The Latest in Software Functionality Abuse: URL Internet Shortcut Files Abused to Deliver Malware

Adding to a growing trend of phishing attacks wherein Windows and Office functionalities are abused to compromise victim systems, Cofense Intelligence™ has analyzed a recent campaign that uses the URL file type to deliver subsequent malware payloads. This file type is similar to a Windows LNK shortcut file (both file types share the same global object identifier within Windows) and can be used as a shortcut to online locations or network file shares. These files may abuse built-in functionality in Windows to enhance the ability of an attacker to deliver malware to endpoints.

By abusing these built-in functionalities, threat actors can complicate detection and mitigation in these scenarios, because the software is behaving exactly as it was designed to. The proliferation of abuse techniques indicates that threat actors may be increasingly prioritizing the use of such methodologies due to detection difficulties.

The emails analyzed by Cofense Intelligence include a nondescript phishing campaign that informs recipients of an attached bill, receipt, or invoice. The analysis performed for Threat ID 10993 focused on emails that deliver attached URL shortcut files with their target resource identified using the “file://” scheme. Windows environments use this scheme to denote a file resource that is on the hard drive or hosted on a network file share.

However, the target for these Uniform Resource Identifiers (URIs) can also be a remote resource. When a URL shortcut file is written to disk, Windows will attempt to validate the target denoted by the “file://” scheme. If validated, the remote resource can be downloaded to the local machine. The use of this file format and URI scheme may indicate that threat actors seek to abuse the resource resolution functionality associated with these shortcut files to deliver malware onto victims’ machines at the time the URL file is extracted from a Zip archive.

Figure 1 – URL shortcut files can reference remote file shares to deliver malware

During our analysis, there was no evidence that the downloaded JavaScript application can be run without user interaction. However, once the script application is executed, the infection process continues with the subsequent download and execution of the Quant Loader malware downloader. Quant Loader, in turn, runs a sample of the Ammyy Admin remote desktop administration software that is being repurposed as an effective remote access trojan by these attackers.

Figure 2 – Downloading a payload over SMB is a less-common method for malware delivery

This technique showcases yet another method in which commonplace Windows features are abused by threat actors, adding to the expanding set of delivery applications crafted to distribute malware.

The nature of these files reveals the risk involved with applications that obtain files simply by issuing connection requests without user interaction. Incident responders and network defenders must devise a response plan to address this scenario, especially if enterprises and organizations operate on a Windows environment. This campaign also demonstrates that as threat actors develop new attack methodologies, more emails are likely to reach user inboxes. Therefore, it is crucial that those users can identify and report such campaigns, because they are the final line of defense at that point.

Sign up for free threat alerts. Get phishing and malware trends delivered to your inbox: https://cofense.com/threat-alerts/

Locky-Like Campaign Demonstrates Recent Evolving Trends in Ransomware

Over the US Thanksgiving holiday, PhishMe Intelligence™ observed a recent ransomware campaign, Scarab, that shares some similarities in behavior and distribution with Locky. In this campaign, Scarab was delivered by the Necurs botnet, which made headlines due to its distribution of Locky, which was one of the most prolific ransomware families of 2016 and 2017. Like Locky, Scarab can encrypt targets via both online and offline encryption.

Panda versus DELoader: Threat Actors Experiment to Find the Best Malware for the Job

One important task for threat actors is the pursuit of new and innovative techniques for infiltrating their victims’ networks. A major aspect of this pursuit is the selection of a malware that can accomplish the mission at hand. For example, a ransomware threat actor may seek out the ransomware tool that guarantees the highest rate of ransom payment. However, threat actors with different missions might seek out tools using different success criteria. Threat actors can experiment and transition between these tools because, in many ways, these malware varieties represent interchangeable parts in an attack life cycle.

Off-the-shelf Zyklon Botnet Malware Utilized to Deliver Cerber Ransomware

Recent, large-scale distributions of the Zyklon botnet malware mark a continuing trend of off-the-shelf malware use. This multipurpose trojan, capable of supporting numerous criminal activities, has been identified in phishing attacks more and more frequently through the month of April. The bulk of these campaign have leveraged resume- and job-applicant-themed messaging as in the phishing narrative. The most recent analyses of this distribution have shown that the threat actors are attempting to leverage the malware’s full feature set by not only using it as an information stealer, but also as a downloader used to obtain and deploy the Cerber ransomware to infected endpoints. This technique demonstrates threat actor resourcefulness as well as the increasing commodification and democratization of malware utilities once reserved for only the most-technically-capable threat actors.

RockLoader – New Upatre-like Downloader Pushed by Dridex, Downloads all the Malwares

On 4/6, the Phishing Intelligence team came across a wave of phishing emails that contained a .js file packaged inside of a zip file used to deliver malware. This is nothing new, and has been seen being pushed out by resources associated with the Dridex botnet and the Locky encryption ransomware. The interesting piece is that the attackers are using a new piece of malware called RockLoader to download and install the malware on remote systems. Downloaders are nothing new, as Upatre was used with Dyre and Gameover ZeuS in the past. RockLoader has several tricks up its sleeve.