Uh oh, malicious Windows shortcuts are making a return

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

At least two threat actors have recently been observed distributing malicious Windows shortcut files designed to infect victims with malware.

Late last week, cybersecurity researchers from Varonis reported seeing the dreaded Emotet threat actor, as well as the lesser-known Golden Chickens group (AKA Venom Spider), distributing .ZIP archives via email, and in those archives, .LNK files.

Using Windows shortcut files to deploy malware or ransomware on the target endpoint is not exactly novel, but these threat actors have given the idea a brand new spin. 


<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"">end of this survey to get the bookazine, worth $10.99/£10.99.

Shortcuts posing as PDF files

The majority of older readers are probably guilty of customizing their game desktop shortcuts in the past, at least on one occasion.

In this particular campaign, the threat actors replaced the original shortcut icon with that of a .PDF file, so that the unsuspecting victim, once they receive the email attachment, can’t spot the difference with a basic visual inspection.

But the danger is real. Windows shortcut files can be used to drop pretty much any malware onto the target endpoint, and in this scenario, the Emotet payload is downloaded into the victim’s %TEMP% directory. If successful, the Emotet payload will be loaded into memory using “regsvr32.exe”, while the original dropper gets deleted from the %TEMP% directory.

The best way to protect against these attacks, researchers are saying, is to thoroughly inspect every email attachment coming in, and to quarantine and block any suspicious content (that includes ZIP-compressed files with Windows shortcuts).

Admins should also restrict the execution of unexpected binaries and scripts from the %TEMP% directory, and limit user access to Windows scripting engines such as PowerShell and VBScript. They should also enforce the need for scripts to be signed via Group Policy.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.