Attackers are making use of Windows shortcut (.lnk) files to dupe users into running malicious code on their systems.
Researchers with Trend Micro’s Zero Day Initiative (ZDI) said that threat actors around the globe have been taking advantage of the Windows shell link shortcut format to execute malicious code on target machines.
Dubbed ZDI-CAN-25373 (more on this designation below), the security risk concerns a condition in which an attacker can manipulate the metadata within a .lnk file to hide the presence of malicious code, allowing the threat actor to disguise malicious payloads as seemingly innocuous shortcut files. Users who are tricked into launching the files could end up infecting their systems with malware.
Users unknowingly infecting their machines is exactly what is going on right now, according to the ZDI team. The researchers said that no fewer than 11 threat actor groups have been using this tactic to target organizations in the U.S. and Europe.
“These APT groups contain a mixture of state-sponsored, state-adjacent, and cybercrime groups,” the Trend Micro ZDI team said.
Of the 1,000 observed attacks, the lion’s share appear to be the work of the North Korea-linked Evil Corp group. The government-backed attackers were blamed for 45% of the observed attacks, while the remaining incidents were credited in equal parts to state-sponsored groups in China, Russia and Iran.
It was found that 70% of the attacks were apparently espionage attempts aimed at collecting intelligence from the target agencies, while another 20% appeared to be intent on stealing financial records and account credentials. The remainder were chalked up to either general chaos or an unknown motive.
“It is noteworthy that a significant majority of North Korea's intrusion sets have targeted ZDI-CAN-25373 at various times,” the ZDI team said.
“This observation underscores a trend of cross-collaboration, technique, and tool sharing among different threat groups within North Korea’s cyber program.”
Whether the issue meets the criteria for a registered security vulnerability remains up in the air. The ZDI researchers say they have reported the issue to Microsoft, but the Redmond security giant has declined to classify it as a CVE-eligible software vulnerability or issue a patch.
“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts is much higher,” the ZDI researchers explained.
“Subsequently, we submitted a proof-of-concept exploit through Trend ZDI's bug bounty program to Microsoft, who declined to address this vulnerability with a security patch.”
This generally happens when the vendor decides that the software is working as designed, even though malicious activity is going on. In other words, a patch cannot protect you from your own foolishness.
Microsoft acknowledged it had declined to classify the issue as a security vulnerability but issued guidance to administrators seeking to minimize risk.
“We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet,” Microsoft said in a statement to SC Media.
“As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.”
Trend Micro is supplying administrators with YARA rules and indicators of compromise to detect potential attacks, as well as updates to its own products and services that will block the observed attacks.
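The article describes the risk as shortcut metadata being manipulated so that the command the shortcut actually runs does not show in the Windows UI, and notes that Trend Micro is distributing YARA rules for detection. The following Python is an added example, not code from the article, Trend Micro, ZDI or Microsoft: it parses the MS-SHLLINK header and StringData section of a .lnk file directly, reports the full COMMAND_LINE_ARGUMENTS field regardless of what a Properties dialog would render, and flags arguments that bury content behind a long run of whitespace or control characters. The 50-character threshold, the `build_sample_lnk` fixture builder and the `notepad.exe` sample target are assumptions chosen for illustration, not values from the report.

```python
"""Minimal MS-SHLLINK (.lnk) parser that surfaces what the shortcut UI may not.

Added example, not from the SC Media article or the Trend Micro ZDI report.
It reads the StringData section of a shell link file directly and flags
COMMAND_LINE_ARGUMENTS whose content sits behind a long run of whitespace or
control characters. The padding threshold is an assumption for illustration.
"""
import struct
import sys

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Characters a GUI text field renders as blank or drops entirely
PADDING_CHARS = set("\x20\x09\x0a\x0b\x0c\x0d")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData strings from a shell link blob."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE

    # LinkTargetIDList: 2-byte IDListSize followed by the ID list itself
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + id_list_size

    # LinkInfo: 4-byte LinkInfoSize that includes the size field
    if flags & HAS_LINK_INFO:
        link_info_size = struct.unpack_from("<I", data, pos)[0]
        pos += link_info_size

    # StringData: CountCharacters (2 bytes) then that many characters, in
    # this fixed order; UTF-16LE when IsUnicode is set, else system code page
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return {"flags": flags, "strings": strings}


def padding_run(text: str) -> int:
    """Length of the longest consecutive run of padding characters."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch in PADDING_CHARS else 0
        best = max(best, run)
    return best


def analyze_lnk(data: bytes, threshold: int = 50) -> dict:
    """Flag a shortcut whose arguments hide content behind a long padding run.

    `threshold` is an assumed heuristic, not a value from the article.
    """
    args = parse_lnk(data)["strings"].get("arguments", "")
    run = padding_run(args)
    return {
        "arguments_length": len(args),
        "longest_padding_run": run,
        "visible_arguments": args.strip(),
        "suspicious": run >= threshold and args.strip() != "",
    }


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test fixture (assumption): a minimal Unicode shell link with
    only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS, no ID list or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x80,      # FileAttributes: FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,   # CreationTime, AccessTime, WriteTime
                         0, 0,      # FileSize, IconIndex
                         1,         # ShowCommand: SW_SHOWNORMAL
                         0)         # HotKey
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # Reserved1/2/3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data("notepad.exe") + string_data(arguments)


if __name__ == "__main__":
    # Usage: python lnk_check.py shortcut.lnk  (or no argument for the fixture)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_lnk(" " * 200 + "EXAMPLE_HIDDEN_ARGUMENT")
    print(analyze_lnk(blob))
```

Run it against a quarantined shortcut rather than opening the file's Properties dialog: the report shows the argument string's real length and the portion that follows the padding, and the `suspicious` flag gives triage logic a field to key on. In a pipeline, the same parser can feed the extracted `arguments` and `relative_path` strings to YARA or an EDR rule set, which is the kind of check the ZDI indicators are meant to support.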