
Leading malware campaigns are abusing genuine Windows shortcuts to bypass Microsoft's VBA macro block

The likes of Emotet and Qakbot, as well as Russia-linked state-sponsored hackers, have all pivoted to the new infection technique

A number of the world’s most pervasive malware campaigns have switched infection tactics after Microsoft blocked VBA macros by default.

The likes of Emotet and Qakbot have both been observed abusing Windows Explorer and LNK files as an alternative infection technique, from the second quarter of 2022 onwards.

Microsoft's ban on VBA macros in February was welcomed almost universally, and was considered a long-overdue move from the company in light of cyber attackers having abused the feature to distribute malware for years.

Blocking VBA macros meant Microsoft prevented the execution of commands from untrusted sources, such as an Excel document downloaded from an email, so hackers have pivoted to abusing trusted contexts like Windows Explorer instead, Sentinel Labs researchers said.

Windows Explorer is the most popular living-off-the-land binary (LOLbin) abused in these types of attacks, Sentinel Labs researchers said, and attackers are abusing it to distribute malicious Windows shortcut files (LNK files).

Windows Explorer was the most-abused LOLbin by far, according to the cyber security company’s figures, with 87.2% prevalence. This was followed by PowerShell at 7.3%, then Windows Script Host (wscript) at 4.4%, and rundll32 at 0.5%.

A total of 27,510 malicious LNK samples were analysed from the open source security intelligence platform VirusTotal, the company said, and a research co-author said a surprising observation was that the Microsoft Malware Protection Engine (msmpeng) wasn’t more widely abused.

MsMpEng has previously been used by the likes of the now-shuttered REvil ransomware operation in its supply chain attack on Kaseya to side-load malware.

In almost all of the malicious LNK samples that were analysed (92.526%), the Windows Command Prompt was the target, which then executed Windows commands and/or attacker-provided files.

These commands typically spanned tasks like flow control, file manipulation, executing attacker-supplied code in LOLbins like Explorer, information gathering and reconnaissance, and controlling the output of the command interpreter.
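Defenders can triage the shortcut files themselves rather than waiting for the Command Prompt to launch. The following inspector is an added example, not code from Sentinel Labs or IT Pro: it reads the Shell Link header and string fields (per Microsoft's MS-SHLLINK layout), skips the IDList and LinkInfo blocks, and flags a shortcut whose target is one of the LOLbins named in the article (cmd.exe is the Command Prompt binary) and which also carries a command line. The LOLBINS list, field names and the constructed sample shortcuts are assumptions of this example; a production parser would also decode the target path held in the LinkTargetIDList, which is skipped here.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# LOLbins the article reports as the usual LNK targets; cmd.exe alone covers ~92.5% of samples.
LOLBINS = ("cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe", "explorer.exe")

def parse_lnk(data: bytes) -> dict:
    """Read the ShellLinkHeader, skip LinkTargetIDList/LinkInfo, and decode the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")   # HeaderSize must be 0x4C and CLSID must match
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) followed by the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize (4 bytes) counts the whole structure, itself included
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                      ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):
        if flags & bit:         # CountCharacters (2 bytes) then the string, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields

def classify_lnk(data: bytes) -> dict:
    """Flag a shortcut whose target is a known LOLbin and which passes it a command line."""
    f = parse_lnk(data)
    target = f.get("relative_path", "").lower()   # assumption: target is in RELATIVE_PATH, not only the IDList
    lolbin = next((b for b in LOLBINS if target.endswith(b)), None)
    args = f.get("arguments", "")
    return {"target": target, "lolbin": lolbin, "arguments": args,
            "suspicious": lolbin is not None and args != ""}

def build_lnk(relative_path: str, arguments: str, idlist: bytes = b"") -> bytes:
    """Constructed test input only: a minimal Unicode LNK with optional opaque IDList and no LinkInfo."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE | (HAS_IDLIST if idlist else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)   # remaining header fields zeroed
    body = struct.pack("<H", len(idlist)) + idlist if idlist else b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body

# Constructed samples: a cmd.exe shortcut with arguments (and a bare TerminalID IDList) and a benign document link.
SUSPICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c echo constructed-sample", b"\x00\x00")
BENIGN_LNK = build_lnk(r"..\Documents\report.docx", "")
```

Run `classify_lnk` over the LNK files attached to inbound mail or extracted from ISO/ZIP containers; a hit on `suspicious` is a triage signal, not proof of maliciousness, since legitimate shortcuts to cmd.exe with arguments also exist.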

[Figure: LOLbin prevalence in malicious LNK shortcuts. Source: Sentinel Labs]

The shift towards LNK files over VBA macros is a relatively new one, but one that’s being made by many threat actors. 

Sentinel Labs said tools like NativeOne’s mLNK tool, a malicious LNK generator, have been released recently to help cyber criminals more easily create LNK-abusing malware campaigns. 

QuantumBuilder is another tool that’s similar to mLNK that features an intuitive user interface. Advertising campaigns for this tool first surfaced in May 2022, the researchers said.

Additionally, Russian state-sponsored cyber criminals have been found abusing the brand-new penetration testing tool Brute Ratel C4. The latest red teaming tool to gain popularity has been dubbed ‘the next Cobalt Strike’ and also uses LNK files to infect victims with malware.

In March, Google Threat Analysis Group (TAG) identified initial access broker (IAB) Exotic Lily using LNK shortcuts to drop malicious ISO files in ransomware-for-hire campaigns.

The new tools and techniques have all surfaced after Microsoft first announced that it would block VBA macros by default. Since then, it temporarily backtracked on the decision, but recently said macros will be blocked for good.
