An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
The zero-day vulnerability, tracked by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, refers to an issue that allows bad actors to execute hidden malicious commands on a victim’s machine by leveraging crafted Windows Shortcut or Shell Link (.LNK) files.
“The attacks leverage hidden command line arguments within .LNK files to execute malicious payloads, complicating detection,” security researchers Peter Girnus and Aliakbar Zahravi said in an analysis shared with ZP Enterprises. “The exploitation of ZDI-CAN-25373 exposes organizations to significant risks of data theft and cyber espionage.”
Specifically, this involves the padding of the arguments with Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), Vertical Tab (\x0B), Form Feed (\x0C), and Carriage Return (0x0D) whitespace characters to evade detection.
Nearly a 1,000 .LNK file artifacts exploiting ZDI-CAN-25373 have been unearthed to date, with a majority of the samples linked to Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).
Of the 11 state-sponsored threat actors that have been found abusing the flaw, nearly half of them originate from North Korea. Besides exploiting the flaw at various times, the finding serves as an indication of cross-collaboration among the different threat clusters operating within Pyongyang’s cyber apparatus.
Telemetry data indicates that governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil have become the primary targets of attacks exploiting the vulnerability.
In the attacks dissected by ZDI, the .LNK files act as a delivery vehicle for known malware families like Lumma Stealer, GuLoader, and Remcos RAT, among others. Notable among these campaigns is the exploitation of ZDI-CAN-25373 by Evil Corp to distribute Raspberry Robin.
Microsoft, for its part, has classified the issue as low severity and does not plan to release a fix.
“ZDI-CAN-25373 is an example of (User Interface (UI) Misrepresentation of Critical Information (CWE-451),” the researchers said. “This means that the Windows UI failed to present the user with critical information.”
“By exploiting ZDI-CAN-25373, the threat actor can prevent the end user from viewing critical information (commands being executed) related to evaluating the risk level of the file.”
Update
A Microsoft spokesperson shared the below statement with The Hacker News following the publication of the story –
We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.
It’s worth noting that .LNK is among the list of dangerous file extensions blocked across its products such as Outlook, Word, Excel, PowerPoint, and OneNote. As a result, attempting to open such files downloaded from the web automatically initiates a security warning advising users not to open files from unknown sources.
Microsoft further pointed out that the method outlined by ZDI is of limited practical use to an attacker, and that Microsoft Defender’s content scanning code has the ability to scan these files and recognize the technique to identify malicious files.