Hackers use innocent-looking shortcuts to deliver stealthy malware
Farah Amod
Aug 30, 2025 6:32:48 AM

Cybersecurity teams are warning Windows users of a new wave of infections delivered through deceptive LNK files that appear harmless but silently install backdoors like REMCOS.
What happened
Security researchers from Point Wild’s Lat61 Threat Intelligence Team have issued an alert about ongoing malware campaigns that use Windows shortcut (LNK) files to infect users with powerful backdoors, including REMCOS. These malicious LNK files mimic PDF or Word documents and are often delivered via phishing emails, archives, malicious websites, or pirated software.
When clicked, the LNK file executes a command that installs malware, giving attackers extensive control over the system. The files often evade detection because they appear legitimate and do not trigger any security prompts.
Going deeper
The LNK files serve as disguised carriers for malicious commands. Instead of linking to a real document or application, they execute instructions using legitimate Windows tools like PowerShell, CMD, or rundll32.exe. These commands can allow attackers to steal files, record from webcams or microphones, take screenshots, log keystrokes, or run other harmful processes, all without the user's knowledge.
Windows’ default settings further enable these attacks by hiding file extensions, allowing attackers to name files like “Invoice.pdf.lnk,” which displays simply as “Invoice.pdf.” Users are therefore less likely to suspect the file is a shortcut, especially when paired with a convincing icon.
The malware is delivered in stages. In some cases, the LNK file executes a small command that downloads the rest of the malware package from a remote server, leaving little to no trace on the local disk. Obfuscation and exploitation of Windows features like Alternate Data Streams or custom icon paths are also commonly used to conceal the attack.
What was said
Point Wild’s report urges caution when opening files, especially those received by email or from unfamiliar sources. “Malicious LNK shortcut files remain a serious threat because they’re easy to create, hard to detect, and trick users into running harmful commands,” researchers said. Unlike Office macros, LNK files do not prompt any warnings before execution.
Investigators linked two IP addresses, one in Romania and one in the U.S., to the infrastructure supporting the campaign. Domains like “shipping-hr[.]ro” and “mal289re1[.]es” were among those used to deliver the attacks.
FAQs
What makes LNK files different from other malware delivery methods?
Unlike Office documents with macros, LNK files execute silently and don’t prompt warnings. They rely on built-in system tools and user trust in familiar icons.
Why are LNK files hard to detect?
They look like normal files and often mimic trusted formats (e.g., PDFs). Obfuscation techniques and the use of trusted system paths make them harder for both users and antivirus software to flag.
Can antivirus software catch these LNK-based attacks?
Detection depends on how the malware behaves after execution. Some advanced endpoint protection tools can catch the activity, but many traditional tools miss it unless the payload is well-known.
How can users spot a malicious LNK file?
It’s difficult, but users can enable file extension visibility in Windows and inspect file properties. However, many LNKs use complex commands that are still hidden or obfuscated even in the properties window.
What can be done at the system level to reduce this risk?
IT administrators can disable Windows features commonly abused by LNK malware (like scripting tools), enforce file extension visibility, and block known malicious domains/IPs at the network level.
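As an added defender-side example (not code from the article or from Point Wild's report), the following PowerShell script resolves each shortcut in a folder through the WScript.Shell COM interface and flags the traits described above: a decoy document extension such as "Invoice.pdf.lnk", a target that is PowerShell, CMD, rundll32 or another script host, long or Base64-encoded arguments, and an icon borrowed from another file. The scan folder, the host list and the regex patterns are assumptions to adjust for your environment.

```powershell
# Added triage example, not from the original article. Assumed defaults:
# scan the current user's Downloads folder recursively.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Interpreters a malicious shortcut typically launches instead of a document.
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'rundll32.exe',
                 'mshta.exe', 'wscript.exe', 'cscript.exe')
# Document extensions a shortcut may impersonate once ".lnk" is hidden.
$decoyExtensions = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt')

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $Path -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $arguments = [string]$lnk.Arguments     # COM may return $null; force a string
    $target = [string]$lnk.TargetPath
    $icon = [string]$lnk.IconLocation       # "path,index"; ",0" when no custom icon
    $reasons = @()

    # 1. Double extension: "Invoice.pdf.lnk" has BaseName "Invoice.pdf".
    $inner = [System.IO.Path]::GetExtension($_.BaseName).ToLower()
    if ($decoyExtensions -contains $inner) { $reasons += "decoy extension $inner" }

    # 2. Target is a script host or command interpreter rather than a document.
    $targetName = [System.IO.Path]::GetFileName($target).ToLower()
    if ($scriptHosts -contains $targetName) { $reasons += "target $targetName" }

    # 3. Unusually long, encoded, or download-oriented arguments.
    if ($arguments.Length -gt 200) { $reasons += "long arguments ($($arguments.Length) chars)" }
    if ($arguments -match '(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}') { $reasons += 'encoded command' }
    if ($arguments -match '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin') { $reasons += 'download primitive' }

    # 4. Icon taken from a different file than the target (document impersonation).
    if ($icon -and $icon -notmatch '^,\d+$' -and $icon -notlike "$target*") { $reasons += "custom icon $icon" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            File    = $_.FullName
            Target  = $target
            Args    = $arguments.Substring(0, [Math]::Min(80, $arguments.Length))
            Reasons = ($reasons -join '; ')
        }
    }
}
```

Run it as `.\Find-SuspiciousLnk.ps1 -Path C:\Users\Public` (assumed file name) and review the flagged shortcuts manually; a hit is an indicator for triage, not a verdict.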