LNK files is one of the most common way of hacking into enterprise environment

HP has highlighted a new wave of cybercriminals who spread families of ‘malware’ in business environments using files with shortcuts or links (so-called LNK) to distribute ‘malware’. It is one of the conclusions reached in its latest global report, which provides an analysis of cyber attacks in the real world and focuses on the methods most used to threaten companies and companies.

Specifically, the technology company points out that there has been a wave of cyberattacks whose protagonists are families of ‘malware’ such as QakBot, IceID, Emotet and RedLine Stealer, using files with the nomenclature ‘.lnk’.

LNKs are Windows shortcut files that can contain malicious code and are used to abuse legitimate system tools, such as running Microsoft HTML application files. According to HP, shortcuts are replacing Office macros as they require too much user intervention and risk alerts to overcome. In this way, shortcuts are a trap through which attackers trick their victims into infecting their PCs. This access to company systems can be used to steal relevant company information or sell it to ‘ransomware’ groups. ‘, which can lead to large-scale data breaches.

It is not surprising then that, after carrying out an analysis, HP has verified an 11 percent increase in compressed files containing ‘malware’, among which those of the LNK type stand out. Specifically, it is common for attackers to place shortcut files in ZIP attachments, in order to evade email security scanners in business environments.

Additionally, the research team has detected LNK malware available for purchase on hacker forums, making it easier for cybercriminals to opt for this technique of executing malicious code. Separately, HP has exposed another case where attackers took advantage of the flaw created by the zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), also called ‘Follina’, to distribute OakBot, Agent Tesla and the Remcos RAT remote access Trojan before a patch was available.

Likewise, a new execution technique has been identified that spreads the SVCReady malware in the shellcode hidden in documents. This campaign stands out precisely because of the unusual way in which it is distributed to PCs.   

HP has highlighted other conclusions reached in this analysis and has pointed out that threat actors used a greater number of malware families in their attempts to infect organizations (593 compared to 545 in the previous quarter).

Likewise, the technology company has put the focus on new malicious file formats used to evade detection, since its collected data indicates that 14 percent of email malware evaded at least one gateway scanner by email.

HP has also highlighted that 69 percent of detected malware was sent via email, while web downloads were responsible for 17 percent of cyberattacks. Likewise, it has been pointed out that the most common ‘phishing’ scams were transactions such as ‘Order’, ‘Payment’, ‘Purchase’, ‘Request’ and ‘Invoice’.