Hackers Switching from Weaponized Office Documents to CHM & LNK Files

Malware distribution methods have changed significantly in the cyber threat landscape. Data analysis shows that Microsoft Office document files are no longer the preferred medium for delivering malware. 

Cybercriminals are using more complex and elusive methods, such as alternative file formats and evasive techniques, reads the ASEC report.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

The New Trend

MS Office document files have been used for a long time to spread malware, from simple information stealers to sophisticated APT attacks. 

However, there is a clear change in how malware is delivered, affecting the role of MS Office products in this scenario.

In the past, attackers used macros in Word and Excel documents to download more malware from malicious URLs. 

However, this method has changed to using compressed executables in formats like ZIP, R00, GZ, and RAR or disk image files like IMG as email attachments. 

This means that fewer Word and Excel files contain malware through hidden Office VBA macro code or Excel 4.0 (XLM) macros.

1-1. CHM (Windows Help Files)

There was a big increase in the use of Windows Help files (*.chm) to distribute malware in the second quarter of 2022. 

This happened at the same time as the decrease in the use of Word and Excel files for malware distribution. 

This shows that attackers are using different file formats that are not part of the MS Office suite to target users. 

These CHM files often have catchy names, such as ‘COVID-19 Positive Test Results Notice,’ to attract users’ attention.

1-2. LNK (Shortcut Files)

In the second quarter of 2022, the notorious Emotet malware also changed its distribution method from MS Office products to LNK files

Emotet had previously used VBA macro codes and Excel 4.0 (XLM) macros to spread malware, so this change is important for anti-malware solutions. 

The background of these attacks suggests that the same attacker switched from MS Office to LNK files, following a similar pattern as the malicious CHM distribution process.

The change from using Word and Excel files to deliver malware has two benefits for cybercriminals. 

It makes it harder to detect malware in document editing programs by static analysis, and it also makes it harder to identify the malware itself. 

Attackers are using normal Windows processes and running malware without creating any files when they load malicious data, which makes it more difficult for security measures.

MS Office files are less used for distributing malware due to Microsoft’s announcement in early to mid-2021 about disabling Excel macros by default.

As a result, attackers have looked for new ways to avoid detection by anti-malware products.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

4 hours ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

4 hours ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

4 hours ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

4 hours ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

1 day ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

1 day ago