Office macros have long been a favorite attack method for cybercriminals, but now that Microsoft has started blocking them by default, the bad guys have begun turning to other methods.
A new report from HP Wolf Security shows a shift to shortcut (LNK) files being used to deliver malware. Attackers often place the shortcut files inside ZIP email attachments to help them evade email scanners.
The latest global HP Wolf Security Threat Insights Report shows an 11 percent rise in archive files containing malware, including LNK files. The team also spotted LNK malware builders available for purchase on hacker forums, making it easy for cybercriminals to shift to this ‘macro-free’ code execution technique by creating weaponized shortcut files and spreading them to businesses.
“As macros downloaded from the web become blocked by default in Office, we’re keeping a close eye on alternative execution methods being tested out by cybercriminals. Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” says Alex Holland, senior malware analyst on the HP Wolf Security threat research team. “Organizations must take steps now to protect against techniques increasingly favored by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”
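As an added illustration of the recommendation above (this is example code written for this article, not HP Wolf Security's or any product's own logic), the following Python scans an email attachment in ZIP form for Windows shortcut files before it reaches a user. It flags entries by the `.lnk` extension, by the Shell Link file header (the 0x4C header size followed by the fixed LinkCLSID `00021401-0000-0000-C000-000000000046`, which catches a shortcut renamed to look like a document), and it descends into nested ZIPs, since an archive inside an archive is a common way to get past a scanner that only looks at the outer layer. The sample archive is constructed in the script, and the shortcut entries in it are just the header bytes plus padding.

```python
import io
import zipfile

# A Shell Link file begins with HeaderSize (0x0000004C) and the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046, serialized little-endian (MS-SHLLINK 2.1).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
ZIP_MAGIC = b"PK\x03\x04"
SHORTCUT_EXTENSIONS = (".lnk",)
MAX_DEPTH = 3                  # nested archives to open (assumed policy value)
MAX_NESTED_BYTES = 10 * 1024 * 1024  # refuse to inflate huge inner archives


def is_shell_link(head: bytes) -> bool:
    """True when the bytes start with the Shell Link (LNK) header."""
    return head[:len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcuts(archive_bytes: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return (path, reason) for every entry in a ZIP, or a ZIP nested inside it,
    that is or looks like a Windows shortcut. Entries are inspected by extension
    and by content, so a renamed .lnk is still caught."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return findings  # not a ZIP (or corrupt): nothing to walk
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Only the first bytes are needed to classify the entry.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(SHORTCUT_EXTENSIONS):
                findings.append((path, "shortcut extension"))
            elif is_shell_link(head):
                findings.append((path, "Shell Link header under a non-.lnk name"))
            elif (head.startswith(ZIP_MAGIC) and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED_BYTES):
                findings.extend(find_shortcuts(zf.read(info), path + "/", depth + 1))
    return findings


def should_block(archive_bytes: bytes) -> bool:
    """Policy decision: block the attachment if any shortcut is found."""
    return bool(find_shortcuts(archive_bytes))


def build_sample_archive() -> bytes:
    """Constructed test attachment: a benign text file, an obvious .lnk, a
    shortcut renamed to .pdf, and a nested ZIP carrying another shortcut."""
    fake_lnk = LNK_MAGIC + b"\x00" * 64  # header only, not a real shortcut
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("update.lnk", fake_lnk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"Please see the attached invoice.\n")
        z.writestr("invoice.lnk", fake_lnk)
        z.writestr("report.pdf", fake_lnk)       # shortcut hiding behind a PDF name
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for path, reason in find_shortcuts(sample):
        print(f"FLAG {path}: {reason}")
    print("block attachment:", should_block(sample))
```

Blocking on the file header rather than the name alone is what makes the check hold up against renamed shortcuts; the nesting depth and size caps keep the scanner itself from being tied up by deliberately deep or oversized archives.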
Other findings of the report include an increase in ‘HTML smuggling’, in which emails posing as regional postal services or major events are used to carry dangerous file types that email gateways would otherwise block into organizations.
The report is based on data from endpoints running HP Wolf Security. It finds that 14 percent of email malware captured bypassed at least one email gateway scanner. Threat actors used 593 different malware families in their attempts to infect organizations, compared to 545 in the previous quarter. Spreadsheets remain the top malicious file type.
“Attackers are testing new malicious file formats or exploits at pace to bypass detection, so organizations must prepare for the unexpected. This means taking an architectural approach to endpoint security, for example by containing the most common attack vectors like email, browsers, and downloads, so threats are isolated regardless of whether they can be detected,” says Dr Ian Pratt, global head of security for personal systems at HP. “This will eliminate the attack surface for entire classes of threats, while also giving the organization the time needed to coordinate patch cycles securely without disrupting services.”
The full report is available on the HP site.