
UPDATED: Information-stealing malware found targeting Israeli hospitals

Researchers from Trend Micro have discovered an attack targeting two Israeli hospitals with highly obfuscated information-stealing malware that abuses LNK shortcut files.

The malware, named WORM_RETADUP.A, attempts to infiltrate not just the infected system but also shared folders located within the connected local network, the company warned in a blog post on Thursday. It is designed to steal login credentials and other browser-based information, as well as to collect keystrokes and system information.

Moreover, the info stealer is wormable, Trend Micro reported: it propagates by creating copies of itself, "including shortcut files, a non-malicious AutoIt executable, and a malicious AutoIt script into the affected system's root directory, i.e., C:\WinddowsUpdated\<file copy>".

AutoIt is a scripting language for automating the Windows graphical user interface and for general scripting, but here the malware abuses it to run a secondary file that contains malicious commands, Trend Micro explains. Meanwhile, the LNK shortcut files are disguised as browser and Windows updates, a web 3D creation tool, and links to the Downloads and Games folders.

According to Trend Micro, the samples it has looked at so far each contained four malicious LNK files and were "highly obfuscated, with payloads hidden under layers of encryption, for instance."

Dianne Lagrimas, Trend Micro researcher, told SC Media via email that there is no "clear advantage" to using LNK files, "but perhaps we should point to accessibility. It's relatively easy to be tricked into clicking on shortcut (LNK) files because these are visible icons to computer users. This clicking action allows malware to execute and spread fairly easily."

Update 6/30: The story was updated with a quote from Trend Micro.

Bradley Barth
