Microsoft’s campaign against malicious macros has given rise to new, dangerous attacks
Goodbye macros, hello shortcuts
With Office macros no longer being the best way to deliver malicious payloads to endpoints around the world, cybercriminals are turning toward novel strategies, including using shortcut (.lnk) files.
Findings from HP Wolf Security, based on data from millions of endpoints, claimed an 11% rise in archive files containing malware, including .lnk files, compared to the previous quarter. Sometimes threat actors place these shortcuts in .zip files before mailing them, in order to avoid detection by antivirus solutions or email protection measures.
There are two key elements of shortcut files that make them an ideal weapon for malware distribution: they can be made to run practically any file, and they can carry any icon that comes preinstalled with Windows. That means threat actors can give a shortcut the icon of a .pdf file and have it run an .exe, .log, or .dll file, which could load practically any virus. In some cases the hackers even abuse legitimate Windows applications, such as the good old Calculator, for their nefarious purposes.
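The two properties just described (a shortcut's icon is independent of what it runs, and shortcuts arrive wrapped in .zip attachments) can both be checked at a mail gateway by parsing the shortcut itself rather than trusting its icon or extension. The following is an added example, not code from the article or from HP Wolf Security: it parses the documented Shell Link header and StringData fields, flags shortcuts whose target looks executable while the icon points at a document type or a Windows icon library, and scans a zip for .lnk members by extension or by header magic. The keyword lists, the minimal fixture format and the sample archive are constructed for this example.

```python
import io
import re
import struct
import zipfile

# Constants from the Shell Link binary format (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that govern which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Heuristic word lists: assumptions for this example, not a vendor list.
EXECUTABLE_HINTS = (".exe", ".dll", "cmd", "powershell", "rundll32", "calc")
DOCUMENT_ICON_HINTS = (".pdf", ".doc", ".xls", ".txt", "shell32.dll", "imageres.dll")
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a ShellLinkHeader (size 0x4C plus the link CLSID)."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == b"\x4c\x00\x00\x00"
            and data[4:20] == LNK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Extract StringData fields (name, relative path, working dir, arguments, icon).

    LinkTargetIDList and LinkInfo are skipped via their own size prefixes;
    StringData then follows in the fixed order the format defines.
    """
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    order = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
             (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
             (HAS_ICON_LOCATION, "icon_location"))
    for flag, name in order:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(data: bytes) -> list:
    """Findings for one shortcut: does it run an executable behind a document icon?"""
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    icon = fields.get("icon_location", "").lower()
    findings = []
    if any(hint in target for hint in EXECUTABLE_HINTS):
        findings.append("target-runs-executable")
        if any(hint in icon for hint in DOCUMENT_ICON_HINTS):
            findings.append("icon-does-not-match-target")
    return findings


def scan_archive(zip_bytes: bytes) -> dict:
    """Map every shortcut in a zip (found by extension or by header magic) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if not (info.filename.lower().endswith(".lnk") or is_lnk(data)):
                continue
            findings = assess_lnk(data) if is_lnk(data) else ["lnk-extension-with-invalid-header"]
            if DOUBLE_EXTENSION.search(info.filename):
                findings.append("double-extension")
            report[info.filename] = findings
    return report


def build_lnk_fixture(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed minimal .lnk (header + StringData only) used as test input here."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


def build_sample_zip() -> bytes:
    """Constructed archive: one disguised shortcut, one harmless shortcut, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", build_lnk_fixture(
            "..\\..\\Windows\\System32\\cmd.exe", "/c calc.exe",
            "%SystemRoot%\\System32\\imageres.dll"))
        zf.writestr("notes.lnk", build_lnk_fixture(
            "..\\Documents\\notes.txt", "", "%SystemRoot%\\System32\\notepad.exe"))
        zf.writestr("readme.txt", b"plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_archive(build_sample_zip()).items():
        print(name, findings or ["no findings"])
```

The check keys on the parsed target and icon fields, not on the file extension, so a shortcut renamed to hide its extension is still recognised by its header magic, while a shortcut that merely points at a text document produces no findings. A gateway that, as Holland recommends, simply quarantines every attachment the scanner reports as a shortcut needs only the `is_lnk` check; the finding labels are useful where a softer policy of alerting and user warning is preferred.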
Distributing RedLine Stealer
Most of the time, the report further states, threat actors use shortcut files to spread QakBot, IcedID, Emotet, and RedLine Stealer. They also abuse the Follina zero-day vulnerability (CVE-2022-30190), the researchers added.
“As macros downloaded from the web become blocked by default in Office, we’re keeping a close eye on alternative execution methods being tested out by cybercriminals. Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.
“Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”
Besides .lnk files, Holland also mentions HTML files. The company identified a couple of phishing campaigns in which threat actors pose as regional postal services and use HTML files to deliver malware. These files are good at hiding malicious file types that would otherwise be picked up by email gateways and malware protection services.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.