Sunday, November 10, 2024
HomeCyber Security NewsHackers Switching from Weaponized Office Documents to CHM & LNK Files

Hackers Switching from Weaponized Office Documents to CHM & LNK Files

Published on

Malware protection

Malware distribution methods have changed significantly in the cyber threat landscape. Data analysis shows that Microsoft Office document files are no longer the preferred medium for delivering malware. 

Cybercriminals are using more complex and elusive methods, such as alternative file formats and evasive techniques, reads the ASEC report.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

- Advertisement - SIEM as a Service

The New Trend

MS Office document files have been used for a long time to spread malware, from simple information stealers to sophisticated APT attacks. 

However, there is a clear change in how malware is delivered, affecting the role of MS Office products in this scenario.

In the past, attackers used macros in Word and Excel documents to download more malware from malicious URLs. 

However, this method has changed to using compressed executables in formats like ZIP, R00, GZ, and RAR or disk image files like IMG as email attachments. 

This means that fewer Word and Excel files contain malware through hidden Office VBA macro code or Excel 4.0 (XLM) macros.

1-1. CHM (Windows Help Files)

There was a big increase in the use of Windows Help files (*.chm) to distribute malware in the second quarter of 2022. 

This happened at the same time as the decrease in the use of Word and Excel files for malware distribution. 

This shows that attackers are using different file formats that are not part of the MS Office suite to target users. 

These CHM files often have catchy names, such as ‘COVID-19 Positive Test Results Notice,’ to attract users’ attention.

1-2. LNK (Shortcut Files)

In the second quarter of 2022, the notorious Emotet malware also changed its distribution method from MS Office products to LNK files. 

Emotet had previously used VBA macro codes and Excel 4.0 (XLM) macros to spread malware, so this change is important for anti-malware solutions. 

The background of these attacks suggests that the same attacker switched from MS Office to LNK files, following a similar pattern as the malicious CHM distribution process.

The change from using Word and Excel files to deliver malware has two benefits for cybercriminals. 

It makes it harder to detect malware in document editing programs by static analysis, and it also makes it harder to identify the malware itself. 

Attackers are using normal Windows processes and running malware without creating any files when they load malicious data, which makes it more difficult for security measures.

MS Office files are less used for distributing malware due to Microsoft’s announcement in early to mid-2021 about disabling Excel macros by default.

As a result, attackers have looked for new ways to avoid detection by anti-malware products.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...