
Researchers from Cisco Talos on Thursday detailed how Microsoft’s decision last year to block macros prompted threat actors to shift from malicious macros to exploiting Shell Link (LNK) files.

In a blog post, Cisco Talos researchers explained that LNK files are the way the Microsoft Windows Operating System references file objects in local or remote disk locations. They can either point to an actual file or folder, or to a command that needs to be executed with specific parameters.

Threat actors abuse these features to activate or instrument their malware by using LNK files that purport to be benign files of interest to their targets, say the researchers.

Guilherme Venere, a threat researcher at Cisco Talos, said threat actors are usually motivated by two objectives: they either look for financial gain or, in the case of nation-state actors, seek information for espionage. Venere said successful infections of victims are paramount to these malicious campaigns.

“Therefore, threat actors will quickly adapt and experiment with new techniques and discard old methods in favor of something new or more efficient,” explained Venere. “The takeaway from this research is that sometimes these actors forget to cover their tracks. A quick turnaround time and ever-changing techniques lead to residual indicators in malicious artifacts that can be leveraged by defenders to track and block such threats.”

Mike Parkin, senior technical engineer at Vulcan Cyber, said we’ve seen threat actors evolve rapidly in response to changes in their targets’ defenses or to changes in attack surface. Parkin said Office macros had been a favorite vector, so it was no surprise attackers found something else to use in the form of LNK files.

“These files link to various ‘objects’ and are often used as shortcuts, but can contain quite a bit of additional information,” Parkin said. “By carefully crafting these LNK files, threat actors can get them to bypass some of the safeguards in place and have them download and execute malicious code, among other things. The attackers’ quick change of approach from macros to LNK files points out that we are dealing with adversaries who can be quite creative in finding new ways to abuse existing functionality.”

Phil Neray, vice president of cyber defense strategy at CardinalOps, added that initial access via malicious LNK files is a clever technique that's been used for years, including in the Stuxnet attacks that were first uncovered in 2010. Neray said it's an effective technique because it exploits a fundamental feature of Windows, which is automatically launching executables using the metadata stored in the LNK file.

“In these examples, the executable is a PowerShell script that then downloads and executes a malicious binary from a remote, adversary-controlled host,” Neray said. “To protect against this type of adversary playbook, organizations should use endpoint controls to restrict access to LNK files and prevent suspicious execution of PowerShell code, along with email security to scan attachments for malicious files, and network monitoring to prevent access to suspicious hosts.”

Jerrod Piker, competitive intelligence analyst at Deep Instinct, said attackers are using many methods to trick users into launching LNK files that point to malware, such as Emotet and Trickbot, among other nasty families.

“Phishing emails and malicious URLs have been used in recent months by threat actors to this end,” Piker said. “Because LNK files can include command parameters in their launch properties or point to scripting applications such as PowerShell, a user may not even be aware of what’s happening when they interact with a LNK file.”
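The launch properties described above sit in the StringData section of the Shell Link binary format (MS-SHLLINK), where a scanner can read them without opening the shortcut. The Python parser below is an added example, not code from Cisco Talos or anyone quoted in this article; the function names, the script-host watch list and the cp1252 fallback are assumptions. It reads only StringData, so a shortcut whose target is recorded solely in the LinkTargetIDList or LinkInfo sections (both skipped here) needs further parsing.

```python
import struct
# LinkFlags bits defined in the Shell Link binary format specification (MS-SHLLINK)
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Assumed watch list of script hosts; tune it for your environment.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .LNK file."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    try:
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = 76                                   # fixed-size ShellLinkHeader
        if flags & HAS_IDLIST:                     # 2-byte size, then the ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:                   # 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1     # else system code page; cp1252 assumed
        fields = {}
        for bit, name in STRING_FLAGS:             # strings appear in this fixed order
            if flags & bit:
                size = struct.unpack_from("<H", data, pos)[0] * width
                raw = data[pos + 2:pos + 2 + size]
                if len(raw) != size:
                    raise ValueError("truncated StringData")
                fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
                pos += 2 + size
        return fields
    except struct.error as exc:
        raise ValueError("truncated Shell Link file") from exc

def script_hosts_launched(fields: dict) -> list:
    """List watch-listed interpreters named in the shortcut's path or arguments."""
    cmdline = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return [host for host in SCRIPT_HOSTS if host in cmdline]

def build_sample(path: str, args: str) -> bytes:
    """Constructed test input: header plus RELATIVE_PATH and ARGUMENTS strings only."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE).ljust(76, b"\0")
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(path) + enc(args)

if __name__ == "__main__":
    lnk = build_sample(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-NoProfile -Command Write-Output constructed-sample")
    print(parse_lnk(lnk), script_hosts_launched(parse_lnk(lnk)))
```

Run over mail attachments or archive contents, a non-empty result from `script_hosts_launched` marks a shortcut for quarantine or analyst review.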