Researchers at K7 Security Labs have uncovered a new wave of Windows shortcut (.LNK) malware that exploits legitimate system binaries to deploy a multi-functional Remote Access Trojan (RAT). The campaign, first observed in Israel, is distributed via Discord, and demonstrates the increasingly creative use of Living-off-the-Land Binaries (LOLBins) to evade detection.
According to the researchers, “Attackers keep availing the use of Windows shortcut (.LNK) files to deliver malware. These LNK files, normally used as shortcuts to programs or documents, are being abused to silently execute malicious payloads on target systems.”
The infection begins with a malicious shortcut named “Cyber Security.lnk” that arrives through Discord. When clicked, the shortcut opens a decoy file — “a fake job offer decoy PDF titled ‘Cyber Security.pdf’” — while silently executing a PowerShell command in hidden mode.
The PowerShell script prepares directories, extracts the embedded PDF for distraction, and sets up a malicious ZIP file containing Moq.dll, which is placed in a hidden NuGet folder within the Public user directory. The script then deletes traces of the shortcut and ZIP file to remain stealthy.

Finally, execution is handed over to odbcconf.exe, a legitimate Windows binary, which silently registers and launches Moq.dll: “Here, the attacker abuses odbcconf.exe (a Windows legitimate binary) to silently register and execute the malicious DLL without raising any alerts.”
Analysis of Moq.dll revealed it to be a sophisticated Remote Access Trojan, capable of stealthy persistence and modular functionality. The report explains, “The Dropped DLL is a multi-functional Remote Access Trojan (RAT) designed to execute commands from a Command and Control (C2) server and collect system information from the infected machine.”
Moq.dll dynamically loads supporting DLLs such as Dapper.dll and Newtonsoft.dll to complicate analysis. It also decodes a file named Nunit, which feeds into a function called NowYouCanSeeMe(), enabling the RAT to execute decrypted PowerShell payloads on the fly.
To evade detection, Moq.dll tampers with core Windows defenses. The researchers observed that it:
- Patches AmsiScanBuffer in memory to bypass the Anti-Malware Scan Interface (AMSI).
- Disables Event Tracing for Windows (ETW) by patching the EtwEventWrite function.
As K7 Security Labs noted, “This clever use of Living-off-the-Land Binaries (LOLBins) helps bypass security tools and makes detection significantly harder.”
Once installed, the RAT provides attackers with powerful control over the compromised system. Its features include:
- System reconnaissance: collects OS, IP, usernames, installed antivirus software, and more.
- Persistence: modifies the registry under Winlogon\Shell to launch at every user login.
- Command execution: retrieves and runs attacker commands in an infinite loop.
- Screenshot capture: “The Get-MultiPic() function takes screenshots on a Windows machine… and sends it to a remote server.”
- Data exfiltration: uploads stolen files via Dropbox API, ensuring covert and reliable exfiltration.
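The behaviours described above (odbcconf.exe registering a DLL from the Public profile after being spawned by hidden PowerShell, a Winlogon\Shell change for persistence, and uploads to the Dropbox API from an unexpected process) are each cheap to hunt for in endpoint telemetry. The following detector is an added example and is not code from K7 Security Labs or from the report. It replays a handful of constructed Sysmon-style records (field names follow Sysmon's ProcessCreate, RegistryEvent and NetworkConnect schema, but the records, paths and the `.nuget` folder name are hand-written sample data, not captured telemetry). The `{REGSVR ...}` command-line form is odbcconf's documented DLL-registration syntax and is assumed here, since the article does not reproduce the exact command; the browser/Dropbox-client allowlist and the `dropboxapi.com` host match are likewise assumptions for illustration.

```python
"""Added example: flag the LNK -> PowerShell -> odbcconf.exe chain, Winlogon\Shell
persistence and Dropbox API exfiltration in Sysmon-style events (constructed data)."""
import ntpath
import re

# Directories from which a DLL handed to odbcconf.exe would normally come (assumed policy).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Processes for which a Dropbox API connection is plausible (assumed allowlist).
DROPBOX_OK = {"dropbox.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# odbcconf's documented register-DLL action: /a {REGSVR <path>}
REGSVR_RE = re.compile(r"\{\s*regsvr\s+(.+?)\s*\}", re.IGNORECASE)

# Constructed sample events (not real telemetry); hidden-folder path is a placeholder.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c ..."},
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"odbcconf.exe /a {REGSVR C:\Users\Public\.nuget\Moq.dll}"},
    {"type": "ProcessCreate",  # benign: vendor driver registered from Program Files
     "image": r"C:\Windows\System32\odbcconf.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"odbcconf.exe /a {REGSVR C:\Program Files\Vendor\driver.dll}"},
    {"type": "RegistrySet",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe,C:\Users\Public\.nuget\launcher.exe"},
    {"type": "RegistrySet",  # benign: default shell rewritten unchanged
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": "explorer.exe"},
    {"type": "NetworkConnect",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
    {"type": "NetworkConnect",  # benign: browser session to Dropbox
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def under_trusted_root(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def check_process(ev):
    """odbcconf.exe registering a DLL that lives outside Windows/Program Files."""
    if basename(ev["image"]) != "odbcconf.exe":
        return None
    m = REGSVR_RE.search(ev["cmdline"])
    if not m or under_trusted_root(m.group(1)):
        return None
    reason = f"odbcconf.exe registering DLL from user-writable path: {m.group(1)}"
    if basename(ev["parent"]) == "powershell.exe":
        reason += " (spawned by PowerShell)"
    return ("lolbin_odbcconf", reason)


def check_registry(ev):
    """Winlogon Shell value set to anything other than the default explorer.exe."""
    if not ev["target"].lower().endswith(r"\winlogon\shell"):
        return None
    if ev["details"].strip().lower() in ("explorer.exe", r"c:\windows\explorer.exe"):
        return None
    return ("persistence_winlogon_shell", f"Winlogon Shell changed to: {ev['details']}")


def check_network(ev):
    """Dropbox API traffic from a process that has no business talking to it."""
    host = ev["dest_host"].lower()
    if not (host == "dropboxapi.com" or host.endswith(".dropboxapi.com")):
        return None
    if basename(ev["image"]) in DROPBOX_OK:
        return None
    return ("exfil_dropbox_api", f"{basename(ev['image'])} -> {host}:{ev['dest_port']}")


CHECKS = {"ProcessCreate": check_process,
          "RegistrySet": check_registry,
          "NetworkConnect": check_network}


def scan(events):
    """Return a list of (rule_id, reason) for every event that trips a check."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, why in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {why}")
```

Run as-is, the script reports exactly three findings, one per technique, and stays silent on the three benign look-alikes. The same three checks translate directly into SIEM queries: odbcconf.exe with a REGSVR path under `\Users\`, any RegistryEvent on `...\Winlogon\Shell` whose data is not `explorer.exe`, and `dropboxapi.com` connections where the image is not a browser or the Dropbox client.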