Microsoft’s campaign against malicious macros has given rise to new, dangerous attacks

By Scott Marlette Last updated Aug 10, 2022

With Office macros no longer being the best way to deliver malicious payloads to endpoints (opens in new tab) around the world, cybercriminals are turning toward novel strategies, including using shortcut (.lnk) files.

Findings from HP Wolf Security based on data from millions of endpoints claimed there has been an 11% rise in archive files containing malware, including .lnk files, compared to the previous quarter. Sometimes, threat actors would place these shortcuts in .zip files before mailing them, in order to avoid being detected by any antivirus (opens in new tab) solutions, or email protection measures.

There are two key elements to shortcut files that make them an ideal weapon for malware (opens in new tab) distribution: they can be made to run pretty much any file, and they can have any icon that comes preinstalled with Windows. That being said, threat actors can give it an icon of a .pdf file, and have it run a .exe, .log, or a .dll file, which could load pretty much any virus. In some cases, the hackers would even abuse legitimate Windows applications, such as the good old Calculator, for their nefarious purposes.

Distributing RedLine Stealer

Most of the time, the report further states, threat actors are using shortcut files to spread QakBot, IceID, Emotet, and RedLine Stealer. They also abuse the Follina zero-day vulnerability (CVE-2022-30190), the researchers added.

“As macros downloaded from the web become blocked by default in Office, we’re keeping a close eye on alternative execution methods being tested out by cybercriminals. Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.

“Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”

Besides .lnk files, Holland also mentions HTML files. The company identified a couple of phishing campaigns in which threat actors pose as regional post services and use HTML files to deliver malware. These files are good at hiding malicious types which would otherwise be picked up by email gateways and malware protection services.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.