A recently identified unpatched vulnerability in Microsoft Windows has been exploited by a coalition of eleven state-sponsored hacking groups from nations including China, Iran, North Korea, and Russia. This ongoing cyber threat campaign, dating back to 2017, focuses on data theft, espionage, and financially motivated activities.

The zero-day vulnerability, cataloged by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, lets attackers conceal the commands that a specially crafted Windows Shortcut or Shell Link (.LNK) file runs when it is opened on a victim machine. According to security researchers Peter Girnus and Aliakbar Zahravi, the attacks rely on command-line arguments hidden inside the .LNK file, which makes them harder to detect.

The exploitation of the ZDI-CAN-25373 vulnerability represents a significant risk for organizations, exposing them to tactics often associated with data theft and cyber espionage. Investigations so far have uncovered nearly a thousand .LNK file artifacts directly associated with this vulnerability, primarily attributed to threat actors like Evil Corp, Kimsuky, Konni, Bitter, and ScarCruft.

Of the eleven identified state-sponsored entities, nearly half are based in North Korea. This suggests a pattern of collaboration among North Korean hacking groups, further indicating their combined efforts to exploit this vulnerability over time. As flagged by telemetry data, the primary targets of these attacks include governments, financial institutions, think tanks, telecommunication providers, and military entities across the United States, Canada, Russia, South Korea, Vietnam, and Brazil.

In the context of the MITRE ATT&CK framework, the tactics highlighted in these attacks include initial access through spear-phishing or exploitation of the zero-day vulnerability, persistence on the compromised hosts, and execution via the delivery of known malware families like Lumma Stealer, GuLoader, and Remcos RAT. One particularly notable campaign involved Evil Corp exploiting this vulnerability to distribute a new strain of malware called Raspberry Robin.

In its assessment, Microsoft has classified ZDI-CAN-25373 as low severity and has no immediate plans for a fix, treating it as a case of user interface misrepresentation of critical information: the Windows UI fails to present the information a user needs to judge the risk of a file about to be executed. By exploiting this weakness, threat actors can hide command execution details from end users, hampering their ability to assess the risk accurately.

In response to the publication of these findings, a Microsoft spokesperson emphasized that Microsoft Defender has detections in place to block threats associated with this vulnerability. They also encouraged users to exercise caution when downloading files from untrusted sources, in line with established security best practices. While the current user interface issue does not meet the bar for immediate servicing under Microsoft’s severity guidelines, the company indicated that it may address the matter in a future update.

It should be noted that .LNK files are treated as a dangerous file type by many Microsoft products, such as Outlook and Word, which raise automatic security warnings when such files are downloaded from the internet. Microsoft also stated that the attack method detailed by ZDI has limited practical use for attackers, asserting that Microsoft Defender's content scanning can identify and block such malicious files.
