Cybercriminals have brought back an older attack vector using LNK files to execute PowerShell scripts to download malware.
LNK files were first used back in 2013, but Trend Micro has noticed a resurgence staring in January 2017. Between January and April the company has detected almost 6,000 instances of LNK malware, identified as LNK_DLOADR by Trend Micro, although a few cases were also spotted late in 2016.
LNK files are generally used to create start menu and desktop shortcuts.
Trend Micro attributed the initial wave of attacks in January to group APT10, AKA MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX, that used a spearphishing campaign to execute a CMD.exe that in turn downloaded a jpeg with embedded malicious PowerShell script. By April the payload had switched to BKDR_ChChes.
And APT10 continues to mix up their attacks, although it still uses phishing as the main point of entry.
There are a couple of quick fixes companies can implement to avoid LNK issues. Just as with WannaCry updating software is the first step. I this case users should have PowerShell version 5 installed. The responsibility falls on the individual and that is to be wary of any executable files received in an email.