Cyberattacks with LNK files on the rise in business environments

HP has detected a new wave of cybercriminals spreading ‘malware’ families in business environments using shortcut files (LNK)

HP has noted, in its latest global HP Wolf Security Threat Insights report on real-world cyberattacks, that the most common attacks now arrive via shortcut files (LNK). In fact, they have become the most used method for threatening businesses and companies.

The technology company points out that there has been a wave of cyberattacks led by ‘malware’ families such as QakBot, IcedID, Emotet and RedLine Stealer, using files with the ‘.lnk’ extension.

LNK files are Windows shortcuts that can carry malicious code and are used to abuse legitimate system tools, for example to run Microsoft HTML Application (HTA) files.

According to HP, shortcuts are replacing Office macros, which now require too much user interaction and trigger too many security warnings for attackers to get past. Shortcuts thus serve as the lure through which attackers trick their victims into infecting their own PCs.

Such access to company systems can be used to steal sensitive company information or be sold on to ransomware groups, which can lead to large-scale breaches.

It is not surprising, then, that after carrying out an analysis HP has recorded an 11 percent increase in compressed files containing ‘malware’, among which those of the LNK type stand out.

Specifically, attackers commonly place shortcut files inside ZIP attachments in order to evade email security scanners in business environments.
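As an added illustration of how a mail gateway can catch this pattern (this is not code from HP's report), the script below unpacks a ZIP attachment, parses each .lnk's ShellLinkHeader and StringData according to the MS-SHLLINK layout, and flags shortcuts whose target or arguments name a system tool such as mshta.exe. The sample archive and shortcut it builds are constructed inside the script, and the SUSPICIOUS_TOOLS watch list is an assumption.

```python
# Added example: scan a ZIP attachment for Windows shortcuts that launch system tools.
import io, struct, zipfile
LNK_HEADER_SIZE = 0x4C
# MS-SHLLINK LinkFlags bits that decide which optional structures follow the header.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SUSPICIOUS_TOOLS = ("mshta", "powershell", "cmd.exe", "rundll32", "wscript", "cscript")  # assumed list

def parse_lnk_strings(data):
    """Return the StringData fields (name, relpath, workdir, args, icon) of a .lnk file."""
    if struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:    # LinkTargetIDList: uint16 size, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relpath"), (HAS_WORK_DIR, "workdir"),
                     (HAS_ARGS, "args"), (HAS_ICON, "icon")):
        if flags & bit:  # each field: uint16 character count, then the characters
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return out

def scan_zip(zip_bytes):
    """Return [(member, tools)] for every .lnk whose target or arguments name a suspicious tool."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".lnk"):
                f = parse_lnk_strings(zf.read(name))
                cmd = (f.get("relpath", "") + " " + f.get("args", "")).lower()
                hits = [t for t in SUSPICIOUS_TOOLS if t in cmd]
                if hits: findings.append((name, hits))
    return findings

def build_sample_lnk(relpath, args):  # constructed minimal link: header + Unicode StringData only
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, clsid, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += b"\0" * (LNK_HEADER_SIZE - len(header))
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))

def build_sample_zip():  # constructed attachment: a decoy text file plus an mshta shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "decoy")
        zf.writestr("invoice.pdf.lnk", build_sample_lnk("..\\Windows\\System32\\mshta.exe", "payload.hta"))
    return buf.getvalue()
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their size fields before reading the command line.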

In addition, the research team has found LNK malware builders for sale on hacker forums, making it easier for cybercriminals to adopt this technique for executing malicious code.

Along the same lines, HP Wolf Security has identified several ‘phishing’ campaigns using emails that impersonated regional postal services. Among them were those flagged in the run-up to Expo 2023 in Doha, when cybercriminals mass-mailed HTML files to carry out their attacks.

Separately, HP has described another case in which attackers exploited the zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), known as ‘Follina’, to distribute QakBot, Agent Tesla and the Remcos remote access Trojan (RAT) before a patch was available.

Likewise, a new execution technique has been identified that spreads the SVCReady malware via shellcode hidden in documents. This campaign stands out precisely because of the unusual way it is delivered to PCs.

The number of malware families grows

HP has highlighted other conclusions from this analysis and has pointed out that threat actors used a greater number of ‘malware’ families in their attempts to infect organizations (593, compared to 545 in the previous quarter).

Likewise, the technology company has put the focus on new malicious file formats used to evade detection, since its collected data indicates that 14 % of email malware evaded at least one email gateway scanner.

HP has also highlighted that 69 % of detected malware was sent via email, while web downloads were responsible for 17 % of cyberattacks. Likewise, it has pointed out that the most common phishing lures were transaction themes such as ‘Order’, ‘Payment’, ‘Purchase’, ‘Request’ and ‘Invoice’.


Source: dpa
