Sunday, June 16, 2024

Hackers Switching from Weaponized Office Documents to CHM & LNK Files

Malware distribution methods have changed significantly in the cyber threat landscape. Data analysis shows that Microsoft Office document files are no longer the preferred medium for delivering malware. 

Cybercriminals are using more complex and elusive methods, such as alternative file formats and evasive techniques, reads the ASEC report.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

The New Trend

MS Office document files have been used for a long time to spread malware, from simple information stealers to sophisticated APT attacks. 

However, there is a clear change in how malware is delivered, affecting the role of MS Office products in this scenario.

In the past, attackers used macros in Word and Excel documents to download more malware from malicious URLs. 

However, this method has changed to using compressed executables in formats like ZIP, R00, GZ, and RAR or disk image files like IMG as email attachments. 

This means that fewer Word and Excel files contain malware through hidden Office VBA macro code or Excel 4.0 (XLM) macros.

1-1. CHM (Windows Help Files)

There was a big increase in the use of Windows Help files (*.chm) to distribute malware in the second quarter of 2022. 

This happened at the same time as the decrease in the use of Word and Excel files for malware distribution. 

This shows that attackers are using different file formats that are not part of the MS Office suite to target users. 

These CHM files often have catchy names, such as ‘COVID-19 Positive Test Results Notice,’ to attract users’ attention.

1-2. LNK (Shortcut Files)

In the second quarter of 2022, the notorious Emotet malware also changed its distribution method from MS Office products to LNK files

Emotet had previously used VBA macro codes and Excel 4.0 (XLM) macros to spread malware, so this change is important for anti-malware solutions. 

The background of these attacks suggests that the same attacker switched from MS Office to LNK files, following a similar pattern as the malicious CHM distribution process.

The change from using Word and Excel files to deliver malware has two benefits for cybercriminals. 

It makes it harder to detect malware in document editing programs by static analysis, and it also makes it harder to identify the malware itself. 

Attackers are using normal Windows processes and running malware without creating any files when they load malicious data, which makes it more difficult for security measures.

MS Office files are less used for distributing malware due to Microsoft’s announcement in early to mid-2021 about disabling Excel macros by default.

As a result, attackers have looked for new ways to avoid detection by anti-malware products.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles