Microsoft’s campaign against malicious macros has given rise to new, dangerous attacks

With Office macros no longer the easiest way to deliver malicious payloads to endpoints around the world, cybercriminals are turning to novel strategies, including shortcut (.lnk) files.

Findings from HP Wolf Security, based on data from millions of endpoints, claim an 11% rise in archive files containing malware, including .lnk files, compared with the previous quarter. Threat actors sometimes place these shortcuts inside .zip files before emailing them, to evade antivirus solutions and email protection measures.

Two properties of shortcut files make them an ideal vehicle for malware distribution: they can be made to run almost any file, and they can display any icon that ships with Windows. In practice, threat actors can give a shortcut the icon of a .pdf file and have it run a .exe, .log, or .dll file, which could load almost any malware. In some cases the attackers even abuse legitimate Windows applications, such as the good old Calculator, for their nefarious purposes.

Distributing RedLine Stealer

Most of the time, the report further states, threat actors use shortcut files to spread QakBot, IcedID, Emotet, and RedLine Stealer. They also abuse the Follina zero-day vulnerability (CVE-2022-30190), the researchers added.

“As macros downloaded from the web become blocked by default in Office, we’re keeping a close eye on alternative execution methods being tested out by cybercriminals. Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc. 

“Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”
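As an added example (not code from the article or from HP Wolf Security), the following Python script approaches the icon-versus-target trick described above from the defender's side and implements Holland's advice in a form a mail gateway or triage script could use: it opens a zip attachment, identifies Shell Link (.lnk) entries by their header rather than their file name, parses the fields that matter (relative path, arguments, icon location, icon index) according to the MS-SHLLINK layout, and flags shortcuts that launch a command interpreter or script host while borrowing their icon from another file. The archive, the shortcut contents and the list of launcher names are constructed for the example; the `build_lnk` helper exists only to create test fixtures.

```python
"""Inspect .lnk entries inside a zip attachment and flag icon/target mismatches.

Added example, not from the article or HP Wolf Security. It parses the
ShellLinkHeader and StringData sections laid out in MS-SHLLINK; the archive
and shortcut contents below are constructed fixtures, not real samples.
"""
import io
import struct
import zipfile

# HeaderSize (0x4C) followed by the Shell Link CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Script hosts and loaders a document-looking shortcut has no business launching
# (constructed list for the example; extend it to your own policy).
LAUNCHERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
             "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe")


def parse_lnk(data: bytes) -> dict:
    """Return IconIndex plus the StringData fields of a Shell Link file."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 20)      # LinkFlags
    (icon_index,) = struct.unpack_from("<i", data, 56)  # IconIndex (signed)
    pos = 76                                            # end of the fixed header
    if flags & HAS_LINK_TARGET_ID_LIST:                 # skip IDListSize + IDList
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                           # LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    is_unicode = bool(flags & IS_UNICODE)
    fields = {"icon_index": icon_index}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters
        pos += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        # ANSI strings use the system code page; cp1252 is assumed here.
        fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
    return fields


def assess_lnk(fields: dict) -> list:
    """Article heuristics: the shortcut runs a launcher and wears another file's icon."""
    target = fields.get("relative_path", "")
    launch_line = (target + " " + fields.get("arguments", "")).lower()
    reasons = [f"launches {exe}" for exe in LAUNCHERS if exe in launch_line]
    icon = fields.get("icon_location", "")
    if reasons and icon:
        icon_name = icon.lower().rsplit("\\", 1)[-1]
        target_name = target.lower().rsplit("\\", 1)[-1]
        if icon_name != target_name:
            reasons.append(f"icon borrowed from {icon_name} (index {fields['icon_index']})")
    return reasons


def scan_zip(zip_bytes: bytes) -> list:
    """List every Shell Link entry in an archive with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data[:20] != LNK_MAGIC:      # sniff the header, ignore the extension
                continue
            findings.append((info.filename, assess_lnk(parse_lnk(data))))
    return findings


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = None,
              icon_index: int = 0) -> bytes:
    """Build a minimal Unicode Shell Link (header + StringData) as a test fixture."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    strings = [relative_path]
    if arguments:
        flags |= HAS_ARGUMENTS
        strings.append(arguments)
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        strings.append(icon_location)
    header = (LNK_MAGIC + struct.pack("<II", flags, 0) + bytes(24)        # flags, attrs, 3 FILETIMEs
              + struct.pack("<IiIHHII", 0, icon_index, 1, 0, 0, 0, 0))   # size, icon, SW_SHOWNORMAL, hotkey, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


def build_sample_archive() -> bytes:
    """Constructed zip: a text file, a benign shortcut, and a disguised one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed fixture\n")
        zf.writestr("Quarterly report.lnk", build_lnk(r"..\..\Documents\report.pdf"))
        # Icon taken from a Windows system DLL, but the target is cmd.exe; the
        # argument only opens Calculator, mirroring the article's example.
        zf.writestr("Invoice.pdf.lnk",
                    build_lnk(r"..\..\Windows\System32\cmd.exe", "/c calc.exe",
                              r"%SystemRoot%\System32\shell32.dll", 1))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_archive()):
        print(f"{name}: {'FLAG ' + '; '.join(reasons) if reasons else 'ok'}")
```

The parser walks only the header, the optional IDList and LinkInfo blocks, and StringData; it ignores ExtraData, which is enough for these heuristics but not for full forensic extraction. Sniffing the header rather than trusting the `.lnk` extension matters because a gateway rule that blocks by name is trivially bypassed by a renamed attachment.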

Besides .lnk files, Holland also mentions HTML files. The company identified a couple of phishing campaigns in which threat actors pose as regional postal services and use HTML files to deliver malware. These files are good at hiding malicious file types that email gateways and malware protection services would otherwise catch.