In recent years, cyber attackers have continuously upgraded their tactics, exploiting a variety of tools and techniques to evade detection and compromise systems. One such trend that has caught the attention of security experts is the increasing use of malicious LNK files in conjunction with SSH commands.
These files, often disguised as legitimate shortcuts, have become an effective weapon in the arsenals of threat actors (TAs), enabling them to infiltrate systems and deploy a wide range of malicious payloads. Cyble Research and Intelligence Labs (CRIL) has closely investigated this rising threat and found that, in 2024, the use of LNK files as an infection vector is on the rise.
The Shift in Attack Vectors: LNK Files as an Entry Point
In its investigation, CRIL identified a trend where attackers are increasingly using LNK files to infiltrate targeted systems. These shortcut files, typically designed to point to a specific application or location on a computer, are often disguised as innocuous documents or files to trick users into executing them. Once opened, they initiate a chain of malicious activities, leading to the deployment of more sophisticated malware and enabling cybercriminals to establish a foothold within the compromised environment.
The growing use of LNK files as a delivery mechanism for cyberattacks is part of a broader shift in the tactics employed by threat actors. By leveraging these shortcut files, attackers aim to bypass traditional security defenses, including antivirus programs and endpoint detection and response (EDR) solutions.
Living-Off-the-Land Binaries (LOLBins) and Evasion Techniques
One of the primary techniques utilized by attackers in these LNK-based campaigns is the use of Living-off-the-Land Binaries (LOLBins). These are trusted system binaries that are already present in the operating system and are typically used for legitimate purposes. However, when exploited by cybercriminals, they can serve as powerful tools for executing malicious commands without the need to deploy external malware. In many of these attacks, attackers leverage various LOLBins to download or execute additional malicious payloads, further advancing their attack chain.
While modern EDR solutions are designed to detect suspicious activities involving LOLBins, the sophistication of these attacks continues to evolve. Attackers have refined their methods to bypass detection, making it crucial for organizations to implement more advanced detection mechanisms that can identify malicious use of trusted system utilities.
SSH Commands in Malicious LNK Files: A New Layer of Sophistication
One of the more interesting developments observed in recent campaigns is the incorporation of SSH commands within malicious LNK files. Traditionally used for secure communication between systems, SSH commands have now been weaponized by attackers to establish persistent connections, execute malicious payloads, and maintain control over compromised systems.
CRIL’s research has uncovered several campaigns where SSH commands, specifically those using the Secure Copy Protocol (SCP), have been used within LNK files. SCP allows attackers to download malicious files from remote servers to a compromised system, where they are then executed to further the attack.
Once the file is downloaded, it is executed, advancing the attacker’s objectives. This technique is particularly concerning because the use of SSH for such operations is not common on Windows systems, allowing the activity to go undetected by traditional security systems.
Exploiting PowerShell and CMD Through SSH
In addition to using SCP for file downloads, threat actors have also employed SSH commands to indirectly execute malicious PowerShell or CMD commands through the LNK file. These commands can be configured to load and execute additional payloads or exploit other system utilities.
One such attack observed by CRIL involved a malicious LNK file that used an SSH command to trigger a PowerShell script, which then called mshta.exe to download a malicious payload from a remote URL. The execution of the malicious PowerShell script led to the deployment of a harmful file on the compromised system.
Furthermore, attackers have also leveraged cmd.exe and rundll32 commands to load malicious DLL files and execute them, further complicating detection efforts. In one such case, the attackers used the LNK file to execute a series of commands that ultimately launched a PDF file containing a lure document, which, when opened, triggered the execution of malicious code.
Tactics Employed by Advanced Persistent Threat (APT) Groups
As the sophistication of these attacks continues to grow, APT groups are increasingly incorporating SSH-based techniques into their campaigns. These groups are known for their targeted and long-term cyber espionage activities, and their use of LNK files and SSH commands demonstrates their ongoing refinement of attack methods.
Notably, the Transparent Tribe, a well-known APT group, has been linked to the deployment of stealer malware via similar techniques. In these attacks, the malicious payloads are often compiled using Go, making them harder to detect and analyze.
The Need for Vigilance and Enhanced Detection
The combination of LNK files and SSH commands represents a significant threat to organizations worldwide. As attackers continue to refine their methods, it is essential for security teams to implement monitoring strategies and detection systems capable of identifying abnormal activities, such as the malicious use of trusted system binaries.
EDR solutions must evolve to detect the subtle signs of malicious SSH and SCP activity, especially in environments where SSH is not typically used. By closely monitoring the legitimate SSH utility and restricting its use to authorized personnel, organizations can reduce the risk of exploitation. Additionally, disabling unnecessary features, such as OpenSSH, on systems where they are not required, can help limit the attack surface.
