HP Wolf Security Warns of Malware Shift to LNK Files

Shortcuts are replacing Office macros – which are starting to be blocked by default in Office – as a way for attackers to get a foothold within networks by tricking users into infecting their PCs with malware.

Businesses need to watch out: cybercriminals spreading malware families are shifting to shortcut (LNK) files to deliver their payloads.

According to HP Wolf Security’s quarterly Threat Insights Report, the latest techniques and phishing lures are targeting employees and putting companies at risk.


This access can be used to steal company data, or sold on to ransomware groups, leading to large-scale breaches that could stall business operations and result in “significant remediation costs”.

HP points out that the malware families include QakBot, IcedID, Emotet and RedLine Stealer.

Its latest Threat Insights Report – which provides analysis of real-world cyberattacks – shows an 11% rise in archive files containing malware, including LNK files. Attackers often place shortcut files in ZIP email attachments, to help them evade email scanners.

The team also spotted LNK malware builders available for purchase on hacker forums, making it easy for cybercriminals to shift to this “macro-free” code execution technique by creating weaponised shortcut files and spreading them to businesses.

Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, says: “We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”
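The two observations above (shortcuts hidden inside ZIP attachments, and the advice to block shortcut files arriving by email) translate into a simple attachment check. The following is an added illustration, not HP's code or anything from the report: it opens a ZIP attachment and flags any entry that is a Windows shortcut, matching both the `.lnk` extension and the fixed LNK file header (HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to `.txt` is still caught. The sample archives are constructed inline; the function names are my own.

```python
"""Flag Windows shortcut (.lnk) files inside a ZIP email attachment.

Added example for illustration; not HP Wolf Security's code. Entries are
checked by extension and by the fixed 20-byte LNK header, because a
shortcut renamed to a harmless-looking extension still carries the header.
"""
import io
import zipfile

# Every .lnk file starts with HeaderSize 0x0000004C (little-endian) followed
# by the ShellLink CLSID {00021401-0000-0000-C000-000000000046} in GUID byte
# order. Renaming the file does not change these 20 bytes.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def is_lnk_bytes(data: bytes) -> bool:
    """True if the buffer begins with the LNK file header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcuts_in_zip(zip_bytes: bytes) -> list:
    """Return one dict per entry that looks like a Windows shortcut.

    Each dict records the entry name and whether it matched by extension,
    by header bytes, or both. Directories are skipped. Nested archives and
    password-protected ZIPs are not unpacked here (see usage note).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_lnk_bytes(head)
            if by_ext or by_magic:
                findings.append(
                    {"name": info.filename, "by_extension": by_ext, "by_magic": by_magic}
                )
    return findings


def should_block_attachment(zip_bytes: bytes) -> bool:
    """Policy hook: block the attachment if any shortcut file is present."""
    return bool(find_shortcuts_in_zip(zip_bytes))


def _zip_of(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed attachment: one PDF, one obvious .lnk, one renamed .lnk."""
    return _zip_of(
        {
            "invoice.pdf": b"%PDF-1.4 constructed placeholder content",
            "invoice.lnk": LNK_MAGIC + b"\x00" * 56,      # header plus padding
            "notes.txt": LNK_MAGIC + b"\x00" * 56,        # shortcut renamed to .txt
        }
    )


def build_clean_zip() -> bytes:
    """Constructed attachment with no shortcut files."""
    return _zip_of({"report.docx": b"PK placeholder", "readme.txt": b"hello"})


if __name__ == "__main__":
    for hit in find_shortcuts_in_zip(build_sample_zip()):
        print(hit)
    print("block sample:", should_block_attachment(build_sample_zip()))
    print("block clean:", should_block_attachment(build_clean_zip()))
```

The header check is the part that matters: extension filters alone miss a shortcut that has been renamed, and Windows will still honour the file as a shortcut once it is extracted and run through the shell. In a real mail gateway the same check would need to recurse into nested archives (ZIP inside ZIP, ISO, RAR) and treat password-protected archives it cannot open as suspicious rather than clean, since the report notes that archives are precisely what attackers use to get past email scanners.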


In addition to the increase in LNK files, the threat research team has highlighted other issues.

HTML smuggling has reached critical mass: HP identified several phishing campaigns that used HTML smuggling to deliver malware, with emails posing as regional post services or, as HP had predicted, as major events such as Doha Expo 2023 (which will attract over three million global attendees).

Attackers exploited the window of vulnerability created by the Follina zero-day (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT). Following its disclosure, multiple threat actors used the vulnerability to distribute QakBot, Agent Tesla and the Remcos RAT (Remote Access Trojan) before a patch was available.

The vulnerability is particularly dangerous because it lets attackers run arbitrary code to deploy malware, and requires little user interaction to exploit on target machines.

On top of all that, HP uncovered a campaign distributing a new malware family called SVCReady, notable for the novel execution technique used to deliver it to target PCs: shellcode hidden in the properties of Office documents.

The malware – mainly designed to download secondary malware payloads to infected computers after collecting system information and taking screenshots – is still in an early stage of development, having been updated several times in recent months.

The findings are based on data from “millions of endpoints” running HP Wolf Security. The company explains that it runs risky tasks like opening email attachments, downloading files and clicking links in isolated, micro-virtual machines (micro-VMs) to protect users, capturing traces of attempted infections.

There are plenty of other key findings in its report.

Threat actors used 593 different malware families in their attempts to infect organisations, compared to 545 in the previous quarter.

Spreadsheets remained the top malicious file type, but as noted above, the threat research team saw an 11% rise in archive threats, suggesting attackers are increasingly placing malicious files inside archives before sending them in order to evade detection.

HP adds that 69% of malware detected was delivered via email, while web downloads were responsible for 17%.

This data was anonymously gathered within HP Wolf Security customer virtual machines from April-June 2022.

Last month, HP Wolf Security Team revealed the findings of its three-month dark web investigation. This uncovered the widespread use of inexpensive “plug-and-play” malware kits which can make it easier to launch cybercrime attacks.

The report showed how these kits can be used to harm businesses, government institutions and other organisations.

Antony Peyton
Antony Peyton is the Editor of eWeek UK. He has 18 years' journalism and writing experience. His career has taken him to China, Japan and the UK - covering tech, fintech and business. Follow on Twitter @TonyFintech.