Microsoft took its macros and went home, so miscreants turned to Windows LNK files

Microsoft's move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor's LNK files – the shortcuts Windows uses to point to other files.

"When Microsoft announced the changes to macro behavior in Office at the end of 2021, very few of the most prevalent malware families used LNK files as part of their initial infection chain," Guilherme Venere, threat researcher at Talos, wrote in a report dated January 19. "In general, LNK files are used by worm-type malware like Raspberry Robin in order to spread to removable disks or network shares."

The files are also helping criminals gain initial access to victims' systems before running such threats as the Qakbot backdoor malware, the malware loader Bumblebee, and IcedID, a malware dropper, according to the Talos researchers.

The advanced persistent threat (APT) group Gamaredon has also put LNK files to work, including a campaign that started in August 2022 against organizations in Ukraine.

The shift to other techniques and tools in the wake of Microsoft's VBA macros move was swift. Soon after the macros were blocked, Proofpoint researchers noted that cybercriminals were looking for alternatives, including ISO and RAR attachments, plus LNK files.

In December, Talos researchers said that some APT groups and malware families were moving to XLL files in Excel.

Threat groups' ability to adapt isn't surprising, according to Mike Parkin, senior technical engineer at Vulcan Cyber. "We've seen threat actors evolve quickly in response to changes in their target's defenses or to changes in attack surface," he told The Register. "Office macros had been a favorite vector, so it was no surprise attackers found something else to use in the form of LNK (link) files."

Using malicious LNK files for initial access "is a clever technique that's been used for years, including in the Stuxnet attacks that were first uncovered in 2010," Phil Neray, vice president of cyber defense strategy at CardinalOps, told The Register. "It's an effective technique because it exploits a basic feature of Windows, which is to automatically launch executables using the metadata stored in the LNK file."

It was while tracking commodity malware groups that Talos analysts saw the increasing popularity of malicious LNK files as the technique used for gaining initial access to download and execute payloads, Venere wrote.

The very nature of LNK files makes them attractive to miscreants. In particular, the LNK format stores a lot of information about the target object and about the application behavior and metadata of the system on which the LNK file was created. The metadata itself contains further information about the target file's attributes.

There are also tools available to the public for parsing and analyzing the LNK structure – such as Google's free LNK Parser – that can likewise be used by criminals.

In addition, attackers are producing their own malicious LNK files through publicly available builder tools like MLNK Builder, Quantum Builder, and RustLNKBuilder, which help them evade detection.

"By carefully crafting these LNK files, threat actors can get them to bypass some of the safeguards in place and have them execute, download and execute malicious code, amongst other things," Vulcan Cyber's Parkin said. "Attackers' quick change of approach from macros to LNK files points out that we are dealing with adversaries who can be quite creative in finding new ways to abuse existing functionality."

Many of the tools used by the criminals leave information in the metadata that can help threat researchers link them to the malicious groups, Talos' Venere wrote, adding that the Talos researchers saw that many of the builders wiped the metadata from the file, an indication of suspicious behavior in itself.

That said, Talos used the metadata in samples to identify many of the threat groups using malicious LNK files and to discover relationships – including Bumblebee's connection to both Qakbot and IcedID – through such tells as use of the same Drive Serial Number and hashes by the different groups.
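The metadata the report leans on (volume serial number, volume label, local path, and the machine name in the tracker block) sits in fixed places in the MS-SHLLINK layout, so a small parser is enough to pull the pivot fields out of a sample and to notice when a builder has stripped them. The following is an added example, not Talos's tooling or any of the builders named above: it constructs two in-memory shortcut samples (one with full metadata, one with the LinkInfo and TrackerDataBlock omitted), parses them, and applies the two heuristics the report describes. The serial number, volume label, machine name and arguments are constructed values.

```python
"""Minimal MS-SHLLINK metadata extractor (added example, constructed data)."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x02, 0x20, 0x80
TRACKER_SIG = 0xA0000003                       # TrackerDataBlock signature
DRIVE_TYPES = {0: "unknown", 1: "no_root", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))


def _header(flags):
    # ShellLinkHeader is a fixed 76 bytes; timestamps and the rest are left zero.
    return struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20) + b"\0" * (76 - 28)


def _link_info(serial, label, local_path, drive_type=3):
    # VolumeID: size, DriveType, DriveSerialNumber, VolumeLabelOffset (0x10), label.
    vol = struct.pack("<IIII", 0, drive_type, serial, 0x10) + label.encode() + b"\0"
    vol = struct.pack("<I", len(vol)) + vol[4:]
    base = local_path.encode() + b"\0"
    hdr = 0x1C                                 # LinkInfoHeaderSize, no Unicode offsets
    vol_off, base_off = hdr, hdr + len(vol)
    suffix_off = base_off + len(base)          # empty CommonPathSuffix
    total = suffix_off + 1
    return (struct.pack("<IIIIIII", total, hdr, 0x01, vol_off, base_off, 0, suffix_off)
            + vol + base + b"\0")


def _string_data(s):
    # StringData entry: UTF-16LE character count followed by the characters.
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def _tracker_block(machine_id):
    # BlockSize 0x60, signature, Length 0x58, Version 0, 16-byte MachineID,
    # then Droid and DroidBirth (constructed, fixed bytes here).
    body = struct.pack("<II", 0x58, 0) + machine_id.encode().ljust(16, b"\0")
    return struct.pack("<II", 0x60, TRACKER_SIG) + body + bytes(range(64))


def build_sample_lnk(strip_metadata=False):
    """Constructed sample pointing at cmd.exe with a harmless argument string.
    strip_metadata=True omits LinkInfo and the TrackerDataBlock, the pattern
    the report associates with builders that wipe metadata."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (0 if strip_metadata else HAS_LINK_INFO)
    data = _header(flags)
    if not strip_metadata:
        data += _link_info(0x1234ABCD, "OS", r"C:\Windows\System32\cmd.exe")
    data += _string_data("/c echo hello")
    if not strip_metadata:
        data += _tracker_block("desktop-lab01")
    return data + struct.pack("<I", 0)         # TerminalBlock


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("latin-1")


def parse_lnk(data):
    """Return the identifying metadata a defender would pivot on."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    meta = dict.fromkeys(["drive_serial", "drive_type", "volume_label",
                          "local_base_path", "machine_id"] + [k for _, k in STRING_FIELDS])
    pos = 0x4C
    if flags & 0x01:                           # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                    # VolumeIDAndLocalBasePath
            v = pos + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", data, v)
            meta["drive_type"] = DRIVE_TYPES.get(dtype, "invalid")
            meta["drive_serial"] = f"{serial:08X}"
            meta["volume_label"] = _cstr(data, v + label_off)
            meta["local_base_path"] = _cstr(data, pos + base_off)
        pos += li_size
    for bit, key in STRING_FIELDS:             # StringData, in spec order
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * n]
            meta[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * n
    while pos + 4 <= len(data):                # ExtraData blocks until TerminalBlock
        bsize = struct.unpack_from("<I", data, pos)[0]
        if bsize < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_SIG:
            meta["machine_id"] = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("latin-1")
        pos += bsize
    return meta


def triage(meta):
    """Two tells from the report: stripped metadata is suspicious by itself, and
    serials / machine names are the values used to cluster related samples."""
    findings = []
    if meta["drive_serial"] is None and meta["machine_id"] is None:
        findings.append("metadata stripped: no LinkInfo volume and no TrackerDataBlock")
    if meta["arguments"]:
        findings.append("has command-line arguments: " + meta["arguments"])
    return findings


if __name__ == "__main__":
    for stripped in (False, True):
        m = parse_lnk(build_sample_lnk(strip_metadata=stripped))
        print(m["drive_serial"], m["machine_id"], triage(m))
```

Run over a corpus of real samples, the `drive_serial` and `machine_id` values are what you would group by to find shortcuts produced on the same machine, which is the kind of correlation the report used to tie Bumblebee to Qakbot and IcedID; a sample that yields neither value is worth a second look on that basis alone.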

"By analyzing and tracking information leaked through metadata, and correlating this information with other actors' tactics, techniques and procedures, defenders can create better detections and even predict future behavior, to prepare for an attack," he wrote. ®