New Windows zero-day exploited by 11 state hacking groups since 2017

At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017.

However, as security researchers Peter Girnus and Aliakbar Zahravi with Trend Micro’s Zero Day Initiative (ZDI) reported today, Microsoft tagged it as “not meeting the bar servicing” in late September and said it wouldn’t release security updates to address it.

“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts are much higher,” they said. “Subsequently, we submitted a proof-of-concept exploit through Trend ZDI’s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch.”

A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend Micro is tracking it internally as ZDI-CAN-25373 and said it enables attackers to execute arbitrary code on affected Windows systems.

As the researchers found while investigating in-the-wild ZDI-CAN-25373 exploitation, the security flaw has been exploited in widespread attacks by many state-sponsored threat groups and cybercrime gangs, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, Konni, and others.

Although the campaigns have targeted victims worldwide, they’ve been primarily focused on North America, South America, Europe, East Asia, and Australia. Out of all the attacks analyzed, nearly 70% were linked to espionage and information theft, while financial gain was the focus of only 20%.

​”Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and Trickbot have been tracked in these campaigns, with malware-as-a-service (MaaS) platforms complicating the threat landscape,” Trend Micro added.

The ZDI-CAN-25373 Windows zero-day

The Windows zero-day, tracked as ZDI-CAN-25373, is caused by a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness, which allows attackers to exploit how Windows displays shortcut (.lnk) files to evade detection and execute code on vulnerable devices without the user’s knowledge.

Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line arguments within .LNK shortcut files using padded whitespaces added to the COMMAND_LINE_ARGUMENTS structure.

The researchers say these whitespaces can be in the form of hex codes for Space (x20), Horizontal Tab (x09), Linefeed (x0A), Vertical Tab (x0B), Form Feed (x0C), and Carriage Return (x0D) that can be used as padding.

If a Windows user inspects such a .lnk file, the malicious arguments are not displayed in the Windows user interface because of the added whitespaces. As a result, the command line arguments added by the attackers remain hidden from the user’s view.

“User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” a Trend Micro advisory issued today explains. 

“Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.”

This vulnerability is similar to another flaw tracked as CVE-2024-43461 that enabled threat actors to use 26 encoded braille whitespace characters (%E2%A0%80) to camouflage HTA files that can download malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a Senior Threat Researcher at Trend Micro’s Zero Day​​​, and patched by Microsoft during the September 2024 Patch Tuesday.

The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day attacks to deploy information-stealing malware in campaigns against organizations across North America, Europe, and Southeast Asia.