Malicious LNK File Posing as Credit Card Security Email Steals User Data

Threat actors have deployed a malicious LNK file masquerading as a credit card company’s security email authentication pop-up to pilfer sensitive user information.

The file, named “card_detail_20250610.html.lnk,” cleverly disguises itself as a legitimate HTML document from a financial institution, exploiting user trust in routine security procedures.

Historically, these actors relied on PowerShell scripts for keylogging and data exfiltration, but this variant shifts to a downloaded DLL for enhanced stealth.

Infection Mechanism

To evade detection, the LNK file executes alongside a decoy file a legitimate HTML document mimicking a credit card authentication interface diverting user attention from the malicious activity.

This represents an evolution from traditional document-based decoys, such as PDFs or Word files, to HTML formats that blend seamlessly with web-based interactions.

Upon execution, the LNK file fetches an additional HTA (HTML Application) file and the bait HTML document from the attacker’s server, storing and running them in the system’s temporary folder.

The bait document displays a convincing pop-up that prompts users to interact, further masking the infection.

The HTA script then generates a malicious DLL named “sys.dll” and a text file “user.txt” containing URLs for further payloads, placing them in the C:Users{username}AppDataLocal directory.

This DLL is invoked via rundll32.exe, initiating the core malicious behaviors. By referencing the URLs in user.txt, sys.dll downloads three additional DLLs app, net, and notepad.log employing Reflective DLL Injection to map them directly into memory.

This technique, prevalent in advanced malware, bypasses disk-based forensics and complicates endpoint detection and response (EDR) systems.

Notably, the “app” DLL is injected into an active chrome.exe process, enabling persistent operations within a trusted browser environment.

Malware Functions

The downloaded components exhibit specialized infostealer and backdoor capabilities.

The “app” DLL targets browser data from Chrome, Brave, and Edge, extracting credentials, cookies, and session information.

Complementing this, the “net” DLL broadens the scope by harvesting data from Chrome, Opera, Firefox, as well as services like Google, Yahoo, Facebook, and Outlook, focusing on login artifacts and email contents.

Meanwhile, “notepad.log” functions as a multifaceted backdoor, capable of executing remote shell commands, compiling file lists, exfiltrating documents, downloading additional files, and transmitting keylogging data.

Keylogging outputs are stored in the C:Users{username}AppDataLocalnetkey directory, with traces also observable in memory, as evidenced by ASEC’s analysis of captured samples.

This campaign underscores the escalating sophistication of LNK-based attacks, where adversaries impersonate reputable organizations to lure executions.

Users are advised to scrutinize unexpected files, enable advanced threat protection, and verify sources before interaction.

ASEC notes that such malware distributions are ongoing, with techniques refining to exploit human psychology and system vulnerabilities.

Indicators of Compromise (IOCs)

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now