Security News > 2023 > January > Microsoft took its macros and went home, so miscreants turned to Windows LNK files

Microsoft's move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor's LNK files - the shortcuts Windows uses to point to other files.

The files are also helping criminals gain initial access into victims' systems before running such threats as the Qakbot backdoor malware, malware loader Bumblebee, and IcedID, a malware dropper, according to the Talos researchers.

The advanced persistent threat group Gamaredon has also put LNK files to work, including a campaign that started in August 2022 against organizations in Ukraine.

Using malicious LNK file for initial access "Is a clever technique that's been used for years, including in the Stuxnet attacks that were first uncovered in 2010," Phil Neray, vice president of cyber defense strategy at CardinalOps, told The Register.

It was while tracking commodity malware groups that Talos analysts saw the increasing popularity of malicious LNK files as the method used for gaining initial access to download and executive payloads, Venere wrote.

That said, Talos used the metadata in samples to identify many of the threat groups using malicious LNK files and to detect relationships - including Bumblebee's connection to both Qakbot and IcedID - through such tells as use of the same Drive Serial Number and hashes by the different groups.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/23/threat_groups_malicious_lnk/