Hackers have found a sneaky new way to infect Windows devices

By Sead Fadilpašić
published

Say goodbye to malicious Office macros, and hello to...shortcuts?

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

The operators of Emotet, one of the world’s most dangerous malware variants, have moved away from using Microsoft Office macros for distribution, and towards Windows shortcut files (.lnk).

As per a BleepingComputer report, cybersecurity researchers have observed Emotet using PowerShell commands attached to the .lnk file to download and run a malicious script on the target endpoint (opens in new tab)

The script is said to be relatively well hidden, not showing in the file’s properties, under “Target”.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Disabling macros

The shortcut file carries URLs for “several” compromised websites that store the malicious PowerShell script. If a victim runs the shortcut file, and the website still hosts the malware, it will download it to the system’s Temp folder with a random name, and then run it using regsvr32.exe.

Cybersecurity researchers from ESET are claiming that Emotet’s new distribution method works best in Mexico, Italy, Japan, Turkey, and Canada. 

Emotet was forced into abandoning macros after Microsoft made it impossible for users of Word, Excel, Access, PowerPoint, and Visio, to run any VBA macros in “untrusted” documents.

In an announcement made in early February this year, it was said that all files shared from outside the company network will be deemed “untrusted”, meaning all files coming from the same domain should still be able to keep their macros.

Read more

> Emotet might be gone – but malware is here to stay (opens in new tab)

> Microsoft Office is finally making this vital security change across Excel, Word and more (opens in new tab)

> Microsoft to disable old-school macros to shield users from attacks (opens in new tab)

Macros are a big deal, for both businesses, and cybercriminals. They are usually used to automate various tasks, such as importing or updating data coming from third-party sources. But the problem is that they can easily be abused by malicious actors to distribute ransomware (opens in new tab), malware, steal sensitive data, or for other nefarious deeds.

For years, criminal groups have been sharing macro-powered malicious Office documents, preying on gullible or exhausted workers. Payment receipts, warnings of failed payments, job offers, Covid-19 and vaccine information, are just some of the document types crooks would share to have people run macros and infect their endpoints with viruses.

Via BleepingComputer (opens in new tab)

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news