State-sponsored threat actors and cybercrime groups from North Korea, Iran, Russia, and China have been exploiting a zero-day Windows vulnerability with no fix in sight for the last eight years, researchers with Trend Micro’s Zero Day Initiative have warned on Tuesday.
The vulnerability, which doesn’t have a CVE number but is being tracked as ZDI-CAN-25373 by ZDI researchers, allowed attackers to surreptitiously execute malicious commands on a victim’s machine and deliver a variety of malware payloads.
About ZDI-CAN-25373
The attackers exploited ZDI-CAN-25373 by creating malicious .lnk (Windows shortcut) files with command line arguments embedded in their Target field. These arguments are passed to target machines when the shortcut file is run, and result in code execution.
Unfortunately, users are unable to spot anything suspicious, as the Target field is padded with whitespace or other characters so that Windows will not be able to show the malicious arguments within the allotted space in the user interface:
[Figure: The Target field seems empty because of whitespace padding (Source: Trend Micro)]
“By exploiting ZDI-CAN-25373, the threat actor can prevent the end user from viewing critical information (commands being executed) related to evaluating the risk level of the file,” the researchers explained.
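The padding trick described above lives in the COMMAND_LINE_ARGUMENTS string of the Shell Link (.lnk) binary format, so it can be checked directly on disk rather than through the Explorer UI. The following detector is an added example, not Trend Micro's or ZDI's code: it parses the header, skips the optional ID list and link-info blocks, reads the StringData fields, and flags shortcuts whose arguments begin with a long run of whitespace; the padding character set, the threshold of 16 and the constructed test fixture are assumptions of this example.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# LinkFlags bits from MS-SHLLINK 2.1.1 (only the subset this parser needs)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))
# Characters counted as padding (assumption: ASCII whitespace only).
PADDING = " \t\n\x0b\x0c\r"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as a dict."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"L\x00\x00\x00":
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize + LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_DATA:           # fixed order, CountCharacters first
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    return fields


def leading_padding(text: str) -> int:
    """Number of leading padding characters in a string."""
    return len(text) - len(text.lstrip(PADDING))


def is_padded_arguments(data: bytes, threshold: int = 16) -> bool:
    """Flag shortcuts whose arguments start with enough padding to push
    the real command line out of the visible Target field."""
    args = parse_lnk_strings(data).get("arguments", "")
    return leading_padding(args) >= threshold


def constructed_sample(arguments: str) -> bytes:
    """Constructed test fixture (not a captured sample): minimal header with
    HasArguments|IsUnicode set, followed by COMMAND_LINE_ARGUMENTS."""
    header = (b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
              + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE))
    header += bytes(LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `is_padded_arguments(open(path, "rb").read())` over a mail-gateway or share quarantine to triage .lnk files; a hit is a strong signal, but the absence of padding does not make a shortcut safe.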
And while users are often warned not to open shortcut (.lnk) files received from unverified sources, the fact of the matter is that attackers often change the file’s icon to make it look like another type of file.
“Since Windows always suppresses display of the .lnk extension, threat actors will often add a ‘spoof’ extension such as .pdf.lnk along with a matching icon to further trick users,” the researchers noted.
Who’s been targeted and what to do?
ZDI-CAN-25373 has been exploited across a variety of campaigns since 2017, mostly by state-sponsored cyber espionage groups from North Korea, Iran, Russia, and China, but also by non-state-sponsored APT groups for cybercrime purposes.
ZDI researchers have recovered and analyzed nearly a thousand .lnk files that have been submitted by targets in the US and Canada (predominantly), as well as Russia, South Korea, Vietnam, Brazil, and other countries.
The analysis revealed that targets were government organizations, organizations in the private sector, think tanks and NGOs, telcos, financial orgs (cryptocurrency-related), and orgs in the energy and defense sectors.
The researchers have notified Microsoft of the existence of the flaw and have submitted a proof-of-concept exploit, but the company said the issue does not meet the bar for immediate servicing, though it might address it in a future feature release.
“Organizations that fall within [the targeted] sectors are at higher risk for exploitation and should scan and ensure security mitigations for ZDI-CAN-25373 immediately, as well as remain vigilant of .lnk files in general. Additionally, organizations are encouraged to investigate potential compromise or attempts to compromise systems using ZDI-CAN-25373 as an intrusion vector,” ZDI researchers advised.