Executive summary

Microsoft security researchers discovered a campaign taking advantage of shortcut (LNK) files to load malware onto systems. The campaign used the shortcut files to call PowerShell commands in the sLoad malware framework. The commands then downloaded and installed the Ramnit banking trojan, which stole credentials, contacts, and other sensitive information.

Both the sLoad and Ramnit malware have existed for some time, but this new delivery method gives them another avenue for reaching their targets. In fact, as attackers constantly shift techniques to evade detection, many are now using LNK files to distribute commodity malware and perform targeted attacks.

Microsoft security researchers discovered this campaign while pivoting from a behavioral detection for the malicious use of certutil.exe — a system tool that displays certificate authority (CA) information—highlighting the need for SOC operators to be vigilant about behavioral alerts that can indicate attacker activity even before concrete signatures for new campaigns are created.

Analysis

During routine “false negative” hunting work, Microsoft security researchers discovered a series of malicious PowerShell commands executing on several machines. They verified the activities as malicious, validating Windows Defender ATP alerts showing PowerShell commands using certutil.exe to download an executable on the machines. However, the detected activity was only part of the latter stages of a more extensive attack.

Working backwards from the malicious use of certutil.exe, the security researchers discovered a campaign that had been sending emails mimicking an invoice. The emails had an attachment with an Italian file name made to look like an invoice. The fake invoice was in fact a shortcut (LNK) file.

Double-clicking the attachment caused the shortcut file to run in the context of Windows Explorer, triggering a PowerShell command.

LNK file properties

The shortcut executed PowerShell commands—part of the sLoad malware framework—and used available tools to download and install additional payloads. We found that, in some cases, the commands used the BITSAdmin support tool instead of certutil.exe. In fact, some sLoad malware servers appeared to accept only requests that had BITSAdmin as the user-agent.

While sLoad can be used to deliver other payloads, it managed to install the Ramnit banking trojan on machines without antivirus protection as part of this campaign. Ramnit consequently exfiltrated passwords, contacts, and screenshots from infected machines.

During this campaign, sLoad also dropped LNK files to the startup folder to stay persistent.


Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • If your end users don’t need to send or receive LNK files on email, block LNK attachments on Exchange Online or your mail server.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Antivirus

Windows Defender ATP detects threat components as the following malware:

Endpoint detection and response (EDR)

Alerts with the following titles in the Windows Defender Security Center portal can indicate threat activity on your network:

  • Connection to domain known to host sLoad malware
  • sLoad malware has been detected
  • Malware from the Ramnit family has been detected
  • Suspicious LNK file opened (behavioral)

The following alert, which can indicate a broad range of suspicious certutil.exe activity, is not monitored as part of this report:

  • Suspicious usage of certutil.exe to decode an executable

References

sLoad and Ramnit pairing in sustained campaigns against UK and Italy. Proofpoint (accessed 2018-10-24)
Change log
2018-12-01 01:00 UTC | Entry created