Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day

In a recent revelation, cybersecurity firm Trend Micro has identified a significant zero-day vulnerability in Microsoft Windows, tracked as ZDI-CAN-25373. This flaw allows attackers to execute hidden malicious commands by exploiting the way Windows displays shortcut files, known as .lnk files. The report, released on Tuesday, highlights that this vulnerability has been actively exploited since 2017, primarily by state-sponsored groups targeting a wide array of sectors, including government, finance, and telecommunications.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted that at least 300 organizations have been compromised due to this vulnerability, with thousands of devices infected across various entities. The ongoing exploits are predominantly attributed to North Korean groups APT43 and APT37, with Childs indicating that the actual number of attacks could be two to three times higher than currently observed.

According to Trend Micro’s findings, nearly half of the attacks linked to nation-state actors are associated with North Korean cybercriminals, who often pursue financially motivated targets, particularly in the cryptocurrency sector. Other state-backed groups from Iran, Russia, and China account for roughly 20% of the observed attacks, while groups from India and Pakistan are also implicated in mutual cyber confrontations.

As a precautionary measure, Microsoft has advised users to exercise caution when downloading files from unverified sources. A spokesperson stated that while the user interface issue does not meet their severity classification for immediate action, they will consider addressing it in a future update.

Exploits Date Back to 2017

The longevity of this vulnerability is noteworthy, as it has been exploited for several years without detection. Childs remarked on the unusual nature of multiple groups leveraging the same flaw for various purposes, emphasizing that the more widely a secret is shared, the more likely it is to be exposed.

Trend Micro has traced the exploitation of this vulnerability to several cybercriminal entities, including the notorious Russian group Evil Corp and the South Asian espionage group known as Bitter. The attacks have primarily focused on espionage and data theft, outpacing financially motivated attacks by a significant margin.

Novel Malware Payload

Trend Micro’s research illustrates the tactics attackers use to exploit ZDI-CAN-25373. Attackers disguise malicious .lnk files as other file types, tricking users into executing harmful code. The hidden command-line arguments are concealed behind whitespace padding, so they do not appear in the Windows user interface when the shortcut is inspected.
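A defender-side check for the padding technique described above, as an added example that is not part of the original article or of Trend Micro’s tooling: it walks the public MS-SHLLINK layout (header, optional LinkTargetIDList and LinkInfo, then the StringData fields) to reach COMMAND_LINE_ARGUMENTS and flags argument strings with an abnormally long whitespace run. The threshold `PAD_THRESHOLD` and the `build_lnk` fixture builder are assumptions for the example; the builder produces a minimal constructed shortcut, not a real sample.

```python
import struct

# MS-SHLLINK LinkFlags bits (header offset 0x14)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
PAD_THRESHOLD = 32  # assumed: no normal argument string carries a whitespace run this long

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .lnk file up to its StringData section and return the string fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_IDLIST:       # LinkTargetIDList: u16 IDListSize followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:     # LinkInfo: u32 LinkInfoSize counts the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        raw = data[off:off + count * (2 if unicode else 1)]
        off += len(raw)
        out[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return out

def padded_argument_run(args: str) -> int:
    """Length of the longest run of whitespace (spaces, tabs, line breaks, etc.) in the arguments."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch.isspace() else 0
        longest = max(longest, run)
    return longest

def is_suspicious(data: bytes) -> bool:
    """True when the shortcut's Target arguments hide behind a long whitespace run."""
    args = parse_lnk_strings(data).get("arguments", "")
    return padded_argument_run(args) >= PAD_THRESHOLD

def build_lnk(args: str, unicode: bool = True) -> bytes:
    """Constructed minimal .lnk carrying only COMMAND_LINE_ARGUMENTS (fixture for testing the parser)."""
    flags = HAS_ARGS | (IS_UNICODE if unicode else 0)
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46"  # ShellLink CLSID
    header = struct.pack("<I16sI", 0x4C, clsid, flags)
    header += b"\x00" * (0x4C - len(header))              # remaining header fields zeroed
    enc = args.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(args)) + enc
```

Running `is_suspicious` over every .lnk in a mail or download quarantine gives a cheap triage signal; the same walk can be extended to the other StringData fields if a campaign pads those instead.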

Childs expressed surprise at the ingenuity of these methods, noting that this particular exploit is unprecedented in its execution.

Researchers Question Microsoft’s Response

While Microsoft acknowledged the research conducted by Trend Micro, it downplayed the practical implications of the described methods for attackers. The company maintains that shortcut files are inherently risky and that Windows provides warnings for .lnk files downloaded from the internet.

Andrew Grotto, a research scholar at Stanford University, highlighted the challenge of balancing corporate responsibility with user accountability in cybersecurity. He pointed out that despite Microsoft’s classification of the issue, the ongoing exploitation indicates a significant problem within the product.

Addressing this vulnerability may require fundamental changes to how .lnk files function, a task that Childs believes Microsoft has been reluctant to undertake. He expressed hope that the publication of these findings would empower defenders and encourage Microsoft to take action.
