Skip to main content

LNK’s Awakening: Cybercriminals Moving from Macros to Shortcut Files to Access Business PCs

HP Wolf Security report highlights the latest techniques and phishing lures targeting employees and putting companies at risk

PALO ALTO, Calif., Aug. 15, 2022 (GLOBE NEWSWIRE) — HP Inc. (NYSE: HPQ) today issued its quarterly Threat Insights Report revealing that a wave of cybercriminals spreading malware families – including QakBot, IceID, Emotet, and RedLine Stealer – are shifting to shortcut (LNK) files to deliver malware. Shortcuts are replacing Office macros – which are starting to be blocked by default in Office – as a way for attackers to get a foothold within networks by tricking users into infecting their PCs with malware. This access can be used to steal valuable company data, or sold on to ransomware groups, leading to large-scale breaches that could stall business operations and result in significant remediation costs.

The latest global HP Wolf Security Threat Insights Report – which provides analysis of real-world cyberattacks – shows an 11% rise in archive files containing malware, including LNK files. Attackers often place shortcut files in ZIP email attachments, to help them evade email scanners. The team also spotted LNK malware builders available for purchase on hacker forums, making it easy for cybercriminals to shift to this “macro-free” code execution technique by creating weaponized shortcut files and spreading them to businesses.

“As macros downloaded from the web become blocked by default in Office, we’re keeping a close eye on alternative execution methods being tested out by cybercriminals. Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc. “Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”

By isolating threats on PCs that have evaded detection tools, HP Wolf Security has specific insight into the latest techniques being used by cybercriminals. In addition to the increase in LNK files, the threat research team have highlighted the following insights this quarter:

  • HTML smuggling reaches critical mass – HP identified several phishing campaigns using emails posing as regional post services or – as predicted by HP – major events like Doha Expo 2023 (which will attract 3M+ global attendees) that used HTML smuggling to deliver malware. Using this technique, dangerous file types that would otherwise be blocked by email gateways can be smuggled into organizations and lead to malware infections.
  • Attackers exploit the window of vulnerability created by the Follina (CVE-2022-30190) zero-day vulnerability – Following its disclosure, multiple threat actors exploited the recent zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) – dubbed “Follina” – to distribute QakBot, Agent Tesla, and the Remcos RAT (Remote Access Trojan) before a patch was available. The vulnerability is particularly dangerous because it lets attackers run arbitrary code to deploy malware, and requires little user interaction to exploit on target machines.
  • Novel execution technique sees shellcode hidden in documents spread SVCReady malware – HP uncovered a campaign distributing a new malware family called SVCReady, notable for the unusual way it is delivered to target PCs – through shellcode hidden in the properties of Office documents. The malware – mainly designed to download secondary malware payloads to infected computers after collecting system information and taking screenshots – is still in an early stage of development, having been updated several times in recent months.

The findings are based on data from millions of endpoints running HP Wolf Security. HP Wolf Security runs risky tasks like opening email attachments, downloading files and clicking links in isolated, micro-virtual machines (micro-VMs) to protect users, capturing detailed traces of attempted infections. HP’s application isolation technology mitigates threats that can slip past other security tools, and provides unique insights into novel intrusion techniques and threat actor behavior. To date, HP customers have clicked on over 18 billion email attachments, web pages, and downloaded files with no reported breaches.

Further key findings in the report include:

  • 14% of email malware captured by HP Wolf Security bypassed at least one email gateway scanner.
  • Threat actors used 593 different malware families in their attempts to infect organizations, compared to 545 in the previous quarter.
  • Spreadsheets remained the top malicious file type, but the threat research team saw an 11% rise in archive threats – suggesting attackers are increasingly placing files in archive files before sending them in order to evade detection.
  • 69% of malware detected was delivered via email, while web downloads were responsible for 17%.
  • The most common phishing lures were business transactions such as “Order”, “Payment”, “Purchase”, “Request” and “Invoice”.

“Attackers are testing new malicious file formats or exploits at pace to bypass detection, so organizations must prepare for the unexpected. This means taking an architectural approach to endpoint security, for example by containing the most common attack vectors like email, browsers, and downloads, so threats are isolated regardless of whether they can be detected,” comments Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc. “This will eliminate the attack surface for entire classes of threats, while also giving the organization the time needed to coordinate patch cycles securely without disrupting services.”

About the data

This data was anonymously gathered within HP Wolf Security customer virtual machines from April-June 2022.

About HP

HP Inc. is a technology company that believes one thoughtful idea has the power to change the world. Its product and service portfolio of personal systems, printers, and 3D printing solutions helps bring these ideas to life. Visit http://www.hp.com

About HP Wolf Security

HP Wolf Security is a new breed1 of endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. Visit https://www.hp.com/uk-en/security/endpoint-security-solutions.html.

©Copyright 2022 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

__________________________________________
1 HP Security is now HP Wolf Security. Security features vary by platform, please see product data sheet for details.

Media contact:
Vanessa Godsal / vgodsal@hp.com

Disclaimer & Cookie Notice

Welcome to GOLDEA services for Professionals

Before you continue, please confirm the following:

Professional advisers only

I am a professional adviser and would like to visit the GOLDEA CAPITAL for Professionals website.

Important Notice for Investors:

The services and products offered by Goldalea Capital Ltd. are intended exclusively for professional market participants as defined by applicable laws and regulations. This typically includes institutional investors, qualified investors, and high-net-worth individuals who have sufficient knowledge, experience, resources, and independence to assess the risks of trading on their own.

No Investment Advice:

The information, analyses, and market data provided are for general information purposes only and do not constitute individual investment advice. They should not be construed as a basis for investment decisions and do not take into account the specific investment objectives, financial situation, or individual needs of any recipient.

High Risks:

Trading in financial instruments is associated with significant risks and may result in the complete loss of the invested capital. Goldalea Capital Ltd. accepts no liability for losses incurred as a result of the use of the information provided or the execution of transactions.

Sole Responsibility:

The decision to invest or not to invest is solely the responsibility of the investor. Investors should obtain comprehensive information about the risks involved before making any investment decision and, if necessary, seek independent advice.

No Guarantees:

Goldalea Capital Ltd. makes no warranties or representations as to the accuracy, completeness, or timeliness of the information provided. Markets are subject to constant change, and past performance is not a reliable indicator of future results.

Regional Restrictions:

The services offered by Goldalea Capital Ltd. may not be available to all persons or in all countries. It is the responsibility of the investor to ensure that they are authorized to use the services offered.

Please note: This disclaimer is for general information purposes only and does not replace individual legal or tax advice.