Quarterly HP Wolf Security Threat Insights Report highlights growing use of shortcut files to deliver malware

Published: Thursday, 11 August 2022 08:37

HP Inc. has released its quarterly Threat Insights Report revealing that cybercriminals are shifting to shortcut (LNK) files to deliver malware. Shortcuts are replacing Office macros – which are starting to be blocked by default in Office – as a way for attackers to get a foothold within networks by tricking users into infecting their PCs with malware. This access can be used to steal valuable company data, or sold on to ransomware groups, leading to large-scale breaches that could stall business operations and result in significant remediation costs.

The global Threat Insights Report – which provides analysis of real-world cyber attacks – shows an 11 percent rise in archive files containing malware, including LNK files. Attackers often place shortcut files in ZIP email attachments, to help them evade email scanners. The team also spotted LNK malware builders available for purchase on hacker forums, making it easy for cybercriminals to shift to this ‘macro-free’ code execution technique by creating weaponized shortcut files and spreading them to businesses.

“As macros downloaded from the web become blocked by default in Office, we’re keeping a close eye on alternative execution methods being tested out by cybercriminals. Opening a shortcut or HTML file may seem harmless to an employee but can result in a major risk to the enterprise,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.

“Organizations must take steps now to protect against techniques increasingly preferred by attackers or leave themselves exposed as they become pervasive. We’d recommend immediately blocking shortcut files received as email attachments or downloaded from the web where possible.”

In addition to the increase in LNK files, the HP Wolf Security threat research team has highlighted the following insights this quarter:

HTML smuggling reaches critical mass – HP identified several phishing campaigns using emails posing as regional post services or – as predicted by HP – major events like Doha Expo 2023 (which will attract 3M+ global attendees) that used HTML smuggling to deliver malware. Using this technique, dangerous file types that would otherwise be blocked by email gateways can be smuggled into organizations and lead to malware infections.
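The two delivery vectors described above – shortcut files hidden inside ZIP attachments and HTML smuggling – are both things an email gateway or mail-flow hook can check for before a user ever sees the attachment. The following Python routine is an added example of that kind of triage; it is not HP's tooling and is not from the report. It identifies LNK files by their header bytes (HeaderSize 0x4C plus the Shell Link CLSID, from the public format specification) rather than by extension, recurses into ZIP attachments and flags entries it cannot inspect because they are encrypted, and scores HTML attachments on the browser-side reassembly idioms that HTML smuggling depends on. The indicator list, nesting limit, the `triage_attachment` name and the sample attachments are constructed assumptions for the demonstration.

```python
import io
import re
import zipfile

# Shell Link (LNK) files start with HeaderSize = 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# JavaScript idioms typical of HTML smuggling: the payload is decoded and
# reassembled in the browser, then handed to the user as a file download.
# (Assumed indicator list; tune it against your own mail traffic.)
HTML_SMUGGLING_PATTERNS = [
    re.compile(rb"atob\s*\(", re.I),
    re.compile(rb"new\s+Blob\s*\(", re.I),
    re.compile(rb"createObjectURL\s*\(", re.I),
    re.compile(rb"msSaveOrOpenBlob|msSaveBlob", re.I),
    re.compile(rb"\.download\s*=", re.I),
]
MIN_HTML_HITS = 2   # require two independent idioms before flagging
MAX_DEPTH = 3       # how many nested archives to unpack


def is_lnk(data: bytes) -> bool:
    """Detect a shortcut file by its header, independent of the filename."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def looks_like_html(name: str, data: bytes) -> bool:
    head = data.lstrip()[:15].lower()
    return name.lower().endswith((".html", ".htm")) or head.startswith((b"<!doctype html", b"<html"))


def html_smuggling_hits(data: bytes) -> list[str]:
    return [p.pattern.decode() for p in HTML_SMUGGLING_PATTERNS if p.search(data)]


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return human-readable findings for one attachment; [] means nothing suspicious."""
    findings: list[str] = []
    if is_lnk(data) or name.lower().endswith(".lnk"):
        findings.append(f"{name}: Windows shortcut (LNK) attachment")
    if looks_like_html(name, data):
        hits = html_smuggling_hits(data)
        if len(hits) >= MIN_HTML_HITS:
            findings.append(f"{name}: HTML with smuggling indicators {hits}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append(f"{name}: archive nested deeper than {MAX_DEPTH} levels")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner_name = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # encrypted entry: cannot be inspected
                    findings.append(f"{inner_name}: encrypted archive entry, not inspectable")
                    continue
                # Sample archives here are tiny; cap decompressed size in production.
                findings.extend(triage_attachment(inner_name, zf.read(info), depth + 1))
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed sample attachments for the demo (not real malware)."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60  # header bytes only, not a usable shortcut
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"nothing to see here")
    smuggling_html = (
        b"<html><body><script>"
        b"var b = new Blob([Uint8Array.from(atob('AAAA'), c => c.charCodeAt(0))]);"
        b"var a = document.createElement('a'); a.href = URL.createObjectURL(b);"
        b"a.download = 'report.zip'; a.click();"
        b"</script></body></html>"
    )
    return {
        "invoice.zip": zip_buf.getvalue(),
        "report.html": smuggling_html,
        "notes.txt": b"plain text, nothing suspicious",
    }


if __name__ == "__main__":
    for attachment_name, content in build_samples().items():
        print(attachment_name, "->", triage_attachment(attachment_name, content) or "clean")
```

Matching on the LNK header rather than the `.lnk` extension matters because the shortcut is often renamed to mimic a document, and the double-extension trick only works when users see the name, not when a scanner sees the bytes. Encrypted ZIP entries are reported rather than silently skipped, since a password-protected archive is itself a common way to get past gateway scanning.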

Attackers exploit the window of vulnerability created by the Follina (CVE-2022-30190) zero-day – Following its disclosure, multiple threat actors exploited the recent zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) – dubbed ‘Follina’ – to distribute QakBot, Agent Tesla, and the Remcos RAT (Remote Access Trojan) before a patch was available. The vulnerability is particularly dangerous because it lets attackers run arbitrary code to deploy malware, and requires little user interaction to exploit on target machines.

Novel execution technique sees shellcode hidden in documents spread SVCReady malware – HP uncovered a campaign distributing a new malware family called SVCReady, notable for the unusual way it is delivered to target PCs – through shellcode hidden in the properties of Office documents. The malware – mainly designed to download secondary malware payloads to infected computers after collecting system information and taking screenshots – is still in an early stage of development, having been updated several times in recent months.

The data for the report was gathered anonymously from HP Wolf Security customer virtual machines between April and June 2022.
