Stealthy Cyber Attacks: LNK Files & SSH Commands Playbook

Dec. 19, 2024, 1:38 p.m.

Description

This analysis explores a rising trend in cyber attacks where threat actors leverage LNK files and SSH commands as initial infection vectors. The attackers use meticulously crafted shortcut files, often disguised as legitimate documents, to execute commands using Living-off-the-Land Binaries (LOLBins). The report highlights three specific campaigns: one using SCP to download and execute malicious files, another abusing SSH and PowerShell commands to run harmful payloads, and a third combining SSH and CMD commands to load malicious DLLs. These sophisticated techniques aim to bypass traditional security mechanisms and evade detection by exploiting trusted system utilities. The evolving tactics underscore the need for continuous vigilance and adapted security strategies to counter these advanced attack vectors.

Date

  • Created: Dec. 19, 2024, 12:56 p.m.
  • Published: Dec. 19, 2024, 12:56 p.m.
  • Modified: Dec. 19, 2024, 1:38 p.m.

Indicators


Attack Patterns

  • HackBrowserData
  • T1053.005
  • T1218.011
  • T1204.001
  • T1059.001
  • T1566.002
  • T1547.001
  • T1204.002
  • T1105
  • T1036
  • T1027

Linked vulnerabilities