LNK files Archives

Winsage

March 24, 2025

Critical Vulnerability in Microsoft Windows Exposed: State-Sponsored Hackers Exploit Link Files for Espionage

A vulnerability in Microsoft Windows' handling of link files (.lnk) has been exploited by state-sponsored hackers from North Korea, Russia, Iran, and China for espionage and data theft. This flaw allows malicious payloads to be embedded in seemingly harmless links, enabling remote execution of arbitrary code and unauthorized access to compromised systems. Nearly 1,000 malicious .lnk files have been identified, with around 70% of attacks focused on espionage and information theft, particularly targeting government and financial institutions. The malicious commands are difficult to detect, complicating protection efforts for organizations. ZDI recommends increased awareness and the use of endpoint and network protection tools to mitigate the threat.

Winsage

March 22, 2025

Windows Shortcut Zero-Day Under Active Attack

A zero-day vulnerability in Windows shortcut (.lnk) files has been exploited by state-sponsored hacking groups since 2017, allowing attackers to execute arbitrary code on compromised systems. Microsoft has classified this vulnerability as “not meeting the bar servicing,” meaning no security updates will be issued. Trend Micro tracks it as ZDI-CAN-25373 and has linked it to cyber-espionage campaigns involving 11 nation-state actors from countries like North Korea, Iran, Russia, and China. Nearly 1,000 malicious .lnk samples exploiting this flaw have been identified, with many more potentially undetected. Attackers often use phishing emails to deliver these malicious files, which can download additional malware, granting full control over the compromised machine. Organizations are advised to scan their systems and implement security measures against this vulnerability.

Winsage

March 21, 2025

Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day

Trend Micro has identified a zero-day vulnerability in Microsoft Windows, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands through .lnk files. This vulnerability has been exploited since 2017, primarily by state-sponsored groups, affecting at least 300 organizations and thousands of devices. North Korean groups APT43 and APT37 are mainly responsible for these exploits, with nearly half of the attacks linked to them. Other state-backed groups from Iran, Russia, and China account for about 20% of the attacks. Microsoft has advised users to be cautious with files from unverified sources but does not classify the issue as severe enough for immediate action. Trend Micro's research shows that attackers disguise malicious .lnk files as different file types, using hidden command line arguments. Microsoft acknowledges the research but downplays the implications, while experts suggest that addressing the vulnerability may require significant changes to .lnk file functionality.

Winsage

March 20, 2025

China, Russia, North Korea Hackers Exploit Windows Security Flaw

Almost a dozen state-sponsored threat groups from nations including China, Russia, Iran, and North Korea are exploiting a security vulnerability in Microsoft Windows, identified as ZDI-CAN-25373, to conduct espionage and gather sensitive information. This vulnerability affects how Windows handles .lnk files, allowing attackers to execute hidden malicious commands. Since 2017, these groups have targeted government, military, and critical infrastructure organizations globally, with 11 state-sponsored groups identified, primarily focusing on espionage (70%) and financial motives (20%). North Korea accounts for 45.5% of the exploitation, with Iran and Russia at 18.2% each, and China at 18.1%. The United States has experienced the most attacks (343 incidents), followed by Canada (39), Russia (25), and South Korea (23). Despite being notified, Microsoft does not plan to issue a patch for this vulnerability, categorizing it as "low severity."

Winsage

March 20, 2025

11 nation-state groups exploit unpatched Microsoft zero-day

Since 2017, at least 11 state-sponsored threat groups have exploited a Microsoft zero-day vulnerability in Windows shortcut files for data theft and cyber espionage. Researchers from Trend Micro's Trend Zero Day Initiative have identified nearly 1,000 malicious .lnk files utilizing this flaw, designated as ZDI-CAN-25373, which allows attackers to execute hidden commands on victims' devices. The attacks involve various payloads, including the Lumma infostealer and Remcos remote access Trojan, with North Korean operatives responsible for over 45% of the incidents, while Iran, Russia, and China account for approximately 18% each. Notable advanced persistent threat groups involved include Evil Corp, Kimsuky, Bitter, and Mustang Panda. Microsoft has not yet released a patch for this vulnerability, which is considered unusual, and while Microsoft Defender can detect and block related threats, organizations are advised to remain vigilant and implement protective measures against potential exploitation.

Winsage

March 20, 2025

Flaw in Windows shortcut abused by at least 11 threat groups

Attackers are using Windows shortcut (.lnk) files to execute malicious code, with at least 11 threat actor groups exploiting this method, including the North Korea-linked Evil Corp group, which is responsible for 45% of 1,000 observed incidents. The majority of these attacks (70%) are espionage-related, while 20% focus on stealing financial records. Microsoft has been informed of the issue but does not classify it as a CVE-eligible vulnerability and has not issued a patch, stating that the software functions as designed. Trend Micro is providing YARA rules and indicators of compromise to help detect potential attacks.

Tech Optimizer

February 3, 2025

Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files

FortiGuard Labs has raised an alarm about the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users, particularly in Brazil. Researchers discovered malicious LNK files that use PowerShell commands to execute scripts and connect to remote servers, initiating a multi-stage attack aimed at extracting sensitive information from over 70 financial applications and more than 1,000 websites. The attack begins with an LNK file that triggers a PowerShell command to download and execute additional malicious scripts. The malware employs loaders, shellcode, and Windows registry modifications, with a DLL file named “bmwiMcDec” injecting payloads into processes. It gathers system information and transmits it to remote servers, while the main payload enables keylogging, screenshot capture, phishing overlays, and window manipulation. The Coyote Trojan communicates with command-and-control servers via port 443 and adapts its actions based on server directives. Fortinet's security solutions, including FortiGuard Antivirus and Web Filtering Service, can detect and block threats associated with this malware. Users are advised to keep security systems updated and engage in cybersecurity training.

Tech Optimizer

December 19, 2024

LNK Files And SSH Commands: A New Cyber Attack Trend In 2024

Cyber attackers are increasingly using malicious LNK files, which disguise themselves as harmless shortcuts, as an infection vector in 2024. Security experts, particularly Cyble Research and Intelligence Labs (CRIL), have noted a significant rise in this tactic. Attackers leverage LNK files to gain access to systems, triggering malicious actions that can deploy advanced malware. This method reflects a shift in attack vectors aimed at bypassing traditional security measures. One primary technique in these attacks is the exploitation of Living-off-the-Land Binaries (LOLBins), which are trusted system binaries manipulated to execute harmful commands without external malware. Attackers have refined their methods to evade detection by endpoint detection and response (EDR) solutions. Recent campaigns have incorporated SSH commands within malicious LNK files, allowing attackers to establish persistent connections and download malicious files from remote servers. This use of SSH is concerning as it is not typically associated with Windows systems, making it harder for conventional security measures to detect. Threat actors have also used SSH commands to execute malicious PowerShell or CMD commands indirectly through LNK files. For example, a malicious LNK file was found to trigger a PowerShell script that downloaded a malicious payload. Advanced Persistent Threat (APT) groups, known for their long-term cyber espionage, are increasingly utilizing these techniques, with groups like Transparent Tribe deploying stealer malware using similar methods. The combination of LNK files and SSH commands presents a significant threat to organizations, necessitating enhanced monitoring and detection systems to identify abnormal activities. Security teams must evolve EDR solutions to recognize malicious SSH and SCP activity, especially in environments where SSH is not commonly used. Additionally, organizations should restrict the use of legitimate SSH utilities and disable unnecessary features to minimize the attack surface.

Winsage

December 17, 2024

Hackers Exploit Microsoft Management Console to Drop Backdoor Payloads on Windows

The Securonix Threat Research team has identified a phishing campaign called the “FLUX#CONSOLE campaign,” which targets tax-related themes using Microsoft Common Console Document (MSC) files to deliver a backdoor payload. The attack begins with a phishing email containing a decoy PDF titled “Income-Tax-Deduction-and-Rebates202441712.pdf,” which conceals an MSC file that executes malicious payloads. The campaign employs various tactics, including tax-themed lures, exploitation of MSC files, DLL sideloading using DISM.exe, persistence through scheduled tasks, and advanced obfuscation techniques. The attack chain involves tricking users into opening a malicious MSC file disguised as a PDF, which contains XML commands to download or extract a malicious DLL named DismCore.dll. The DLL is sideloaded using Dism.exe, and the malware communicates with a Command-and-Control server at “hxxps://siasat[.]top,” exfiltrating data via encrypted HTTPS traffic. The attackers maintained access for about 24 hours, targeting victims in Pakistan. The tactics used do not align with known advanced persistent threat groups, highlighting the growing threat of MSC files as a delivery method for malware. Indicators of Compromise (IOCs) include the C2 address siasat[.]top and analyzed file hashes for the malicious files involved in the campaign.

Winsage

August 6, 2024

Bad apps bypass Windows alerts for six years using LNK files

Elastic Security Labs has identified techniques that malicious actors may use to bypass Windows security alerts, particularly targeting Windows SmartScreen and Smart App Control (SAC). One method, known as "LNK Stomping," exploits a flaw in how Windows handles shortcut files (.LNK) to nullify the Mark of the Web (MotW) tag, which indicates potentially dangerous files. This technique allows malware to evade detection since SmartScreen only scans files with the MotW tag. The technique involves creating LNK files with unconventional target paths, prompting Windows Explorer to correct these discrepancies and remove the MotW tag. Desimone noted that this vulnerability has been present for over six years, with samples found in VirusTotal. Other methods to bypass reputation-based protections include signing malicious applications with code-signing certificates, Reputation Hijacking, Reputation Seeding, and Reputation Tampering. These methods manipulate legitimate programs or create seemingly trustworthy binaries to exploit vulnerabilities in the system.