Criminals switch from macros to shortcut files to access business PCs

A wave of cybercriminals propagating malware families, including QakBot, IceID, Emotet, and RedLine Stealer, are switching to shortcut (LNK) files to deliver malware, according to HP Inc.’s quarterly Threat Insights Report.

Shortcuts are taking the place of Office macros, which are increasingly being blocked by default in Office, as a means for attackers to gain a foothold within networks by tricking users into infecting their PCs with malware. This access can be used to steal valuable company data or sold to ransomware groups, resulting in large-scale breaches that can halt business operations and cost a lot of money to fix.

 “As macros downloaded from the web become blocked by default in Office, we’re keeping a close eye on alternative execution methods being tested out by cybercriminals. Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc. “Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”

The latest global HP Wolf Security Threat Insights Report, which analyzes real-world cyberattacks, shows an 11 percent increase in malware-containing archive files, including LNK files. To avoid email scanners, attackers frequently include shortcut files in ZIP email attachments. The team also discovered LNK malware builders for sale on hacker forums, allowing cybercriminals to easily transition to this “macro-free” code execution technique by creating weaponized shortcut files and spreading them to businesses. 

“Attackers are testing new malicious file formats or exploits at pace to bypass detection, so organizations must prepare for the unexpected. This means taking an architectural approach to endpoint security, for example by containing the most common attack vectors like email, browsers, and downloads, so threats are isolated regardless of whether they can be detected,” comments Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc. “This will eliminate the attack surface for entire classes of threats, while also giving the organization the time needed to coordinate patch cycles securely without disrupting services.”

HP Wolf Security has specific insight into the latest cybercriminal techniques by isolating threats on PCs that have evaded detection tools. The threat research team has highlighted the following insights this quarter, in addition to the increase in LNK files:

• HTML smuggling reaches critical mass – HP identified several phishing campaigns that used emails posing as regional post services or – as predicted by HP – major events such as Doha Expo 2023 (which will attract 3M+ global attendees) to deliver malware via HTML smuggling. Dangerous file types that would otherwise be blocked by email gateways can be smuggled into organizations and lead to malware infections using this technique.
• Attackers exploit the window of vulnerability created by the Follina (CVE-2022-30190) zero-day vulnerability – Following its disclosure, multiple threat actors used the “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) to distribute QakBot, Agent Tesla, and the Remcos RAT (Remote Access Trojan) before a patch was available. The vulnerability is particularly dangerous because it allows attackers to run arbitrary code on target machines to deploy malware and requires little user interaction to exploit.
• Novel execution technique sees shellcode hidden in documents spread SVCReady malware – HP discovered a campaign distributing SVCReady malware, which is notable for the unusual way it is delivered to target PCs – via shellcode hidden in the properties of Office documents. The malware is still in its early stages of development, having been updated several times in recent months. It is primarily designed to download secondary malware payloads to infected computers after collecting system information and taking screenshots.

The findings are based on data from millions of HP Wolf Security-enabled endpoints. To protect users, HP Wolf Security performs risky tasks such as opening email attachments, downloading files, and clicking links in isolated, micro-virtual machines (micro-VMs), capturing detailed traces of attempted infections. HP’s application isolation technology protects against threats that can evade other security tools and provides unique insights into novel intrusion techniques and threat actor behavior. HP customers have clicked on more than 18 billion email attachments, web pages, and downloaded files to date, with no reported breaches.

Further key findings in the report include:

• 14% of email malware captured by HP Wolf Security bypassed at least one email gateway scanner.
• Threat actors used 593 different malware families in their attempts to infect organizations, compared to 545 in the previous quarter.
• Spreadsheets remained the top malicious file type, but the threat research team saw an 11% rise in archive threats – suggesting attackers are increasingly placing files in archive files before sending them in order to evade detection.
• 69% of malware detected was delivered via email, while web downloads were responsible for 17%.
• The most common phishing lures were business transactions such as “Order”, “Payment”, “Purchase”, “Request” and “Invoice”.