Thursday, January 23, 2025
HomeCyber Security NewsHackers Deploy Weaponized LNK Files for Malicious Payload Delivery

Hackers Deploy Weaponized LNK Files for Malicious Payload Delivery

Published on

SIEM as a Service

Follow Us on Google News

Researchers reported a phishing attack on December 4th, 2024, where malicious emails purportedly from the Ukrainian Union of Industrialists and Entrepreneurs were distributed, inviting recipients to a NATO standardization conference. 

The emails aimed to compromise systems by delivering malware, and CERT-UA warns users to be cautious of unsolicited emails, especially those with attachments or links from unknown sources.

A phishing email that contained a malicious hyperlink was sent to a victim, and when the victim clicked on the hyperlink, it caused the victim to download a shortcut file that was named “list_02-1-437.lnk.” 

Upon execution, this LNK file initiated the download and launch of the “start.hta” file, leveraging the system’s mshta.exe utility, which posed a potential security risk to the victim’s system.

The HTA file is a malicious script that leverages PowerShell to download and execute harmful payloads, which initiates the download and opening of a deceptive USPP letter and concurrently downloads a ZIP archive containing malicious files.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The execution of a BAT file, which occurs when these files are extracted to the local AppData directory, has the potential to compromise the system and steal data. 

Example of a chain of damage

Attack involves the deployment of a malicious script, “Registry.hta,” which is strategically placed in the autorun directory to ensure automatic execution upon system startup. 

The script initiates a series of actions, including the deletion of specific downloaded files and the subsequent launch of “update.exe,” a remote access Trojan (RAT) known as MESHAGENT and grants unauthorized remote control over the compromised system, enabling malicious activities such as data theft, surveillance, and further compromise.

The threat actor UAC-0185 (UNC4221) has been operational since at least 2022, targeting sensitive information from various platforms, as recent investigations have uncovered additional resources linked to the group, suggesting prolonged and sophisticated cyberattacks. 

According to CERT-UA, the group’s primary objectives include compromising messaging applications like Signal, Telegram, and WhatsApp, as well as military systems such as DELTA, TENETA, and Kropyva, to exfiltrate valuable credentials and sensitive data.

Cybercriminals are launching targeted attacks against employees of Ukrainian defense-industrial complex enterprises and the Defense Forces, which, though less widespread, aim to compromise systems using specialized tools like MESHAGENT and ULTRAVNC. 

Intrusions that are successful allow for unauthorized remote access to the computers of their victims, which may result in the theft of data, disruption of the system, or additional activity that is malicious. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...