At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017.
However, as security researchers Peter Girnus and Aliakbar Zahravi with Trend Micro’s Zero Day Initiative (ZDI) reported today, Microsoft tagged it as “not meeting the bar servicing” in late September and said it wouldn’t release security updates to address it.
“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts are much higher,” they said. “Subsequently, we submitted a proof-of-concept exploit through Trend ZDI’s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch.”
A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend Micro is tracking it internally as ZDI-CAN-25373 and said it enables attackers to execute arbitrary code on affected Windows systems.
As the researchers found while investigating in-the-wild ZDI-CAN-25373 exploitation, the security flaw has been exploited in widespread attacks by many state-sponsored threat groups and cybercrime gangs, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, Konni, and others.
Although the campaigns have targeted victims worldwide, they’ve been primarily focused on North America, South America, Europe, East Asia, and Australia. Out of all the attacks analyzed, nearly 70% were linked to espionage and information theft, while financial gain was the focus of only 20%.
”Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and Trickbot have been tracked in these campaigns, with malware-as-a-service (MaaS) platforms complicating the threat landscape,” Trend Micro added.
The ZDI-CAN-25373 Windows zero-day
This newly discovered Windows vulnerability (tracked as ZDI-CAN-25373) is caused by a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness, which allows attackers to exploit how Windows displays shortcut (.lnk) files to evade detection and execute code on vulnerable devices without the user’s knowledge.
Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line arguments within .LNK shortcut files using padded whitespaces added to the COMMAND_LINE_ARGUMENTS structure.
The researchers say these whitespaces can be in the form of hex codes for Space (x20), Horizontal Tab (x09), Linefeed (x0A), Vertical Tab (x0B), Form Feed (x0C), and Carriage Return (x0D) that can be used as padding.
If a Windows user inspects such a .lnk file, the malicious arguments are not displayed in the Windows user interface because of the added whitespaces. As a result, the command line arguments added by the attackers remain hidden from the user’s view.
“User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” a Trend Micro advisory issued today explains.
“Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.”
This vulnerability is similar to another flaw tracked as CVE-2024-43461 that enabled threat actors to use 26 encoded braille whitespace characters (%E2%A0%80) to camouflage HTA files that can download malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a Senior Threat Researcher at Trend Micro’s Zero Day, and patched by Microsoft during the September 2024 Patch Tuesday.
The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day attacks to deploy information-stealing malware in campaigns against organizations across North America, Europe, and Southeast Asia.
Update March 18, 13:46 EDT: A Microsoft spokesperson sent the following statement after publishing time, saying the company is considering to address the flaw in the future:
We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
