New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor


Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control.

A new and deceptive multi-stage malware campaign has been identified by the Lat61 Threat Intelligence team at security firm Point Wild. The attack uses malicious Windows Shortcut (LNK) files, which are simple pointers to a program or file, to deliver a dangerous remote-access trojan (RAT) known as REMCOS.

The research, led by Dr. Zulfikar Ramzan, the CTO of Point Wild, and shared with Hackread.com, reveals that the campaign starts with a seemingly harmless shortcut file, possibly attached to an email, with a filename like “ORDINE-DI-ACQUIST-7263535.”

When a user clicks on it, the LNK file discreetly runs a PowerShell command in the background. For your information, PowerShell is a powerful command-line tool Windows utilises for ...


Copyright of this story solely belongs to hackread.com.