At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting an unpatched Windows vulnerability in zero-day data-theft and cyber-espionage attacks since 2017. Security researchers Peter Girnus and Aliakbar Zahravi from Trend Micro’s Zero Day Initiative (ZDI) reported that Microsoft classified this vulnerability as “not meeting the bar for servicing” in late September, indicating that no security updates will be released to address it.
“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts is much higher,” the researchers noted. They submitted a proof-of-concept exploit through Trend ZDI’s bug bounty program, but Microsoft declined to issue a security patch for this vulnerability.
While Microsoft has not yet assigned a CVE-ID to this vulnerability, Trend Micro is tracking it internally as ZDI-CAN-25373. This flaw enables attackers to execute arbitrary code on affected Windows systems. The investigation revealed that the security flaw has been exploited in widespread attacks by various state-sponsored threat groups and cybercrime gangs, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni, among others.
These campaigns have targeted victims globally, with a primary focus on North America, South America, Europe, East Asia, and Australia. Notably, nearly 70% of the analyzed attacks were linked to espionage and information theft, while only 20% aimed for financial gain.
Diverse malware payloads and loaders such as Ursnif, Gh0st RAT, and Trickbot have been associated with these campaigns, further complicating the threat landscape due to the prevalence of malware-as-a-service (MaaS) platforms.
The ZDI-CAN-25373 Windows zero-day
This newly identified Windows vulnerability, tracked as ZDI-CAN-25373, arises from a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness. This allows attackers to exploit how Windows displays shortcut (.lnk) files, enabling them to evade detection and execute code on vulnerable devices without the user’s knowledge.
Threat actors exploit ZDI-CAN-25373 by concealing malicious command-line arguments within .LNK shortcut files, using whitespace padding inserted into the COMMANDLINEARGUMENTS structure. The padding consists of the whitespace bytes Space (0x20), Horizontal Tab (0x09), Linefeed (0x0A), Vertical Tab (0x0B), Form Feed (0x0C), and Carriage Return (0x0D).
When a Windows user inspects such a .lnk file through its properties, the padding pushes the attacker-supplied arguments out of the visible portion of the field, so the command line the shortcut will actually run is not shown to the user.
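As an added example (written here for this article; it is not Trend Micro’s or Microsoft’s code), the following Python scanner reads the Shell Link header, skips the LinkTargetIDList and LinkInfo structures, reads the StringData fields in the order the MS-SHLLINK specification defines (the field the report calls COMMANDLINEARGUMENTS is COMMAND_LINE_ARGUMENTS there) and flags arguments whose leading whitespace meets an assumed threshold of 32 characters or that contain LF, VT, FF or CR at all, since those control characters have no legitimate use in shortcut arguments. The build_fixture helper constructs a minimal Unicode shortcut in memory so the scanner can be exercised offline; the threshold, the cp1252 fallback for non-Unicode shortcuts and the fixture contents are assumptions, and ExtraData blocks after StringData are not parsed because the padding lives in StringData.

```python
# Added example (not Trend Micro's or Microsoft's code): parse the StringData
# section of a Shell Link (.lnk) file per MS-SHLLINK and flag command-line
# arguments padded with whitespace, the pattern described for ZDI-CAN-25373.
import struct
import sys
from typing import Optional

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "NAME_STRING"),
    (HAS_RELATIVE_PATH, "RELATIVE_PATH"),
    (HAS_WORKING_DIR, "WORKING_DIR"),
    (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
    (HAS_ICON_LOCATION, "ICON_LOCATION"),
)

# The six padding bytes named in the report: space, HT, LF, VT, FF, CR
PADDING_CHARS = "\x20\x09\x0a\x0b\x0c\x0d"
# Control characters that never belong in a shortcut's arguments
CONTROL_CHARS = "\x0a\x0b\x0c\x0d"
# Assumed threshold: this much leading padding is treated as UI evasion
PADDING_THRESHOLD = 32


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file keyed by their MS-SHLLINK names."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (2 bytes) followed by the IDList itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize counts the whole LinkInfo structure, including itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return fields


def analyze_arguments(args: str, threshold: int = PADDING_THRESHOLD) -> dict:
    """Measure whitespace padding in COMMAND_LINE_ARGUMENTS and flag the evasion pattern."""
    visible = args.lstrip(PADDING_CHARS)
    leading = len(args) - len(visible)
    has_control = any(c in CONTROL_CHARS for c in args)
    return {
        "leading_padding": leading,
        "has_control_chars": has_control,
        "hidden_command": visible,  # what the Properties dialog would not show
        "suspicious": leading >= threshold or has_control,
    }


def scan_lnk(data: bytes) -> Optional[dict]:
    """Parse a .lnk and analyze its arguments; None when the shortcut carries none."""
    fields = parse_string_data(data)
    args = fields.get("COMMAND_LINE_ARGUMENTS")
    return None if args is None else analyze_arguments(args)


def build_fixture(arguments: str, name: str = "Report.pdf") -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk with a NAME_STRING and arguments."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", HAS_NAME | HAS_ARGUMENTS | IS_UNICODE)
    header += struct.pack("<I", 0)               # FileAttributes
    header += b"\x00" * 24                       # Creation/Access/Write times
    header += struct.pack("<IIIH", 0, 0, 1, 0)   # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                       # Reserved1/2/3
    body = b""
    for s in (name, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Usage: pass one or more .lnk paths; each result is printed as a dict
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_lnk(fh.read()))
```

Run with .lnk paths as arguments to triage a directory of shortcuts; the hidden_command value is the string worth logging, since it is exactly the part a user inspecting the file would never see. A shortcut with a handful of spaces before its arguments stays below the threshold, while the presence of any control character is flagged regardless of count.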
“User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file,” a Trend Micro advisory stated. “Crafted data in an .LNK file can render hazardous content invisible to a user inspecting the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.”
This vulnerability bears similarities to another flaw tracked as CVE-2024-43461, which allowed threat actors to use 26 encoded braille whitespace characters (%E2%A0%80) to camouflage HTA files capable of downloading malicious payloads disguised as PDFs. CVE-2024-43461 was discovered by Peter Girnus and subsequently patched by Microsoft during the September 2024 Patch Tuesday.
Notably, the Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day attacks to deploy information-stealing malware against organizations across North America, Europe, and Southeast Asia.
Update March 18, 13:46 EDT: A Microsoft spokesperson provided a statement after this article was published, indicating that the company is considering addressing the flaw in the future:
“We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources, as indicated in security warnings designed to recognize and alert users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.”