Malware Forensics for Uncommon Payloads: LNK Files and the Ransomware Ecosystem

Microsoft has begun to crack down on malicious Office documents and intends to change the default policy for macro execution on Windows. As a result, threat actors are turning to other file formats to phish victims and gain initial access. The most prevalent of these is the .LNK file, also known as the Windows Shortcut.

Threat actors and malware authors have written custom tools to build and obfuscate .LNK payloads. This talk will dive into several such techniques and campaigns, connecting these malicious Shortcut files to their final payloads. These include the major Banking Trojans, Initial Access Brokers and other unknown backdoors.
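Connecting a Shortcut file to the payload it launches starts with pulling the string data out of the binary Shell Link format. The following is an added example written for this page (not code from the talk or from any tool it describes): a minimal parser for the MS-SHLLINK header and StringData section, plus a small triage routine that flags the traits incident responders commonly use to separate a phishing Shortcut from an ordinary one. The two sample .LNK files are constructed in memory by `build_lnk`, and the `SUSPICIOUS_TARGETS` list and the thresholds in `triage` are the author's assumptions, not a standard.

```python
import struct

# Shell Link header constants from MS-SHLLINK section 2.1
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData entries appear in this fixed order, each gated by its flag
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Assumed list of interpreters and LOLBins worth flagging when a Shortcut targets them
SUSPICIOUS_TARGETS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript",
                      "cscript", "rundll32", "regsvr32", "certutil")


def _read_string(data, pos, unicode):
    """Read one StringData entry: a 2-byte CountCharacters followed by the (unterminated) string."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        raw = data[pos:pos + count * 2]
        return raw.decode("utf-16-le"), pos + count * 2
    raw = data[pos:pos + count]
    return raw.decode("cp1252", errors="replace"), pos + count


def parse_lnk(data):
    """Return the header fields and StringData of a Shell Link as a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a Shell Link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    fields = {"flags": flags, "show_command": show_command}

    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], pos = _read_string(data, pos, unicode)
    return fields


def triage(fields):
    """Heuristic findings for a parsed Shortcut; an empty list means nothing stood out."""
    findings = []
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    for name in SUSPICIOUS_TARGETS:
        if name in target:
            findings.append(f"launches script interpreter or LOLBin: {name}")
            break
    args = fields.get("arguments", "")
    if args and args != args.lstrip():
        findings.append("arguments padded with leading whitespace (hides command in Properties dialog)")
    if "-enc" in args.lower() or "encodedcommand" in args.lower():
        findings.append("arguments carry an encoded PowerShell command")
    if len(args) > 260:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    if fields.get("show_command") == 7:      # SW_SHOWMINNOACTIVE
        findings.append("window starts minimised and inactive")
    return findings


def build_lnk(relative_path, arguments, show_command=1, unicode=True):
    """Construct a minimal Shell Link (header + two StringData entries) for testing the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += struct.pack("<I", 0)            # FileAttributes
    header += b"\x00" * 24                    # CreationTime, AccessTime, WriteTime
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize..Reserved3
    assert len(header) == HEADER_SIZE

    def entry(text):
        body = text.encode("utf-16-le") if unicode else text.encode("cp1252")
        return struct.pack("<H", len(text)) + body

    return header + entry(relative_path) + entry(arguments)


def benign_sample():
    # Constructed: an ordinary editor shortcut
    return build_lnk("..\\..\\Program Files\\Editor\\editor.exe", "notes.txt")


def suspicious_sample():
    # Constructed: padded cmd.exe launcher with an encoded-command placeholder, minimised window
    return build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                     "          /c powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>",
                     show_command=7)


if __name__ == "__main__":
    for label, blob in (("benign", benign_sample()), ("suspicious", suspicious_sample())):
        fields = parse_lnk(blob)
        print(label, fields.get("relative_path"), fields.get("arguments"))
        for finding in triage(fields):
            print("  -", finding)
```

The parser deliberately skips the LinkTargetIDList and LinkInfo sections rather than decoding them, since the StringData that follows is where the command line lives; a full forensic tool would also walk the IDList and the ExtraData blocks (which can reveal the machine the Shortcut was built on). The heuristics in `triage` are starting points for detection content, not a verdict.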