Not long ago the advice was to tell your clients not to click on .EXE files, and email server security let administrators reject emails carrying those attachments. Not to be outdone, cybercriminals found other ways in.
A SentinelOne article explains that, to bypass those security measures, attackers began delivering malware via file types such as .LNK, which email servers did not block. .LNK files are, after all, ordinary Windows shortcut files that let users link to an executable instead of navigating through the file structure to find it each time it’s needed.
Trend Micro points out that using .LNK files to deliver malware really isn’t new. It emerged as an attack vector as early as 2013, and last year, as Trend Micro reports, “Trojan downloaders used a .zip within a .zip to disguise a .LNK file attachment that led to Locky ransomware.”
According to recent findings, .LNK is still a go-to strategy for cyberattacks. McAfee reports a 24 percent increase in attacks using .LNK files in Q1 2018.
How to Know When a .LNK File Is a Malicious .LNK File
In his article for Infosecurity, John Cloonan, director of products for Lastline, explains that a great deal of antimalware is signature-based. This method of detection identifies known malware by its unique signature. An algorithm scans an object to determine its signature and, therefore, what it is. Antimalware solution providers keep databases of millions of signatures of known malicious objects. When the algorithm finds a match, it blocks the object, providing protection from known threats.
The problem with relying only on signature-based malware detection is that it doesn’t flag common file types, such as .LNK, as malicious, so a cybercriminal can find ways to use them to slip through. And by the time a file is identified as malicious and entered into the solution provider’s database, it can spread, literally virally, and wreak a lot of havoc. The Cisco 2017 Annual Cybersecurity Report states that 95 percent of the malware files Cisco analyzed were less than 24 hours old, too new to have been caught by a signature-based detection system.
A better type of antimalware for defending against attacks that use file types such as .LNK is behavior-based. A behavior-based malware detection engine uses patterns of malicious behavior to spot malicious files. Finjan Cybersecurity explains that this heuristic approach, which is more problem-solving in nature than comparing a signature against a list of known threats, can look for behaviors such as sending out a high volume of emails, modifying keystrokes, or attempting to alter host files. Behavior-based malware detection is also valuable against malware with polymorphic signatures: because it doesn’t rely on a specific signature, the malware’s behavior will flag it even when the signature changes.
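To make the contrast concrete, here is an added Python example (not from the article or from any vendor it names) that parses the header and string sections of a .LNK file and runs both kinds of check over constructed samples: a SHA-256 "signature" lookup, which a one-character change to the shortcut's arguments defeats, and a small behavior heuristic that looks at what the shortcut would launch and how. The LinkFlags bits, CLSID and ShowCommand value are the standard MS-SHLLINK definitions; the sample paths and URL are constructed.

```python
import hashlib
import struct
# ShellLinkHeader LinkFlags bits and the shell-link CLSID (standard MS-SHLLINK values, not from the article).
HAS_IDLIST, HAS_LINK_INFO, HAS_REL_PATH, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x08, 0x20, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon"))  # fixed StringData order, each gated by its flag bit
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")

def build_lnk(relative_path, arguments, show_command=1):
    """Constructed sample: minimal shell link with header + StringData only (no IDList, no LinkInfo)."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    unicode_str = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + unicode_str(relative_path) + unicode_str(arguments)

def parse_lnk(data):
    """Read the header and StringData of a .LNK: enough to see what it would launch and how."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, show_command = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:   # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {"show_command": show_command}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + count * width].decode(codec)
            pos += 2 + count * width
    return fields

def signature_match(data, known_bad_sha256):
    # Signature-style check: only bytes already catalogued are caught; one changed byte evades it.
    return hashlib.sha256(data).hexdigest() in known_bad_sha256

def behavior_flags(fields):
    """Behavior-style check: judge what the shortcut would do on double-click, whatever its hash."""
    target, args = fields.get("relative_path", "").lower(), fields.get("arguments", "").lower()
    reasons = []
    if target.endswith(INTERPRETERS):
        reasons.append("launches a command/script interpreter instead of a document or program")
    if "http://" in args or "https://" in args:
        reasons.append("arguments reference a remote URL")
    if fields["show_command"] == 7:  # SW_SHOWMINNOACTIVE: window never brought to the foreground
        reasons.append("window kept out of sight on launch")
    return reasons
```

Real shortcuts usually also carry an IDList and LinkInfo block, which the parser skips over by size, so the heuristic sees the same fields either way.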
We Know What You’re Thinking, and the Answer is Not Anytime Soon
As an ISV, you can count on one thing: the problem of protecting your clients from malware attacks disguised as benign files is not going away as long as these tactics keep delivering malware and cyberattackers can monetize them. Behavior-based malware detection isn’t a perfect solution, but it provides a higher level of defense than signature-based detection alone. Equip your clients with all possible tools to keep them safe.