The abuse of shortcut (LNK) files is steadily gaining traction among cybercriminals. We’ve seen a plethora of threats that leverage malicious LNK files: from well-known ransomware families, backdoors typically deployed in targeted attacks, and banking Trojans to spam emails, and even an exploit for an LNK vulnerability itself. These threats are usually exacerbated by the further abuse of legitimate tools such as PowerShell or the script automation utility AutoIt. It’s thus not surprising that we discovered an information stealer employing LNK files, which our sensors detected in Israeli hospitals.
Healthcare is considered a cybercriminal cash cow, as it can be a lucrative source of personally identifiable information that can be monetized in underground marketplaces. Initial findings revealed that any browser-based information, e.g., login credentials, can be stolen, which makes the security of browser-based management systems and applications an important concern.
We have observed its attempts to gain footholds in the systems and the local networks’ shared folders. Another notable aspect we’re seeing so far is the combination of worm propagation and stealth capabilities.
Our monitoring and analyses are still ongoing and we will update this post as we find more details about the threat. Here’s what we know so far:
Propagation via worm. Initial analysis of the malware indicates it propagates via a worm. It creates copies of itself, including shortcut files, a non-malicious AutoIt executable, and a malicious AutoIt script into the affected system’s root directory, i.e., C:\WinddowsUpdated\<file copy>.
Masquerades as a Windows updater. The shortcut files pose as browser and Windows updaters, a web 3D creation tool, and links to the system’s Downloads and Games folder.
Execution via AutoIt. AutoIt is a legitimate scripting language and runtime designed to automate tasks (i.e., macros) for several programs in Windows. However, it’s known to be abused for wrapping various remote access trojans (RATs). In this case, a legitimate AutoIt executable is used to run a secondary file that contains the malicious commands. We’ve actually seen a similar threat in the form of the IPPEDO worm (WORM_IPPEDO.B) back in 2014.
It gathers system information. The malware executes a command to retrieve system information via C:\WINDOWS\system32\cmd.exe /c SystemInfo.
LNK files are spawned on the affected machines. The LNK files embed this malicious command:
cmd.exe /c start ..\WinddowsUpdateCheck\WinddowsUpdater.exe "..\WinddowsUpdateCheck\WinddowsUpdater.zip" & exit
The threat appears to be a highly obfuscated information stealer. The samples we are currently analyzing were highly obfuscated, with payloads hidden under layers of encryption. The packages we saw each contain four malicious LNK files. These LNK files issue commands that lead to AutoIt’s execution of .TNT and .EXE files. Based on the behavior we’ve observed so far, it appears to conduct browser-based information theft and to record keystrokes. This actually makes sense given the sensitive nature of the information that goes through healthcare organizations.
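To show how a defender can pull the embedded command out of a shortcut and flag the launcher pattern quoted above, here is an added Python example (not code from the original post or from Trend Micro). It parses the ShellLinkHeader and StringData sections of the MS-SHLLINK format, then applies a simple heuristic for a cmd.exe /c start chain that runs an .exe with a .zip or .TNT argument; the sample shortcuts are constructed in the code, and the heuristic thresholds are assumptions of this example.

```python
import struct

# LinkFlags bits and the ShellLink CLSID from the MS-SHLLINK specification.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields of a .lnk: enough to see what it launches."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_IDLIST:      # LinkTargetIDList: uint16 size, then the ItemIDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: uint32 total size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:   # each: uint16 character count, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return fields

def is_suspicious_launcher(fields: dict) -> bool:
    """Heuristic (assumption of this example): cmd.exe /c start <x>.exe "<data file>" & exit."""
    args = fields.get("arguments", "").lower()
    target = fields.get("relative_path", "").lower()
    via_cmd = "cmd.exe" in target or "cmd.exe" in args
    chained = "/c" in args and "start " in args and "& exit" in args
    exe_plus_blob = ".exe" in args and any(e in args for e in (".zip", ".tnt"))
    return via_cmd and chained and exe_plus_blob

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: a minimal Unicode shell link carrying only StringData."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))       # remaining header fields left zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body

# Constructed samples: the command line quoted in the write-up, and a benign shortcut.
RETADUP_STYLE_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
    r'/c start ..\WinddowsUpdateCheck\WinddowsUpdater.exe "..\WinddowsUpdateCheck\WinddowsUpdater.zip" & exit')
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\Public\notes.txt")
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo before the strings, which the parser skips by their size fields; a production check should also inspect the resolved target path, not only the relative path.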
As the threat landscape continues to mature and diversify, the IT/system administrators and information security professionals that secure organizations should do the same. Among these countermeasures: patch and keep the system updated, enforce the principle of least privilege, secure the gateways to reduce attack surface, and implement defense in depth by arraying multilayered security mechanisms—from endpoints, networks, and servers.
Indicators of Compromise (IoCs): SHA-1 hashes of the samples, detected as WORM_RETADUP.A and LNK_RETADUP.A.