Microsoft’s move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor’s LNK files – the shortcuts Windows uses to point to other files.
“When Microsoft announced the changes to macro behavior in Office at the end of 2021, very few of the most prevalent malware families used LNK files as part of their initial infection chain,” Guilherme Venere, threat researcher at Talos, wrote in a report dated January 19. “In general, LNK files are used by worm type malware like Raspberry Robin in order to spread to removable disks or network shares.”
The files are also helping criminals gain initial access into victims’ systems before running such threats as the Qakbot backdoor malware, malware loader Bumblebee, and IcedID, a malware dropper, according to the Talos researchers.
The advanced persistent threat (APT) group Gamaredon has also put LNK files to work, including a campaign that started in August 2022 against organizations in Ukraine.
The shift to other techniques and tools in the wake of Microsoft’s VBA macros move was swift. Soon after the macros were blocked, Proofpoint researchers noted that cybercriminals were looking for alternatives, including ISO and RAR attachments, plus LNK files.
In December, Talos researchers said that some APT groups and malware families were moving to XLL files in Excel.
Microsoft closes off two avenues of attack: Office macros, RDP brute-forcing
Threat groups’ ability to adapt isn’t surprising, according to Mike Parkin, senior technical engineer at Vulcan Cyber. “We’ve seen threat actors evolve rapidly in response to changes in their target’s defenses or to changes in attack surface,” he told The Register. “Office macros had been a favorite vector, so it was no surprise attackers found something else to use in the form of LNK (link) files.”
Using malicious LNK file for initial access “is a clever technique that’s been used for years, including in the Stuxnet attacks that were first uncovered in 2010,” Phil Neray, vice president of cyber defense strategy at CardinalOps, told The Register. “It’s an effective technique because it exploits a fundamental feature of Windows, which is to automatically launch executables using the metadata stored in the LNK file.”
It was while tracking commodity malware groups that Talos analysts saw the increasing popularity of malicious LNK files as the method used for gaining initial access to download and executive payloads, Venere wrote.
The very nature of LNK files makes them attractive to miscreants. In particular, the LNK format stores a lot of information about the target object and about the application behavior and metadata of the system in which the LNK file was created. The metadata itself contains other data about the target file’s attributes.
There also are tools available to the public for parsing and analyzing the LNK structure – such as Google’s free LNK Parser – that also can be used by criminals.
In addition, attackers are developing their own malicious LNK files through publicly available builder tools like MLNK Builder, Quantum Builder, and RustLNKBuilder, which help them evade detection.
“By carefully crafting these LNK files, threat actors can get them to bypass some of the safeguards in place and have them execute download and execute malicious code, amongst other things,” Vulcan Cyber’s Parkin said. “Attackers’ quick change of approach from macros to LNK files points out that we are dealing with adversaries who can be quite creative in finding new ways to abuse existing functionality.”
Many of the tools used by the criminals leave information in the metadata that can help threat researchers link them to the malicious groups, Talos’ Venere wrote, adding that the Talos researchers saw many of the builders wiped off the metadata from the file, an indication of suspicious behavior.
That said, Talos used the metadata in samples to identify many of the threat groups using malicious LNK files and to detect relationships – including Bumblebee’s connection to both Qakbot and IcedID – through such tells as use of the same Drive Serial Number and hashes by the different groups.
“By analyzing and tracking information leaked through metadata, and correlating this information with other actors’ tactics, techniques and procedures, defenders can develop better detections and even predict future behavior, to prepare for an attack,” he wrote. ®