Cyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Report

    Cyber-criminals spreading malware families are shifting to shortcut (LNK) files to deliver malware, HP Wolf Security’s latest report suggests.

    According to the new research, shortcuts are gradually replacing Office macros (which Microsoft now blocks by default in Office files downloaded from the internet) as a way for attackers to get a foothold within networks by tricking users into infecting their own PCs with malware.

    Specifically, the report shows an 11% rise in archive files containing malware, including LNK files. Further, the data suggests that 69% of malware detected was delivered via email, while web downloads were responsible for 17%.

    HP said its security team noted attackers often placed shortcut files in ZIP email attachments, to help them evade email scanners. The company also spotted LNK malware builders available for purchase on hacker forums.

    Separately from the shortcut-file trend, HP said it observed exploitation of the Follina vulnerability (CVE-2022-30190, in the Microsoft Support Diagnostic Tool) being used to distribute QakBot, Agent Tesla, and the Remcos RAT (remote access trojan) on unpatched systems.

    “Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” explained Alex Holland, senior malware analyst at HP Wolf Security.

    “Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive,” he added.

    To do this, Holland recommended companies immediately block shortcut files received as email attachments or downloaded from the web whenever possible.
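    One way to implement that recommendation at a mail gateway, written here as an added example rather than code from HP's report: the scan identifies shortcut files by the fixed Shell Link header (MS-SHLLINK section 2.1) instead of trusting the file name, so a renamed LNK is still caught; it descends into nested ZIPs, since the report notes attackers wrap shortcuts in archives to slip past scanners; and it reports encrypted archive entries it cannot inspect. The sample archive is constructed inside the block, and the function names and the 8 MB / depth-3 limits are choices made for this example.

```python
"""Scan an email attachment for Windows shortcut (LNK) files, including
LNK entries hidden inside ZIP archives and nested ZIPs."""
import io
import zipfile

# Every Shell Link file starts with HeaderSize 0x0000004C followed by the fixed
# LinkCLSID {00021401-0000-0000-C000-000000000046}, both little-endian
# (MS-SHLLINK, section 2.1). Matching these 20 bytes catches LNK payloads
# even when the attacker renames them to something like "invoice.pdf".
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

MAX_ENTRY_BYTES = 8 * 1024 * 1024   # stop reading an entry past this (zip-bomb guard); chosen here
MAX_DEPTH = 3                       # how many nested archives to descend into; chosen here


def is_lnk(data: bytes) -> bool:
    """True if the bytes carry the Shell Link header, regardless of file name."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Return (path, reason) findings for one attachment.

    A finding is raised for LNK content (by header), for a .lnk file name
    (even if the header is missing), and for encrypted archive entries whose
    content cannot be inspected at all.
    """
    findings: list[tuple[str, str]] = []

    if is_lnk(data):
        findings.append((name, "shell link header"))
        return findings
    if name.lower().endswith(".lnk"):
        findings.append((name, ".lnk extension"))
        return findings
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:          # truncated or malformed archive: nothing to inspect
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:    # encrypted entry: content cannot be checked
                findings.append((path, "encrypted archive entry, not inspectable"))
                continue
            with zf.open(info) as fh:
                entry = fh.read(MAX_ENTRY_BYTES)
            findings.extend(scan_attachment(path, entry, depth + 1))
    return findings


def should_block(name: str, data: bytes) -> bool:
    """Policy from the recommendation above: block on any LNK-related finding."""
    return bool(scan_attachment(name, data))


def build_sample_zip() -> bytes:
    """Constructed test input (not a real sample): a ZIP holding a benign text
    file, a shortcut renamed to look like a PDF, and a nested ZIP carrying a
    second shortcut with a .lnk name."""
    lnk_body = LNK_MAGIC + b"\x00" * 56     # header only; enough for detection

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.lnk", lnk_body)

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("README.txt", b"please see attached invoice\n")
        zf.writestr("invoice.pdf", lnk_body)        # renamed shortcut
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for path, reason in scan_attachment("attachment.zip", sample):
        print(f"BLOCK {path}: {reason}")
```

    Checking the header rather than the extension matters because Windows Explorer hides the .lnk suffix and attackers rely on double extensions; the encrypted-entry finding exists because a password-protected ZIP is the usual next evasion once plain archives are inspected, and a gateway that cannot look inside should treat that as a reason to hold the message rather than pass it.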

    More generally, Dr. Ian Pratt, global head of security for personal systems at HP, said that since attackers are testing new malicious file formats to bypass detection, organizations need to take an architectural approach to endpoint security.

    “For example, by containing the most common attack vectors like email, browsers, and downloads, so threats are isolated regardless of whether they can be detected,” Pratt said.

    “This will eliminate the attack surface for entire classes of threats, while also giving the organization the time needed to coordinate patch cycles securely without disrupting services.”

    This is not the first time hackers have been observed moving away from macros and towards other attack vectors. A July report from Proofpoint suggested that threat actors’ use of macro-enabled attachments decreased by around 66% between October 2021 and June 2022 in favor of container files such as ISO, RAR and ZIP archives.