Malicious LNK Disguised as Credit Card Security Email Authentication Pop-up
AhnLab SEcurity intelligence Center (ASEC) has recently identified a case where a malicious LNK file disguised as a credit card security email authentication pop-up is used to steal user information. The identified malicious LNK file has the following file name, impersonating the credit card company.
- **card_detail_20250610.html.lnk**
The threat actor had previously used PowerShell scripts for keylogging and data exfiltration, but in this case a DLL file is downloaded to perform these tasks. In addition, a legitimate file is executed alongside the LNK file so that the user does not realize the file is malicious; a legitimate file executed for this purpose is called a decoy file. In the past, decoy files were usually in a document format, but in this case an HTML file was used.
When a user runs the LNK file, an HTA file and a bait document (HTML) are downloaded from the threat actor's server into the temp folder and executed. The bait document is shown below.

Figure 1. Bait document disguised as credit card company’s security email authentication pop-up
When the HTA file runs, it creates a malicious DLL (sys.dll) and a text file (user.txt) containing the URL used to download additional malicious files in the C:\Users\{username}\AppData\Local directory. The malicious DLL is then executed via rundll32.exe, which carries out the malicious behavior.

Figure 2. URL for downloading additional files
sys.dll reads the URL contained in user.txt and downloads 3 DLL files (app, net, notepad.log). All 3 DLL files are loaded with the reflective DLL loading technique, and the app file is injected into the running chrome.exe process. Reflective loading is commonly used in malware because it maps the DLL directly into memory and executes it there instead of going through the normal Windows loader, which makes detection extremely difficult. In this case, 'app' and 'net' function as infostealers, while 'notepad.log' serves as a backdoor. The key features of each file are as follows.

| File Name | Function |
| --- | --- |
| app | Steals information from Chrome, Brave, and Edge browsers |
| net | Steals information from Chrome, Opera, Firefox, Google, Yahoo, Facebook, and Outlook |
| notepad.log | Executes remote shell commands; collects file lists; exfiltrates files; downloads files; sends keylogging data |

Table 2. Features by file
notepad.log saves the keylogging data in the C:\Users\{username}\AppData\Local\netkey directory. Figure 3 below shows keylogging data found in memory.

Figure 3. Keylogging data in memory
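The execution chain described above (a document-style double extension in front of .lnk, an HTA run from the temp folder, rundll32.exe loading a DLL from AppData\Local, and keylog output written to AppData\Local\netkey) leaves traces in ordinary endpoint telemetry. The following triage script is an added example, not code from the ASEC analysis: it encodes those observations as rules over process-creation and file-creation records in a Sysmon-like field layout and runs them over constructed sample events. The event records, the list of lure extensions, and the field names are assumptions made for the example.

```python
"""Triage rules for the LNK -> HTA -> rundll32 -> keylog chain described in the article.
Added example: the field layout mimics Sysmon (Image, CommandLine, TargetFilename),
but every event below is constructed and not taken from the article."""
import re

# Assumption: common document/image extensions used in front of .lnk as a lure.
LURE_EXT = r"(?:html?|pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)"
DOUBLE_EXT_LNK = re.compile(rf"\.{LURE_EXT}\.lnk$", re.IGNORECASE)
LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
NETKEY_DIR = re.compile(r"\\AppData\\Local\\netkey\\", re.IGNORECASE)
TEMP_HTA = re.compile(r"\\Temp\\[^\s\"]+\.hta\b", re.IGNORECASE)
DLL_REF = re.compile(r"\S+\.dll\b", re.IGNORECASE)


def is_double_extension_lnk(filename: str) -> bool:
    """'card_detail_20250610.html.lnk' style names: a document extension in front of .lnk."""
    return bool(DOUBLE_EXT_LNK.search(filename))


def _image_name(event: dict) -> str:
    """Basename of the executing image, lower-cased for comparison."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def mshta_runs_hta_from_temp(event: dict) -> bool:
    """Process creation: mshta.exe executing an .hta that was dropped into a Temp folder."""
    return _image_name(event) == "mshta.exe" and bool(TEMP_HTA.search(event.get("CommandLine", "")))


def rundll32_loads_local_appdata_dll(event: dict) -> bool:
    """Process creation: rundll32.exe given a DLL path under AppData\\Local (the sys.dll case).
    Only the DLL reference itself is checked, so System32 DLLs are not flagged."""
    if _image_name(event) != "rundll32.exe":
        return False
    return any(LOCAL_APPDATA.search(ref) for ref in DLL_REF.findall(event.get("CommandLine", "")))


def file_written_to_netkey(event: dict) -> bool:
    """File creation: anything landing in AppData\\Local\\netkey, where the keylog is stored."""
    return event.get("EventType") == "FileCreate" and bool(
        NETKEY_DIR.search(event.get("TargetFilename", "")))


RULES = [
    ("mshta_hta_from_temp", mshta_runs_hta_from_temp),
    ("rundll32_dll_from_local_appdata", rundll32_loads_local_appdata_dll),
    ("file_created_in_netkey", file_written_to_netkey),
]


def triage(events):
    """Return (rule_name, event_index) pairs for every event that trips a rule."""
    hits = []
    for idx, event in enumerate(events):
        for name, rule in RULES:
            if rule(event):
                hits.append((name, idx))
    return hits


# Constructed sample telemetry (not from the article) in a Sysmon-like field layout.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\victim\AppData\Local\Temp\update.hta'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\victim\AppData\Local\sys.dll",Run'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\netkey\20250610.txt"},
    {"EventType": "FileCreate", "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for name in ("card_detail_20250610.html.lnk", "quarterly_report.lnk"):
        print(f"{name}: double extension = {is_double_extension_lnk(name)}")
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"[{rule}] event #{idx}")
```

The rundll32 rule deliberately inspects the DLL path argument rather than the whole command line, so the common benign case of rundll32.exe loading a System32 DLL does not fire; the netkey rule is a narrow indicator tied to this campaign and would be paired with the broader rules in practice.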
Malicious LNK files disguised as legitimate documents or emails continue to be distributed, and the techniques used to get users to execute them without suspicion are becoming more sophisticated. Users should be especially careful, as threat actors have recently been impersonating highly reputable organizations.