In a recent campaign originating from Israel, threat actors have reintroduced the use of Windows shortcut (.LNK) files as a means to deliver a sophisticated Remote Access Trojan (RAT). These seemingly benign shortcut files cleverly exploit Living-off-the-Land Binaries (LOLBins) such as odbcconf.exe, enabling them to silently register and execute malicious DLLs while evading detection by security tools.
The attack commences when unsuspecting victims are enticed to download a file named “cyber security.lnk” from a Discord channel. Upon activation, the shortcut opens a decoy PDF titled “Cyber Security.pdf” to distract the user, while a concealed PowerShell sequence operates in the background.
To maintain stealth, the script launches conhost.exe in headless mode, dynamically resolving the path to PowerShell and executing it without any visible console windows.
Subsequently, the PowerShell script creates a working directory under C:\Users\Public\Nuget and defines several key variables:
- Moq.zip: the malicious archive.
- Cyber security.pdf: the decoy.
- Cyber security.lnk: the malicious shortcut.
- $ENV:Temp and $env:PUBLIC: for file staging.
The raw LNK bytes are scanned for the %PDF magic header, facilitating the extraction of the embedded decoy PDF.
To cover its tracks, the LNK file is deleted, and the ZIP archive is extracted into the Nuget folder. After a brief pause, Moq.dll and supporting libraries—Dapper.dll, Newtonsoft.dll, and a file named Nunit—are revealed, while the ZIP is removed to enhance stealth.
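The carving step described above, seen from the analyst's side: the script scans its own LNK bytes for the %PDF magic and lifts the decoy out. The Python below is an added example, not code from the original article or from K7's analysis. It checks for a ShellLink header, finds the first %PDF- marker and carves through the last %%EOF. The sample shortcut and the tiny PDF it contains are constructed inline; nothing here is taken from the real sample.

```python
import sys
from typing import Optional

# ShellLink header constants (MS-SHLLINK): HeaderSize is 0x4C, followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a well-formed ShellLink header."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == LNK_MAGIC
            and data[4:20] == LNK_CLSID)


def carve_pdf(data: bytes) -> Optional[bytes]:
    """Return the first embedded PDF in data, or None if there is none.

    Starts at the first '%PDF-' magic and ends after the last '%%EOF' marker
    (a PDF with incremental updates carries several %%EOF lines; the last one
    closes the file). Any CR/LF directly after %%EOF is kept with the file.
    """
    start = data.find(b"%PDF-")
    if start == -1:
        return None
    end = data.rfind(b"%%EOF")
    if end < start:
        return None  # magic without a terminator: not a usable document
    end += len(b"%%EOF")
    while end < len(data) and data[end:end + 1] in (b"\r", b"\n"):
        end += 1
    return data[start:end]


def extract_decoy(data: bytes) -> dict:
    """Analyst view of a suspect shortcut: header check, PDF offset, carved bytes."""
    pdf = carve_pdf(data)
    return {
        "is_lnk": is_lnk(data),
        "pdf_offset": data.find(b"%PDF-") if pdf is not None else -1,
        "pdf": pdf,
        # A legitimate shortcut never carries a document payload, so an LNK
        # that contains a PDF at all is worth flagging regardless of content.
        "suspicious": is_lnk(data) and pdf is not None,
    }


# Constructed test input (not a real sample): a bare ShellLink header padded
# with zeros, 64 bytes of filler, a minimal but valid PDF, then trailing bytes.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"trailer<</Root 1 0 R>>\n"
    b"%%EOF\n"
)
SAMPLE_LNK = (
    LNK_MAGIC + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    + b"\x00" * 64 + SAMPLE_PDF + b"\x00" * 16
)


if __name__ == "__main__":
    # Usage: python carve_lnk_pdf.py suspect.lnk  (no argument: run on the sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    result = extract_decoy(raw)
    print(f"ShellLink header: {result['is_lnk']}, PDF at offset "
          f"{result['pdf_offset']}, suspicious: {result['suspicious']}")
    if result["pdf"] is not None:
        out = (sys.argv[1] if len(sys.argv) > 1 else "sample") + ".carved.pdf"
        with open(out, "wb") as fh:
            fh.write(result["pdf"])
        print(f"wrote {len(result['pdf'])} bytes to {out}")
```

The carver deliberately does not parse the full ShellLink structure: the decoy sits past the end of the link data, so the magic-string scan the malware itself uses is enough to recover it. If the PDF offset falls inside the parsed link structures on a real sample, the file is malformed in a way worth a closer look.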
DLL Execution and Core RAT
To activate the RAT discreetly, the script leverages odbcconf.exe, a legitimate Windows binary, executing the command:
odbcconf.exe /a {regsvr "C:\Users\Public\Nuget\moq.dll"}
This command registers and executes Moq.dll as a COM DLL, invoking its DllRegisterServer export. Rather than embedding all payload logic, Moq.dll dynamically loads Dapper.dll and Newtonsoft.dll, complicating reverse engineering efforts.
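Both launch steps in this chain (conhost.exe --headless wrapping PowerShell, and odbcconf.exe /a {regsvr ...} loading a DLL from a user-writable path) are visible in ordinary process-creation telemetry. The Python below is an added example, not code from the original article or from K7, that runs two such rules over constructed Sysmon-style events. The log format and the events themselves are assumptions made for the example; the second event is a benign installer use of odbcconf that must not fire.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# odbcconf's /a (action) switch with a REGSVR action loads the named DLL and
# calls its DllRegisterServer export. Match the action case-insensitively
# rather than relying on the spelling one sample happened to use.
REGSVR_RE = re.compile(r"/a\s*\{\s*regsvr\b", re.IGNORECASE)
# Locations a standard user can write to: a DLL registered from here is far
# more suspicious than one under Program Files or System32.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
HEADLESS_RE = re.compile(r"--headless\b", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value | Key=Value' into a dict (the constructed log shape used below)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply the two rules drawn from this campaign to one process-creation event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    findings = []

    if basename(image) == "odbcconf.exe" and REGSVR_RE.search(cmd):
        severity = "high" if USER_WRITABLE_RE.search(cmd) else "medium"
        findings.append(Finding("odbcconf_regsvr", severity, image,
                                f"DLL registration via LOLBin: {cmd}"))

    if (basename(image) == "conhost.exe" and HEADLESS_RE.search(cmd)
            and POWERSHELL_RE.search(cmd)):
        findings.append(Finding("conhost_headless_powershell", "medium", image,
                                f"PowerShell started without a visible console: {cmd}"))

    return findings


def scan(lines: List[str]) -> List[Finding]:
    results = []
    for line in lines:
        results.extend(evaluate(parse_event(line)))
    return results


# Constructed sample events (not real telemetry), in a simplified Sysmon
# Event ID 1 shape. Line 2 is a benign DSN setup by an installer and must not
# fire; line 4 is ordinary user activity.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\odbcconf.exe | ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=odbcconf.exe /a {regsvr "C:\Users\Public\Nuget\moq.dll"}',
    r'Image=C:\Windows\System32\odbcconf.exe | ParentImage=C:\Windows\System32\msiexec.exe | CommandLine=odbcconf.exe /a {CONFIGSYSDSN "SQL Server" "DSN=Finance"}',
    r'Image=C:\Windows\System32\conhost.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=conhost.exe --headless powershell.exe -w hidden -nop -enc ZQBjAGgAbwA=',
    r'Image=C:\Windows\System32\notepad.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=notepad.exe notes.txt',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The severity split matters in practice: odbcconf.exe does have legitimate REGSVR uses by installers, so alerting on the switch alone is noisy, while a REGSVR of a DLL under C:\Users\Public or a Temp directory has no sane business justification and can page someone.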
During dynamic analysis, Moq.dll exhibited several notable behaviors:
- Loaded amsi.dll and patched AmsiScanBuffer to always return failure, circumventing the Anti-Malware Scan Interface.
- Patched EtwEventWrite in ntdll.dll so that the process emits no ETW events, silencing the user-mode providers (including .NET runtime and PowerShell telemetry) that security tooling relies on. This only blinds events from the patched process itself; kernel-side providers are unaffected.
- Invoked WideCharToMultiByte to process the “Nunit” payload, which is decoded and passed to Dapper.dll’s NowYouCanSeeME() function.
- Used CLRCreateInstance to host the .NET runtime and execute the decoded PowerShell script.
The resulting PowerShell script, once deobfuscated, reveals AES-encrypted modules that the RAT decrypts at runtime, storing the plaintext in a variable for execution. For safety, analysts redirected this output to a file instead of executing it.
Upon execution, the malware ensures persistence by modifying the registry key:
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The Shell value is a comma-separated list of programs Winlogon starts at logon. The malware appends its launch command after explorer.exe, so the desktop still appears normally while the RAT is started on every user login.
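The check a practitioner wants here is simple: split the Shell value on commas and report anything that is not the stock explorer.exe. The Python below is an added example, not code from the original article or from K7. It audits a Shell value string, reads the live HKCU and HKLM values when run on Windows, and treats the presence of any HKCU Shell value as noteworthy, since on a default install the shell is configured under HKLM and the per-user value is normally absent. The benign and tampered values are constructed for the example.

```python
import platform
from typing import List, Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"


def split_shell_value(value: str) -> List[str]:
    """Split Winlogon's comma-separated Shell list, keeping quoted entries intact."""
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def audit_shell_value(value: Optional[str]) -> List[str]:
    """Return every Shell entry that is not the stock explorer.exe.

    None means the value is absent, which is the expected state under HKCU.
    An explorer.exe given with a path is accepted only under \\Windows\\, so a
    copy dropped elsewhere under that name is still reported.
    """
    if value is None:
        return []
    extras = []
    for entry in split_shell_value(value):
        bare = entry.strip('"')
        name = bare.rsplit("\\", 1)[-1].lower()
        wrong_place = "\\" in bare and not bare.lower().endswith(r"\windows\explorer.exe")
        if name != DEFAULT_SHELL or wrong_place:
            extras.append(entry)
    return extras


def read_shell_value(hive_name: str) -> Optional[str]:
    """Read Winlogon\\Shell from HKCU or HKLM on Windows; None if absent or not on Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # only importable on Windows
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]
    try:
        with winreg.OpenKey(hive, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return str(value)
    except FileNotFoundError:
        return None


# Constructed values (not taken from a real sample): the benign default and
# the pattern the article describes, a launcher appended after explorer.exe.
BENIGN = "explorer.exe"
TAMPERED = r'explorer.exe,powershell.exe -w hidden -NoP -File "C:\Users\Public\Nuget\launcher.ps1"'

if __name__ == "__main__":
    for hive_name in ("HKLM", "HKCU"):
        live = read_shell_value(hive_name)
        if hive_name == "HKCU" and live is not None:
            print("HKCU Shell value is present; that alone deserves a look")
        print(f"{hive_name} Shell = {live!r}; extra entries: {audit_shell_value(live)}")
    print("constructed tampered value flags:", audit_shell_value(TAMPERED))
```

Run it under the account in question, since HKCU is per user; a hunt across a fleet would read each loaded user hive rather than the current one.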
The RAT generates or retrieves a unique Bot ID and machine identifier from files in the Temp directory before contacting a hard-coded C2 URL (e.g., hotchichenfly.info). If the primary server is unreachable, it computes a fallback address based on the Bot ID and username. Commands from the C2 are base64-encoded and stored in temporary files, later decoded and executed as required.
Key capabilities of the RAT include:
- Collecting system metrics such as antivirus products, OS details, IP address, and username.
- Capturing screenshots, encoding them in base64, and exfiltrating them to a remote server.
- Uploading arbitrary files via the Dropbox API using stolen tokens.
- Entering a perpetual loop to fetch and execute new C2 commands.
This extensive feature set highlights the RAT’s versatility as a multi-functional espionage tool.
Mitigations
To combat this threat, security teams should consider implementing the following defensive measures:
- Block or closely monitor the execution of LOLBins such as odbcconf.exe for non-standard parameters.
- Enforce application whitelisting to prevent unauthorized DLL registrations.
- Enable and protect AMSI and ETW logging to detect in-memory patching attempts.
- Educate users about the risks associated with opening shortcuts and downloading files from untrusted chat platforms.
Given the sophistication of this LNK-based RAT and its reliance on legitimate Windows components, deploying a reputable security solution—such as K7 Total Security—and ensuring that signatures, heuristics, and behavioral detections are current is essential to thwarting future attacks. Continuous patching, strict privilege separation, and vigilant monitoring of abnormal process executions remain vital to maintaining a secure environment.
IOCs (MD5)
| Hash | Detection Name |
| --- | --- |
| 7391C3D895246DBD5D26BF70F1D8CBAD | Trojan (0001140e1) |
| 2956ec73ec77757271e612b81ca122c4 | Trojan (0001140e1) |
| 5a1d0e023f696d094d6f7b25f459391f | Trojan (0001140e1) |
| 92fc7724688108d3ad841f3d2ce19dc7 | Trojan (0001140e1) |