MLNK Builder 4.2 released in Dark Web – malicious shortcut-based attacks are on the rise

MLNK Builder 4.2 released in Dark Web – malicious shortcut-based attacks are on the rise

Cybercriminals released a new MLNK Builder 4.2 tool for malicious shortcuts (LNK) generation with an improved Powershell and VBS Obfuscator

Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, has detected an update of one of the most popular tools used by cybercriminals to generate malicious LNK files, so frequently used for malicious payloads delivery nowadays.

MLNK Builder has emerged in Dark Web with the new version (4.2) and the updated feature-set focused on AV evasion and masquerading with icons of popular legitimate applications and file formats.

MLNK Builder

The spike of notable campaigns involving malicious shortcuts (LNK files) conducted by both APT groups and advanced cybercriminals has been detected in April-May period this year – Bumblebee Loader and UAC-0010 (Armageddon) targeting EU Countries described by CERT UA. Malicious shortcuts continue to give a hard time for network defenders, especially, in combating global botnet and ransomware activity using them as a channel for multi-staged payload delivery.

According to experts from Resecurity, existing customers of MLNK Builder will receive an update for free, but the authors have also released a “Private Edition” available for a tight circle of vetted customers or additional license in $125 per build.

MLNK Builder

The updated tool provides a rich arsenal to generate malicious files looking like legitimate Microsoft Word, Adobe PDF, ZIP Archives, images .JPG/.PNG, audio MP3, and even video .AVI files. as well as more advanced features to obfuscate malicious payload.

MLNK Builder

Bad actors continue to develop more creative ways to trick detection mechanisms and deliver malicious payloads – by leveraging a combination of extensions and different file formats, as well as Living Off the Land Binaries (LOLbins).

According to Resecurity, the most actively used malware families leveraging LNK-based distribution are TA570 Qakbot (aka Qbot), IcedID, AsyncRAT, and the new strain of Emotet. The most recent Qakbot distribution campaign also included malicious Word documents using the CVE-2022-30190 (Follina) zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MLNK Builder)

Leave a Reply

Your email address will not be published. Required fields are marked *