
North Korean hackers abuse LNKs and GitHub repos in ongoing marketing campaign

“A .lnk file is how Windows handles shortcuts: Whenever you click on that Outlook icon on your desktop, you’re actually clicking on a separate file that uses the Outlook picture and directs the operating system to open up Microsoft Outlook,” explained Jamie Boote, senior manager, strategic security consulting at Black Duck. “You can also create shortcut links (.lnk files) to websites, programs with additional commands, executable scripts, and just about anything else you could type into Windows’s Run command window.”

The LNK files in the campaign use various scripts. Earlier versions relied on simple character concatenation to mask the GitHub C2 address and the access token, the researchers said, adding that it was easy to determine that the script was meant to run a PowerShell command fetched from GitHub.

Later versions shifted to basic character-decoding functions, making detection a bit trickier, but they still carried telling metadata such as title, sizes, and modification dates that allowed researchers to connect them to the specific campaign. The title field repeatedly uses “Hangul document,” a pattern consistent with state-affiliated groups like Kimsuky, APT37, and Lazarus.
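The two obfuscation styles described above (plain string concatenation, then character-code decoding) are both mechanical enough that a triage script can undo them and surface the GitHub reference and token-shaped string they hide. The example below is added here and is not code from the article or from the researchers; it assumes the shortcut's command-line arguments have already been extracted with an LNK parser (for instance Eric Zimmerman's LECmd) and only works on that string. The sample argument strings are constructed for this example: the repository path and token are placeholders, not real campaign indicators.

```python
import re

# Constructed sample argument strings, modelled on the two obfuscation styles
# the article describes. They are NOT real campaign samples: the repo path and
# the token are placeholders. The download/execute part of a loader is left out
# on purpose; only the string-building that hides the C2 and token is shown.
SAMPLE_CONCAT = (
    "/c powershell -w hidden -c \"$u='https://raw.git'+'hubusercontent.com/'"
    "+'EXAMPLE-ORG/EXAMPLE-REPO/main/x.ps1';$t='ghp_'+'PLACEHOLDERTOKEN0000'\""
)
SAMPLE_CHARDEC = (
    "/c powershell -nop -c \"$u=-join([char]104,[char]116,[char]116,[char]112,"
    "[char]115,[char]58,[char]47,[char]47,[char]103,[char]105,[char]116,[char]104,"
    "[char]117,[char]98,[char]46,[char]99,[char]111,[char]109)\""
)
SAMPLE_BENIGN = "/c notepad.exe C:\\Users\\Public\\notes.txt"

# -join([char]N,[char]M,...) runs and individual [char]N literals.
CHAR_RUN = re.compile(r"-join\(\s*((?:\[char\]\s*\d+\s*,?\s*)+)\)")
CHAR_LIT = re.compile(r"\[char\]\s*(\d+)")
# Two adjacent single-quoted literals joined with '+'.
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
GITHUB_HOST = re.compile(r"raw\.githubusercontent\.com|api\.github\.com|github\.com", re.I)
# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_) followed by a long token body.
GH_TOKEN = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}")


def deobfuscate(cmd: str) -> str:
    """Collapse [char] runs and quoted-string concatenation into plain literals."""
    def join_run(m: re.Match) -> str:
        chars = "".join(chr(int(n)) for n in CHAR_LIT.findall(m.group(1)))
        return "'" + chars + "'"

    out = CHAR_RUN.sub(join_run, cmd)
    # Repeat until no 'a'+'b' pairs remain; each pass merges neighbouring pairs.
    prev = None
    while prev != out:
        prev = out
        out = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", out)
    return out


def triage(cmd: str) -> dict:
    """Return detection findings for one LNK argument string plus its cleartext."""
    findings = []
    if re.search(r"powershell|pwsh", cmd, re.I):
        findings.append("powershell-invocation")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        findings.append("hidden-window")
    if CONCAT.search(cmd):
        findings.append("string-concatenation-obfuscation")
    if CHAR_LIT.search(cmd):
        findings.append("char-code-obfuscation")
    clear = deobfuscate(cmd)
    if GITHUB_HOST.search(clear):
        findings.append("github-reference")
    if GH_TOKEN.search(clear):
        findings.append("github-token-like")
    return {"findings": findings, "deobfuscated": clear}


if __name__ == "__main__":
    for name, sample in (("concat", SAMPLE_CONCAT), ("chardec", SAMPLE_CHARDEC),
                         ("benign", SAMPLE_BENIGN)):
        result = triage(sample)
        print(f"{name}: {result['findings']}")
        print(f"  {result['deobfuscated']}")
```

Because the GitHub host and the token only appear after deobfuscation, the checks for them run on the cleartext, while the obfuscation checks run on the raw string; a shortcut that trips both an obfuscation finding and a GitHub finding is a much stronger signal than either alone. The token regex matches GitHub's documented prefixes, so a hit is also a cue to have the token revoked rather than just the file quarantined.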
