Attackers are increasingly leveraging Windows shortcut (.lnk) files to execute malicious code on unsuspecting users’ systems. Researchers from Trend Micro’s Zero Day Initiative (ZDI) have identified a troubling trend where threat actors exploit the Windows shell link format to conceal harmful payloads within seemingly harmless shortcut files. This tactic, referred to as ZDI-CAN-25373, allows attackers to manipulate the metadata of .lnk files, effectively disguising their malicious intent.
Current Threat Landscape
The ZDI team has reported that at least 11 different threat actor groups are employing this strategy to target organizations across the U.S. and Europe. These groups range from state-sponsored entities to cybercriminal organizations. Notably, the North Korea-linked Evil Corp group has been responsible for a significant portion of these attacks, accounting for 45% of the 1,000 observed incidents. The remaining attacks were attributed equally to state-sponsored groups from China, Russia, and Iran.
Interestingly, 70% of these attacks appear to be espionage-related, aimed at gathering intelligence from targeted agencies. Additionally, 20% of the incidents seem focused on stealing financial records and account credentials, while the rest are attributed to either general chaos or unknown motives. The ZDI team highlighted a concerning trend: many of North Korea’s intrusion sets have exploited ZDI-CAN-25373, indicating a level of collaboration and tool-sharing among various threat groups within the nation’s cyber program.
Response from Microsoft
Whether this issue qualifies as a registered security vulnerability remains uncertain. The ZDI researchers have reported their findings to Microsoft; however, the tech giant has chosen not to classify it as a CVE-eligible vulnerability or to issue a patch. The ZDI team discovered nearly 1,000 Shell Link (.lnk) samples exploiting ZDI-CAN-25373, but they suspect that the actual number of exploitation attempts is much higher.
Microsoft acknowledged the report but stated that the software functions as designed, despite the malicious activities occurring. As a result, the company has not deemed a patch necessary, emphasizing that users must exercise caution when downloading files from unknown sources. Microsoft has, however, implemented detection measures through Microsoft Defender and Smart App Control to help mitigate risks associated with this threat.
Proactive Measures
In light of these developments, Trend Micro is equipping administrators with YARA rules and indicators of compromise to help detect potential attacks. The company is also updating its products and services to block the observed threats effectively. As the landscape of cyber threats continues to evolve, vigilance and proactive measures remain crucial for organizations seeking to safeguard their systems against such sophisticated tactics.
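As an added illustration of the shell link metadata the article refers to (this is not code from Trend Micro, ZDI or Microsoft): a parser for the StringData fields of a .lnk file, plus a few review heuristics that are my own assumptions rather than the published YARA rules, run over a constructed sample shortcut.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK LinkCLSID
FLAG_IDLIST, FLAG_LINKINFO, FLAG_UNICODE = 0x01, 0x02, 0x80
# StringData fields follow the header in this fixed order, each present only if its flag bit is set.
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10), ("arguments", 0x20), ("icon_location", 0x40)]
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def parse_lnk(data: bytes) -> dict:
    """Extract the StringData of a shell link; LinkTargetIDList and LinkInfo are skipped by size."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link header")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & FLAG_IDLIST:                 # IDListSize (u16) precedes the IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINKINFO:               # LinkInfoSize (u32) counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & FLAG_UNICODE else (1, "cp1252")  # ANSI code page assumed
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:                     # CountCharacters (u16) then the unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + count * width].decode(codec)
            pos += 2 + count * width
    return fields

def triage(fields: dict) -> list:
    """Review heuristics (my assumptions, not Trend Micro's YARA rules) for a parsed shortcut."""
    findings, args = [], fields.get("arguments", "")
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in INTERPRETERS:
        findings.append(f"target is a script interpreter: {target}")
    if len(args) > 260 or any(ord(c) < 0x20 for c in args):
        findings.append("arguments are oversized or contain control characters")
    icon = fields.get("icon_location", "").lower()
    if icon and target and not icon.endswith(target):
        findings.append(f"icon taken from a different file than the target: {icon}")
    return findings

def build_lnk(**strings) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only StringData (no IDList/LinkInfo)."""
    flags, body = FLAG_UNICODE, b""
    for name, bit in STRING_FIELDS:
        if name in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    return header + bytes(0x4C - len(header)) + body   # remaining header fields left zero
SAMPLE = build_lnk(name="Quarterly report", relative_path="..\\..\\Windows\\System32\\cmd.exe",
                   arguments="/c echo hello", icon_location="%SystemRoot%\\system32\\imageres.dll")
```

Running `triage(parse_lnk(SAMPLE))` surfaces the two properties a reviewer would want to see before trusting a shortcut that arrived from outside: it launches an interpreter, and its icon is borrowed from a different file than its target.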