LNK Builders

I’ve blogged a bit…okay, a LOT…over the years on the topic of parsing LNK files, but a subject I really haven’t touched on is LNK builders or generators. This is actually an interesting topic because it ties into the cybercrime economy quite nicely: there are “initial access brokers”, or “IABs”, who gain and sell access to systems, and there are “RaaS” or “ransomware-as-a-service” operators who provide ransomware EXEs and infrastructure, for a price. There are a number of other for-pay services, one of which is LNK builders.

In March, 2020, the Check Point Research team published an article regarding the mLNK builder, which at the time was version 2.2. Reading through the article, you can see that the builder includes a great deal of functionality; there’s even a pricing table. Late in July, 2022, Acronis shared a YouTube video describing version 4.2 of the mLNK builder, which was available by then.

In March, 2022, the Google TAG published an article regarding the “Exotic Lily” IAB, describing (among other things) their use of LNK files, and including some toolmarks (drive serial number, machine ID) extracted from LNK metadata. Searching Twitter for “#exoticlily” returns a number of references that may lead to LNK samples embedded in archives or ISO files. 

In June, 2022, Cyble published an article regarding the Quantum LNK builder, which also describes the builder’s features and pricing scheme. The article indicates a possible connection between the Lazarus group and the Quantum LNK builder; similarities in PowerShell scripts may indicate this connection.

In August, 2022, SentinelLabs published an article that mentioned both the mLNK and Quantum builders. This is not to suggest that these are the only LNK builders or generators available, but it does speak to the prevalence of this “*-as-a-service” offering, particularly as some threat actors move away from the use of “weaponized” (via macros) Office documents, and toward the use of archiv


This article has been indexed from Windows Incident Response