Microsoft’s move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor’s LNK files – the shortcuts Windows uses to point to other files.
“When Microsoft announced the changes to macro behavior in Office at the end of 2021, very few of the most prevalent malware families used LNK files as part of their initial infection chain,” Guilherme Venere, threat researcher at Talos, wrote in a report dated January 19. “In general, LNK files are used by worm type malware like Raspberry Robin in order to spread to removable disks or network shares.”
The files are also helping criminals gain initial access into victims’ systems before running such threats as the Qakbot backdoor malware, malware loader Bumblebee, and IcedID, a malware dropper, according to the Talos researchers.
The advanced persistent threat (APT) group Gamaredon has also put LNK files to work, including a campaign that started in August 2022 against organizations in Ukraine.
The shift to other techniques and tools in the wake of Microsoft’s VBA macros move was swift. Soon after the macros were blocked, Proofpoint researchers noted that cybercriminals were looking for alternatives, including ISO and RAR attachments, plus LNK files.
In December, Talos researchers said that some APT groups and malware families were moving to XLL files in Excel.
Threat groups’ ability to