An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
The zero-day vulnerability, tracked by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, refers to an issue that allows bad actors to execute hidden malicious commands on a victim’s machine by leveraging crafted Windows Shortcut or Shell Link (.LNK) files.
“The attacks leverage hidden command line arguments within .LNK files to execute malicious payloads, complicating detection,” security researchers Peter Girnus and Aliakbar Zahravi said in an analysis shared with The Hacker News. “The exploitation of ZDI-CAN-25373 exposes organizations to significant risks of data theft and cyber espionage.”
Specifically, this involves the padding of the arguments with Line Feed (x0A) and Carriage Return (x0D) characters to evade detection.
Nearly a 1,000 .LNK file artifacts exploiting ZDI-CAN-25373 have been unearthed to date, with a majority of the samples linked to Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).
Of the 11 state-sponsored threat actors that have been found abusing the flaw, nearly half of them originate from North Korea. Besides exploiting the flaw at various times, the finding serves as an indication of cross-collaboration among the different threat clusters operating within Pyongyang’s cyber apparatus.
Telemetry data indicates that governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil have become the primary targets of attacks exploiting the vulnerability.
In the attacks dissected by ZDI, the .LNK files act as a delivery vehicle for known malware families like Lumma Stealer, GuLoader, and Remcos RAT, among others. Notable among these campaigns is the exploitation of ZDI-CAN-25373 by Evil Corp to distribute Raspberry Robin.
Microsoft, for its part, has classified the issue as low severity and does not plan to release a fix.
“ZDI-CAN-25373 is an example of (User Interface (UI) Misrepresentation of Critical Information (CWE-451),” the researchers said. “This means that the Windows UI failed to present the user with critical information.”
“By exploiting ZDI-CAN-25373, the threat actor can prevent the end user from viewing critical information (commands being executed) related to evaluating the risk level of the file.”
