A wave of cybercriminals spreading malware families – including QakBot, IcedID, Emotet, and RedLine Stealer – are shifting to shortcut (LNK) files for email malware delivery. Shortcuts are replacing Office macros – which Microsoft is starting to block by default in Office – as a way for attackers to get a foothold within networks by tricking users into infecting their PCs with malware.
Keeping up with changes in the email threat landscape
HP Wolf Security’s Q2 2022 Threat Insights Report – which provides analysis of real-world cyberattacks – shows an 11% rise in archive files containing malware, including LNK files. Attackers often place shortcut files in ZIP email attachments, to help them evade email scanners.
The team also spotted LNK malware builders available for purchase on hacker forums, making it easy for cybercriminals to shift to this “macro-free” code execution technique by creating weaponized shortcut files and spreading them to businesses.
“Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible,” says Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.
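One way to act on that recommendation at the mail gateway, as an added example that is not part of HP's report or of the original article: a small Python check that opens a ZIP attachment in memory and flags any member that is a Windows shortcut, judging by the Shell Link file header rather than only by the file name. The sample archive, its member names and the zero-padded header bytes are constructed here for illustration (the "shortcut" is not a working one); the function names are this example's own.

```python
import io
import zipfile

# Shell Link (.LNK) header per MS-SHLLINK: HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with the Shell Link header, whatever its name."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcuts_in_zip(zip_bytes: bytes) -> list[str]:
    """Return the names of ZIP members that are Windows shortcut files.

    Checks both the extension and the first 20 bytes, so a shortcut renamed to
    e.g. report.pdf is still caught. Nested archives are not opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or is_lnk(head):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed test input: a padded LNK header under two names plus a text file."""
    # Header padded to its 76-byte size; not a functional shortcut (constructed).
    fake_lnk = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", fake_lnk)  # classic double-extension lure
        zf.writestr("report.pdf", fake_lnk)       # extension lies, header does not
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_shortcuts_in_zip(build_sample_zip()))
```

Matching on the header matters because Explorer never shows the .lnk extension, so a lure named invoice.pdf.lnk looks like a PDF to the recipient, and a gateway that only consults an extension list is bypassed by renaming. Nested or password-protected archives are not opened by this check and need a rule of their own.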
In addition to the increase in LNK files, the threat research team has highlighted the following malware-delivery and detection-evasion techniques used by attackers:
HTML smuggling reaches critical mass – HP identified several phishing campaigns using emails posing as regional postal services or major events like Doha Expo 2023 (which will attract 3M+ global attendees) that used HTML smuggling for malware delivery. With this technique the malicious file travels inside an HTML attachment as an encoded string and is assembled by JavaScript in the recipient's browser, so dangerous file types that would otherwise be blocked by email gateways are smuggled into organizations and lead to malware infections.
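To make the mechanism concrete, an added example that is not from HP's report or from the article: a constructed HTML attachment in the smuggling shape described above (a page carrying a base64 string that in-browser JavaScript decodes into a Blob and hands to the user as a download), next to a Python scanner that looks for that combination of indicators. The payload string is a labelled placeholder, not an archive or malware; the indicator names, regexes and the 200-character threshold are this example's own, not a published rule set.

```python
import base64
import re

# Indicators of HTML smuggling. The attachment is plain HTML, so a gateway that
# blocks .exe/.iso/.lnk by type sees nothing to block; the dangerous file only
# exists once the browser runs the script. Names and thresholds are this
# example's own choices.
INDICATORS = {
    "base64_decode":  re.compile(r"\batob\s*\("),
    "large_base64":   re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":     re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr":  re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "ms_save_blob":   re.compile(r"\bmsSave(?:OrOpen)?Blob\b"),
    "auto_click":     re.compile(r"\.click\s*\(\s*\)"),
}


def scan_html(html: str) -> dict:
    """Return the matched indicators and a verdict.

    The verdict needs all three stages of the technique: a payload embedded in
    the page, assembly into a Blob or object URL, and delivery as a download.
    A page with only a long base64 image, or only a download link, does not fire.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    embedded = "base64_decode" in hits or "large_base64" in hits
    assembled = "blob_construct" in hits or "object_url" in hits
    delivered = "download_attr" in hits or "ms_save_blob" in hits
    return {"indicators": hits, "smuggling": embedded and assembled and delivered}


# Constructed placeholder payload: starts like a ZIP but is only text, so the
# sample page is safe to keep in a repository.
PAYLOAD_B64 = base64.b64encode(
    b"PK\x03\x04" + b"constructed placeholder, not a real archive. " * 4
).decode()

# Constructed lure page in the shape the report describes (not a real sample).
SMUGGLING_SAMPLE = """<html><body>
<p>Your parcel could not be delivered. Download the notice below.</p>
<script>
var b64 = "__PAYLOAD__";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "parcel_notice.zip";
document.body.appendChild(a);
a.click();
</script>
</body></html>""".replace("__PAYLOAD__", PAYLOAD_B64)

# Constructed benign page: a tracking link, nothing assembled client-side.
BENIGN_SAMPLE = """<html><body>
<p>Your parcel is on its way.</p>
<a href="https://example.org/track?id=123">Track it</a>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("lure", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(page))
```

The three-stage verdict is deliberate: any one indicator alone is common in legitimate HTML mail (inline base64 images, download links to a CDN), and alerting on the combination keeps false positives down while still catching variants that swap atob for a custom decoder, since the long literal and the Blob/download pair remain. Obfuscated scripts that build these identifiers at runtime will slip past a regex check, so this belongs alongside, not instead of, detonating HTML attachments in a sandbox.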
Attackers exploit the window of vulnerability created by the Follina zero-day (CVE-2022-30190) – Following its public disclosure, multiple threat actors exploited the zero-day in the Microsoft Support Diagnostic Tool (MSDT) – dubbed “(