Varonis Threat Labs has recently observed a rise in cyberattacks that use malicious Windows shortcut (.lnk) files as the initial lure. Both targeted attacks by the Malware-as-a-Service provider Golden Chickens (also known as Venom Spider) and malspam campaigns by Emotet have been seen relying on the technique.
“These campaigns show once again that cybercriminals keep using proven tactics, even if they seem to have gone out of style long ago.” Shortcut files let users point to any file or folder and are what populates the Start menu with convenient entries. By default, a Windows shortcut displays the icon of its target file type, overlaid with a small arrow.
However, the icon can be set to anything, so a shortcut can be made to look like some other, seemingly legitimate file type. Explorer also never shows the .lnk extension, even when extensions for other file types are displayed, so the icon and the small arrow overlay are the only visible cues. The malicious shortcut therefore looks like any other shortcut the victim is used to seeing, while its target launches an initial stager through legitimate, already-present system utilities (the living-off-the-land binaries, or LOLBins, technique). “This fairly simple social engineering technique can trick victims into viewing malicious content. It also doesn’t require complex exploits or suspicious initial payloads.”
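To make the icon-versus-target mismatch concrete, here is an added example (not code from Varonis or from the original article) that parses the string fields of a shortcut according to the public MS-SHLLINK layout and applies a few triage rules to them; the same parser is what an attachment scanner would run over .lnk files found inside archives. The LOLBin list, the argument keywords, and the two sample shortcuts are constructed assumptions for illustration, not indicators from any observed campaign.

```python
"""Minimal .lnk (MS-SHLLINK) parser plus triage rules for spotting spoofed shortcuts."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimized, out of the user's sight

# Assumed heuristics (not from the article): binaries attackers chain from shortcuts, and
# argument fragments that indicate staging from user-writable locations or hidden execution.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "wmic.exe", "ie4uinit.exe", "certutil.exe", "msiexec.exe"}
SUSPICIOUS_ARG_TOKENS = ("%temp%", "\\appdata\\", "-enc", "-encodedcommand", "-w hidden",
                         "bypass", "iex", "downloadstring", "javascript:", "vbscript:")


def build_lnk(rel_path, args="", work_dir="", icon="", icon_index=0, show=1):
    """Assemble a shortcut from StringData fields only (no IDList/LinkInfo); used to construct samples."""
    flags = IS_UNICODE
    fields = []
    # StringData order in the file: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
    for flag, value in ((HAS_REL_PATH, rel_path), (HAS_WORK_DIR, work_dir),
                        (HAS_ARGS, args), (HAS_ICON, icon)):
        if value:
            flags |= flag
            fields.append(struct.pack("<H", len(value)) + value.encode("utf-16le"))
    # Header: size, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 (76 bytes in total)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, icon_index, show, 0, 0, 0, 0)
    return header + b"".join(fields)


def parse_lnk(data):
    """Validate the fixed header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, _attrs, _ct, _at, _wt, _size, icon_index, show = struct.unpack_from("<IIQQQIiI", data, 20)
    pos = 0x4C
    if flags & HAS_ID_LIST:            # IDListSize (2 bytes) precedes the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"icon_index": icon_index, "show_command": show}
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        value = ""
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                value = data[pos:pos + 2 * count].decode("utf-16le")
                pos += 2 * count
            else:
                value = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
        info[key] = value
    return info


def triage(info):
    """Return human-readable findings; an empty list means nothing looked off.

    Caveat: real samples may carry the target only in the IDList, which this parser skips,
    so an empty relative_path is itself worth a closer look in production tooling."""
    findings = []
    target = info["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    icon = info["icon_location"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LOLBINS:
        findings.append(f"target is a LOLBin: {target}")
    if target.endswith(".exe") and icon and icon != target:   # icon borrowed from another file
        findings.append(f"icon taken from {icon} while target is {target}")
    hits = [t for t in SUSPICIOUS_ARG_TOKENS if t in info["arguments"].lower()]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimized (SW_SHOWMINNOACTIVE)")
    return findings


# Constructed samples, not captured artifacts: a cmd.exe shortcut wearing a system icon, and a plain one.
SPOOFED = build_lnk(r"..\..\..\Windows\System32\cmd.exe", args=r'/c start "" %TEMP%\invoice.vbs',
                    work_dir="%TEMP%", icon=r"%SystemRoot%\System32\imageres.dll",
                    icon_index=-2, show=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    for label, blob in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, triage(parse_lnk(blob)))
```

Run as a script it prints four findings for the spoofed sample and none for the benign one; for gateway use, feed `parse_lnk` the bytes of each `.lnk` member extracted from an attached archive and quarantine on any finding.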
Windows Shortcuts: Countermeasures Against Cyberattacks
Because users generally regard Windows shortcuts as benign, and because the recently observed campaigns follow a similar pattern, security teams should implement the following measures to mitigate the threat:
- Scan email attachments and quarantine or block questionable content, in particular compressed archives containing Windows shortcut (.lnk) files; attackers wrap them in archives because a bare .lnk attachment is blocked by Outlook and most mail gateways.
- Prevent the execution of unexpected binaries and scripts from the %TEMP% directory and other user-writable locations, for example with AppLocker or Windows Defender Application Control rules that only allow execution from Program Files and the Windows directory.
- Restrict user access to Windows scripting engines such as PowerShell and VBScript (wscript.exe and cscript.exe), and require signed scripts via Group Policy (for PowerShell, the AllSigned execution policy). Execution policy is a safety feature rather than a security boundary, so pair it with application control and script block logging.
- Alert on unexpected execution of legitimate LOLBins such as ie4uinit.exe and wmic.exe by ordinary, non-administrative users, especially when the parent process is explorer.exe (a double-clicked shortcut) or the command line references a user-writable path.
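As an added example (not from the article or from Varonis), the following detection pass applies the last two measures to process-creation telemetry: it flags binaries started from a temp directory, and LOLBins that an interactive user launched via explorer.exe or pointed at a user-writable path. The event fields, the LOLBin set, the parent-process rule and the five sample events are constructed assumptions for illustration.

```python
"""Detection pass over process-creation events for the shortcut-to-LOLBin chain described above."""
import re

# Assumed heuristics (not from the article): LOLBins commonly chained from shortcuts, the
# writable staging paths installed software should not run from, and the parent that means
# "a person double-clicked something".
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "wmic.exe", "ie4uinit.exe", "certutil.exe"}
TEMP_DIR_PATTERN = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
USER_LAUNCHERS = {"explorer.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event trips; an empty list means the event is left alone."""
    image, parent, cmdline = event["image"], event["parent"], event["cmdline"]
    hits = []
    if TEMP_DIR_PATTERN.search(image):
        hits.append("exec_from_temp")
    if basename(image) in LOLBINS:
        if basename(parent) in USER_LAUNCHERS:
            hits.append("lolbin_from_user_launcher")
        if TEMP_DIR_PATTERN.search(cmdline):
            hits.append("lolbin_touches_temp")
    return hits


def alerts(events):
    """Collect (user, image name, tripped rules) for every event that trips at least one rule."""
    out = []
    for e in events:
        rules = classify(e)
        if rules:
            out.append((e["user"], basename(e["image"]), rules))
    return out


# Constructed sample events in a Sysmon-like shape; none are real telemetry.
EVENTS = [
    {"user": r"CORP\alice", "image": r"C:\Windows\System32\wmic.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wmic process call create "cscript //nologo C:\Users\alice\AppData\Local\Temp\stage.js"'},
    {"user": r"CORP\alice", "image": r"C:\Users\alice\AppData\Local\Temp\7zO1A2B\update.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "update.exe"},
    {"user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\wmic.exe",
     "parent": r"C:\Program Files\Inventory\agent.exe", "cmdline": "wmic os get caption"},
    {"user": r"CORP\bob", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"WINWORD.EXE" C:\Users\bob\Documents\q3.docx'},
    {"user": r"CORP\bob", "image": r"C:\Windows\System32\ie4uinit.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "ie4uinit.exe -BaseSettings"},
]

if __name__ == "__main__":
    for user, image, rules in alerts(EVENTS):
        print(f"{user:22} {image:14} {', '.join(rules)}")
```

The SYSTEM-launched wmic.exe from an inventory agent and the Word document open stay quiet; the three shortcut-style launches are reported with the rules they tripped, which is the shape a SIEM correlation rule for this campaign pattern would take.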
Since its inception in 2005, Varonis has taken a different approach than most IT security vendors. The provider places the company data stored locally and in the cloud at the center of the security strategy. Varonis Data Security Platform (DSP) detects insider threats and cyberattacks by analyzing data, account activity, telemetry, and user behavior.