
Windows Shortcut exploit abused in active hacker and state-sponsored attack campaigns

Take action: Every organization uses Windows in some capacity. Be very careful about unexpected attachments and linked files: they may be disguised as a PDF or CSV and carry a matching fake icon while actually being a .lnk file, and because Windows hides the extension by default the disguise is hard to spot. Treat any unexpected file or link with suspicion and ideally don't open it. Make sure you have active and updated antimalware protection.


Learn More

Trend Zero Day Initiative™ (ZDI) is reporting a vulnerability in Windows shortcut (.lnk) files that has been actively exploited by multiple state-sponsored threat actors and cybercriminal groups since 2017. 

The vulnerability, tracked as ZDI-CAN-25373 (no CVE), enables attackers to execute hidden malicious commands on victims' machines by leveraging specially crafted shortcut files.

The vulnerability relates to the way Windows displays the contents of shortcut (.lnk) files. Attackers can create malicious .lnk files that appear legitimate when inspected through the Windows UI, because the malicious command-line arguments are completely hidden from the user's view.

Attackers exploit ZDI-CAN-25373 by padding the COMMAND_LINE_ARGUMENTS structure within .lnk files with excessive whitespace characters, including:

  • Space (\x20)
  • Horizontal Tab (\x09)
  • Line Feed (\x0A)
  • Vertical Tab (\x0B)
  • Form Feed (\x0C)
  • Carriage Return (\x0D)

Threat actors often change the icon of these malicious shortcuts to confuse and entice victims into execution. Since Windows suppresses the display of the .lnk extension by default, attackers frequently add "spoof" extensions (e.g., .pdf.lnk) along with matching icons to further trick users.
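The whitespace padding described above and the spoofed double extension are both things a defender can check for directly in the file, without opening it. As an added example that is not part of this advisory and not one of Trend Micro's published rules, the following Python script parses the StringData section of a Shell Link file according to Microsoft's MS-SHLLINK layout, measures how much leading whitespace precedes the real COMMAND_LINE_ARGUMENTS, and checks the file name for a document extension sitting in front of .lnk. The padding threshold, the spoofed-extension list, and the fixture builder used for the constructed sample input are assumptions of the example.

```python
import struct

# ShellLinkHeader LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C                    # fixed 76-byte ShellLinkHeader
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
PADDING_CHARS = set("\x20\x09\x0a\x0b\x0c\x0d")  # the whitespace set named in the advisory
PADDING_THRESHOLD = 32                # assumption: a leading run this long is not normal
SPOOFED_EXTENSIONS = {"pdf", "csv", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}  # assumption

# StringData fields in the order MS-SHLLINK stores them.
STRING_DATA = (
    (HAS_NAME, "NAME_STRING"),
    (HAS_RELATIVE_PATH, "RELATIVE_PATH"),
    (HAS_WORKING_DIR, "WORKING_DIR"),
    (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
    (HAS_ICON_LOCATION, "ICON_LOCATION"),
)


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file keyed by their MS-SHLLINK names."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # 2-byte IDListSize, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # 4-byte LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters; no terminator follows
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name}")
        pos += count * width
        # Non-Unicode strings use the system code page; ASCII is assumed here.
        fields[name] = raw.decode("utf-16-le" if unicode else "ascii", errors="replace")
    return fields


def leading_padding(arguments: str) -> int:
    """Count the whitespace characters that precede the first visible argument character."""
    n = 0
    for ch in arguments:
        if ch not in PADDING_CHARS:
            break
        n += 1
    return n


def assess(fields: dict, filename: str) -> list:
    """Triage findings for one shortcut: hidden arguments and a spoofed document extension."""
    findings = []
    pad = leading_padding(fields.get("COMMAND_LINE_ARGUMENTS", ""))
    if pad >= PADDING_THRESHOLD:
        findings.append(f"COMMAND_LINE_ARGUMENTS starts with {pad} whitespace characters")
    lower = filename.lower()
    if lower.endswith(".lnk"):
        stem = lower[:-4]
        inner = stem.rsplit(".", 1)[1] if "." in stem else ""
        if inner in SPOOFED_EXTENSIONS:
            findings.append(f"spoofed .{inner} extension in front of .lnk: {filename}")
    return findings


def scan(data: bytes, filename: str) -> list:
    """Parse the bytes of a .lnk file and return the triage findings."""
    return assess(parse_string_data(data), filename)


def build_fixture_lnk(arguments: str, relative_path: str = "notepad.exe") -> bytes:
    """Constructed test fixture (not a real-world sample): a minimal .lnk carrying only
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS, with no IDList, LinkInfo or ExtraData."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)


if __name__ == "__main__":
    benign = build_fixture_lnk("readme.txt")
    padded = build_fixture_lnk("\x20" * 300 + "readme.txt")  # argument hidden behind 300 spaces
    print("benign:", scan(benign, "notes.lnk"))
    print("padded:", scan(padded, "invoice.pdf.lnk"))
```

To run it over a mail quarantine or a download folder, read each file's bytes and pass them to `scan` together with the file name; the parser deliberately stops after StringData, so it tolerates ExtraData blocks it does not understand, but it raises on a truncated string so a damaged file is reported rather than silently passed.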

ZDI researchers identified nearly 1,000 malicious .lnk samples exploiting this vulnerability, though they believe the actual number of exploitation attempts is much higher. Their analysis revealed that 11 state-sponsored APT groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft.

Organizations in the following sectors have been specifically targeted:

  • Government
  • Private sector
  • Financial (including cryptocurrency-related)
  • Think tanks and NGOs
  • Telecommunications
  • Military and defense
  • Energy

The majority of victims are located in North America, particularly the United States (with over 300 identified cases) and Canada. Exploitation extends across Europe, Asia, South America, Australia, and Africa.

North Korean threat actors, particularly Earth Manticore (APT37) and Earth Imp (Konni), used extremely large .lnk files with substantial amounts of whitespace and junk content to evade detection:

  • Earth Imp: median file size of 3.32MB, maximum 70.1MB
  • Earth Manticore: median file size of 33.33MB, maximum 55.16MB

The cybercriminal group Water Asena (Evil Corp) has also been observed exploiting ZDI-CAN-25373 in their Raspberry Robin malware campaigns.

Despite ZDI submitting a proof-of-concept exploit through Trend ZDI's bug bounty program, Microsoft has declined to address this vulnerability with a security patch. Microsoft classified it as low severity and stated it "will not be patched in the immediate future."

Microsoft claims that their Defender cybersecurity product "has detections in place to detect and block this threat activity" and that Smart App Control also blocks malicious files from the Internet. They noted that Windows identifies shortcut files as potentially dangerous and that attempting to open an .lnk file downloaded from the Internet automatically triggers a security warning.

Microsoft has indicated they may consider addressing the issue in a future feature release but believes the tactics described are of "limited practical use to attackers."

Trend Micro has released multiple protection rules and filters for their customers, including network security, endpoint security, and detection signatures. They've also provided hunting queries and a YARA rule to help organizations detect files exploiting this vulnerability.

Organizations are advised to implement and maintain endpoint and network protection measures capable of detecting this activity, and to remain careful and aware of any unexpected attachments and linked files.
