SSH commands

Cyber attackers are increasingly using malicious LNK files, which disguise themselves as harmless shortcuts, as an infection vector in 2024. Security experts, particularly Cyble Research and Intelligence Labs (CRIL), have noted a significant rise in this tactic. Attackers leverage LNK files to gain access to systems, triggering malicious actions that can deploy advanced malware. This method reflects a shift in attack vectors aimed at bypassing traditional security measures. One primary technique in these attacks is the exploitation of Living-off-the-Land Binaries (LOLBins), which are trusted system binaries manipulated to execute harmful commands without external malware. Attackers have refined their methods to evade detection by endpoint detection and response (EDR) solutions. Recent campaigns have incorporated SSH commands within malicious LNK files, allowing attackers to establish persistent connections and download malicious files from remote servers. This use of SSH is concerning as it is not typically associated with Windows systems, making it harder for conventional security measures to detect. Threat actors have also used SSH commands to execute malicious PowerShell or CMD commands indirectly through LNK files. For example, a malicious LNK file was found to trigger a PowerShell script that downloaded a malicious payload. Advanced Persistent Threat (APT) groups, known for their long-term cyber espionage, are increasingly utilizing these techniques, with groups like Transparent Tribe deploying stealer malware using similar methods. The combination of LNK files and SSH commands presents a significant threat to organizations, necessitating enhanced monitoring and detection systems to identify abnormal activities. Security teams must evolve EDR solutions to recognize malicious SSH and SCP activity, especially in environments where SSH is not commonly used. Additionally, organizations should restrict the use of legitimate SSH utilities and disable unnecessary features to minimize the attack surface.