The Awakening of LNK Files


HP Wolf Security Report reveals new techniques and phishing lures used to deceive employees.

According to the latest edition of the HP Wolf Security Threat Insights Report, the cyber criminals behind malware families such as QakBot, IcedID, Emotet and RedLine Stealer are increasingly relying on Windows shortcut (LNK) files to deliver their malware. Until now, Office macros were the main gateway for malware into the corporate network; since Office now blocks macros in documents downloaded from the Internet by default, attackers have had to look for another way in.

Link files hidden in ZIP email attachments

The number of malicious archive files, including archives carrying LNK files, has increased by eleven percent. To get past email scanners, attackers place the shortcut files inside ZIP email attachments. LNK malware builders are offered on hacker forums for exactly this purpose: criminals can generate malicious shortcut files with little effort and use them to target organisations, which gives them an easy switch to a "macro-free" code execution technique.

“Opening a shortcut or HTML file may seem harmless to an employee, but it can pose a major risk to the organisation,” said Alex Holland, senior malware analyst, HP Wolf Security Threat Research Team. “We recommend blocking link files received as email attachments or downloaded from the Internet immediately if possible.”
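The two paragraphs above describe the delivery chain (a shortcut inside a ZIP attachment) and the recommended control (block shortcut files that arrive by mail). The following is an added example written for this page, not code from HP or from the report: a mail-gateway style check that opens a ZIP attachment, recognises shortcut members by their MS-SHLLINK header rather than by extension, decodes the shortcut's target, arguments and icon, and flags the traits a builder-generated LNK typically has. The launcher and argument indicator lists, the 260-character padding threshold and the sample attachment are assumptions constructed for the example.

```python
import io
import struct
import zipfile

# ShellLinkHeader constants (MS-SHLLINK 2.1): HeaderSize 0x4C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk layout.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

# Assumed indicator lists (not from the report): system binaries a "document"
# shortcut has no business launching, and argument fragments typical of droppers.
LAUNCHERS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
             "rundll32", "regsvr32", "certutil", "msiexec", "bitsadmin")
ARG_MARKERS = ("-enc", "hidden", "-nop", "bypass", "iex", "downloadstring",
               "frombase64string", "http://", "https://", "\\\\")
PROPERTIES_TARGET_LIMIT = 260  # assumed: Explorer's Target box shows about this many chars


def parse_lnk(data: bytes) -> dict:
    """Decode the header and StringData section of a .lnk (MS-SHLLINK 2.1 and 2.4)."""
    if len(data) < 76 or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize does not count itself
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, offset)[0]   # CountCharacters
            nbytes = count * 2 if unicode else count
            raw = data[offset + 2:offset + 2 + nbytes]
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
            offset += 2 + nbytes
    return fields


def assess_lnk(data: bytes) -> list:
    """Return human-readable findings for one shortcut (empty list means nothing odd)."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "")
    findings = [f"launches {l}" for l in LAUNCHERS if l in target or l in args.lower()]
    findings += [f"argument contains {m!r}" for m in ARG_MARKERS if m in args.lower()]
    if len(args) > PROPERTIES_TARGET_LIMIT:   # builders pad with spaces to hide the command
        findings.append("arguments padded beyond what the Properties dialog displays")
    icon = info.get("icon_location", "")
    if icon and findings:
        findings.append(f"icon borrowed from {icon} to disguise the target")
    return findings


def scan_zip_attachment(zip_bytes: bytes) -> dict:
    """Map every shortcut found inside a ZIP attachment to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            payload = zf.read(member)
            name = member.filename.lower()
            # Trust the magic bytes, not only the extension: a renamed .lnk still runs.
            if not (name.endswith(".lnk") or payload.startswith(LNK_MAGIC + LNK_CLSID)):
                continue
            findings = ["shortcut file inside archive"]
            if name.count(".") > 1:
                findings.append("double extension hides .lnk from the user")
            try:
                findings += assess_lnk(payload)
            except ValueError:
                findings.append("claims .lnk but header is invalid")
            results[member.filename] = findings
    return results


def build_sample_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Construct a minimal Unicode .lnk for testing (not a real captured sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<II", flags, 0x20)  # FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                            # three FILETIME fields
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)            # ShowCommand 7 = SW_SHOWMINNOACTIVE

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


def build_sample_zip() -> bytes:
    """Constructed attachment: a 'PDF' that is really a padded cmd.exe shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_0622.pdf.lnk", build_sample_lnk(
            "..\\..\\..\\Windows\\System32\\cmd.exe",
            '/c powershell -w hidden -nop -c "Start-Process notepad"' + " " * 300,
            "%SystemRoot%\\System32\\shell32.dll"))
        zf.writestr("readme.txt", "constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip_attachment(build_sample_zip()).items():
        print(name, *("  - " + f for f in findings), sep="\n")
```

Run against the constructed attachment it reports the shortcut's real target (cmd.exe), the PowerShell launch hidden behind 300 spaces of padding, and the shell32.dll icon used to make the file look like a document; the benign text member is ignored. The check deliberately reads the header rather than trusting the `.lnk` extension, because Explorer resolves shortcuts by content and an attacker can name the member whatever they like.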

Increased HTML smuggling to spread malware

HP also identified several phishing campaigns that used emails purporting to come from regional postal services. In addition, the report found increased use of HTML smuggling to spread malware around major events such as the Doha Expo 2023. With this technique, the malicious file is carried inside an HTML attachment and assembled by the recipient's browser, so file types that an email gateway would normally block reach the endpoint and are written to disk there, resulting in a malware infection.
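Because the gateway only ever sees HTML, detection has to look for the ingredients of the smuggling itself: a large base64 literal plus the browser APIs that turn it into a download. The following is an added example written for this page, not code from HP or the report: a scanner that lists the download-building JavaScript APIs present in an HTML attachment, decodes every large base64 literal and identifies the hidden file by its magic bytes, then returns a verdict. The API list, the 200-character literal threshold and the constructed "Doha Expo 2023" sample page are assumptions made for the example.

```python
import base64
import io
import re
import zipfile

# Browser APIs that HTML smuggling relies on to turn an inline blob into a file
# download (assumed indicator list, not from the report).
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(",
                  "msSaveOrOpenBlob(", ".download =", "download=")
# A quoted base64 run long enough to carry a file rather than a small inline icon.
BASE64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{200,}={0,2})['"]""")
# Magic bytes of the file types attackers usually smuggle (PE, ZIP, OLE, LNK).
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf",
         b"\xd0\xcf\x11\xe0": "ole", b"\x4c\x00\x00\x00\x01\x14\x02\x00": "lnk"}


def find_embedded_payloads(html: str) -> list:
    """Decode every large base64 literal and identify it by magic bytes."""
    payloads = []
    for match in BASE64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        kind = next((k for magic, k in MAGIC.items() if blob.startswith(magic)), "unknown")
        payloads.append((kind, len(blob)))
    return payloads


def assess_html(html: str) -> dict:
    """Combine API usage and embedded payloads into a verdict for one attachment."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    payloads = find_embedded_payloads(html)
    if apis and payloads:
        verdict = "smuggling"       # both the carrier and the code that drops it
    elif apis or payloads:
        verdict = "suspicious"      # one half only; worth a closer look
    else:
        verdict = "clean"
    return {"apis": apis, "payloads": payloads, "verdict": verdict}


def build_sample_html() -> str:
    """Constructed smuggling page: an event-themed lure that drops a ZIP on load."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Expo2023_Invitation.txt", "constructed placeholder content " * 8)
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    return f"""<html><body><p>Your Doha Expo 2023 visitor pass is attached.</p>
<script>
  var data = atob("{b64}");
  var bytes = new Uint8Array(data.length);
  for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = "Expo2023_Invitation.zip";
  link.click();
</script></body></html>"""


if __name__ == "__main__":
    print(assess_html(build_sample_html()))
```

On the constructed page the scanner finds `atob(`, `new Blob(`, `URL.createObjectURL(` and the `download` attribute, decodes the literal to a ZIP of a few hundred bytes and returns `smuggling`; a page with only `atob("QUJD")` is merely `suspicious`, and plain HTML is `clean`. In production the decoded blob should be handed to the same file-type policy and sandbox that a direct ZIP or LNK attachment would get, which is the point of the technique: without this step the gateway never sees the file at all.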

After the zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), known as "Follina" (CVE-2022-30190), was disclosed, numerous threat actors exploited it to spread QakBot, Agent Tesla and the Remcos RAT (Remote Access Trojan) before a patch was available. The flaw allows arbitrary code execution, and almost no user interaction is needed to install malware on the target computer, which is what makes it particularly dangerous.

New malware family SVCReady

HP has uncovered a campaign that spreads a new malware family called SVCReady via shellcode hidden in the properties of Office documents. The malware collects system information and then loads secondary payloads onto infected PCs. It is still at an early stage of development and has been updated several times in recent months.