Malicious LNK files, GitHub leveraged in South Korea-targeted malware campaign

Infosecurity Magazine reports that Windows users across South Korea have been subjected to attacks involving illicit LNK files that trigger a multi-stage compromise. The malicious LNK files, which have gained decoding functionality and had their metadata identifiers removed since their initial discovery two years ago, deploy a decoy PDF while covertly running PowerShell scripts retrieved from GitHub, according to a Fortinet advisory. Aside from checking for virtual machines and security tools, the PowerShell script also decodes and stores additional payloads, creates scheduled tasks, gathers system data, and uploads logs to GitHub repositories, through which it maintains continuous communication for persistence and further compromise. Black Duck senior manager Jamie Boote noted that the intrusion shows legitimate infrastructure being exploited as an attack surface. "The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and pulls scripts over the internet, should put network defenders on alert that even productivity platforms can be attack vectors," Boote added.
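A defender-side triage routine for the LNK stage of the chain described above, added here as an illustration and not code from Fortinet or the reporting: it parses the Shell Link header and StringData fields (layout per the MS-SHLLINK specification), then flags the launch command for the traits the article names, namely PowerShell started from a shortcut, a hidden window, and a script fetched from GitHub. The indicator list, the `build_sample_lnk` helper and the sample shortcut with its placeholder URL are constructed for this example.

```python
import struct

# MS-SHLLINK constants: header CLSID, LinkFlags bits, StringData order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader and StringData; LinkTargetIDList and LinkInfo are skipped over."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
            width = 2 if flags & IS_UNICODE else 1         # assumes cp1252 for ANSI strings
            fields[name] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

# Launch-command substrings (constructed list) that together characterise the LNK -> PowerShell -> GitHub chain.
INDICATORS = [("powershell", "shortcut launches PowerShell"), ("-w hidden", "hidden window"),
              ("windowstyle hidden", "hidden window"), ("-ep bypass", "execution policy bypass"),
              ("-enc", "encoded command"), ("iex", "Invoke-Expression of fetched content"),
              ("iwr", "web download"), ("downloadstring", "web download"),
              ("invoke-webrequest", "web download"), ("github", "script retrieved from GitHub")]

def triage_lnk(data: bytes) -> list:
    """Return the distinct reasons a shortcut looks like a PowerShell download cradle (empty if none)."""
    f = parse_lnk(data)
    cmd = f"{f.get('relative_path', '')} {f.get('arguments', '')}".lower()
    hits = [why for needle, why in INDICATORS if needle in cmd]
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window minimised and not activated")
    return list(dict.fromkeys(hits))

def build_sample_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed test input: a minimal LNK carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = IS_UNICODE | 0x08 | 0x20
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(36) + struct.pack("<I", show_command) + bytes(12)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body + bytes(4)  # TerminalBlock closes the ExtraData section
```

Real samples usually carry a LinkTargetIDList and LinkInfo ahead of the strings, which the parser skips by size, so the same routine works on files collected from mail gateways or endpoints.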
