Beware of LNK Attachments and Malicious SVG Files

JavaScript attachments are still used to infect computers with malware and ransomware, but a new trend has emerged that is seeing cybercriminals switch to malicious SVG files. Malicious LNK files are also growing in popularity. The reasoning behind the switch in file types is clear. They are much less likely to arouse suspicion; therefore, they are more likely to be opened.

JavaScript has been extensively used over the past 12 months as a malware downloader. Malicious email attachments containing JavaScript code – or JavaScript files – have been highly effective. However, for most computer users, JavaScript files are rarely encountered. A zip file may be extracted if the email recipient is made to believe that the file is benign, but many individuals would think twice about double clicking on a .js file.

Cybercriminals often obfuscate JavaScript using a variety of techniques – the use of double file extensions for instance. However, anti-virus and anti-spam solutions are now much more widely used and they are better at detecting and blocking malicious attachments. It is becoming much harder to sneak these malicious files past malware detection systems and also to get end users to open these attachments.

Google has also announced that it will soon be blocking JavaScript on Gmail. Users will not be able to send or receive JavaScript files, and the contents of ZIP files will also be scanned for JavaScript. The natural step for cybercriminals is to use alternative file types to infect end users. That is exactly what is happening.

Last week, Microsoft’s Malware Protection Center issued a warning about a new trend for malware distribution. There was an increase in malicious SVG files and LNK files were also becoming more popular. LNK files are Windows shortcut files. They usually point to an executable file stored elsewhere. Rather than combine LNK files with malicious JavaScript, cybercriminals are using PowerShell scripts. These are attached to LNK files. If the files are opened, the PowerShell scripts run and download malware or ransomware.

SVG files – or Scalable Vector Graphics files to give them their full name – are image files. In the case of malicious SVG files, obfuscated JavaScript is included. If the malicious SVG files are opened, the JavaScript downloads the malicious payload.

Malicious LNK files are easy to block with a spam filtering solution as it is unusual for these files to be sent via email. The SVG image format is more commonly used, so while these files could be blocked by an antispam solution, doing so would likely have an impact on some end users.

Given the change in the file types used to spread malware and ransomware, organizations should take action to prevent infection. End users should be warned about these file types and told to exercise caution. Policies should also be introduced that prohibit the sending of these file types via email. Better still, both file types should be blocked by a spam filter. If they are needed, an alternative method of transferring these files should be used: Google Drive or Dropbox for example.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of