Figure 7: Log file

We have seen an increasing amount of malicious LNK files used by cybercriminals to deliver payloads. These Windows shortcut files can contain malicious code to abuse legitimate windows system tools, which is a simple way for criminals to evade detection.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Suspicious#powershell.steal (Trojan)
• GAV: Infostealer.AIL (Trojan)

This threat is also detected by SonicWALL Capture ATP with RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.