Researchers from Trend Micro have discovered a malware attack targeting two Israeli hospitals with highly obfuscated information-stealing malware that abuses LNK shortcut files.
The malware, named WORM_RETADUP.A, attempts to infiltrate not just the infected system but also shared folders located within the connected local network, the company warned in a blog post on Thursday. It is designed to steal login credentials and other browser-based information, as well as to collect keystrokes and system information.
Moreover, the info stealer is wormable, Trend Micro reported, propagating itself by creating copies of itself, "including shortcut files, a non-malicious AutoIt executable, and a malicious AutoIt script into the affected system's root directory, i.e., C:\WinddowsUpdated\<file copy>".
AutoIT is a scripting language that automates the Windows graphical user interface and general scripting, but here the malware abuses it to run a secondary file that contains malicious commands, Trend Micro explains. Meanwhile, the LNK shortcut files are disguised as browser and Windows updates, a web 3D creation tool, and links to the Downloads and Games folder.
According to Trend Micro, the samples it has looked at so far each contained four malicious LNK files and were "highly obfuscated, with payloads hidden under layers of encryption, for instance."
Dianne Lagrimas, Trend Micro researcher, told SC Media via email that there is no "clear advantage" to using LNK files, "but perhaps we should point to accessibility. IT's relatively easy to be tricked into clicking on shortcut (LNK) files because these are visible icons to computer users. This clicking action allows malware to execute and spread fairly easily."
Update 6/30: The story was updated with a quote from Trend Micro.