
State-sponsored hackers from North Korea, Iran, Russia, and China are crafting malicious links that compromise governments, military, and other critical organizations, leading to espionage and data theft. Yet, Microsoft declined to address the vulnerability with a security patch, Trend Micro has said in a report.
Microsoft link (LNK) files fail to present users with critical information, and malicious actors exploit this flaw to embed malicious packages into them.
LNK files are supposed to provide quick access to files, apps, or folders on a computer. However, the Trend Zero Day Initiative (ZDI) threat-hunting team identified nearly 1,000 malicious .lnk files and estimates that the total number of exploitation attempts is much higher.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” ZDI explains.
The flaw lies in the way Windows handles .lnk files – hazardous content in the file is invisible to users even if they have suspicions and inspect the file via the Windows-provided user interface.
To the victim, the malicious file may look like a simple link to a text document, or carry any other icon chosen to confuse the victim and lure them into executing it.
The largest of the analyzed link files was 55.16 megabytes, larger than many widespread malware packages.
Most of the analyzed malicious samples (343) were submitted from the US, followed by Canada (39 files). However, the victimology is likely “much broader” due to multiple hacking groups already exploiting the flaw.
“The attacks leverage hidden command line arguments within .lnk files to execute malicious payloads, complicating detection,” the researchers warn in the report.
Nearly 70% of analyzed malicious .lnk files are primarily focused on espionage and information theft, while over 20% are directed toward achieving financial gain.
“We discovered the widespread abuse of this vulnerability by numerous threat actors and APT groups. These threats include a mix of state-sponsored as well as non-state-sponsored APT groups,” the ZDI researchers said.
“Many of these groups demonstrated a high degree of sophistication in their attack chains and have a history of abusing zero-day vulnerabilities in the wild.”
Microsoft refused to patch immediately
ZDI reported the vulnerability, tracked as ZDI-CAN-25373, to the Redmond giant on September 20th, 2024. Microsoft acknowledged the report and a week later assessed the case as “not meeting the bar for servicing.”
ZDI followed up with additional information about the case. However, after multiple exchanges, the situation remained unchanged. Almost three weeks ago, ZDI informed Microsoft they’d go public.
“Microsoft classified this as low severity and this will not be patched in the immediate future,” the researchers said.
Cybernews has reached out to Microsoft for a comment and will include their response.
According to the ZDI, restricting interaction with the application is currently the only way to mitigate the vulnerability. The researchers recommend remaining vigilant about .lnk files in general and using endpoint and network protection measures to detect and respond to this threat.
Link files can be recognized by an arrow on the lower-left side of the icon.
“In attack campaigns that utilize .lnk files, threat actors will often change the icon to confuse and entice the victim into executing the shortcut,” the report reads.
Hackers will often add a “spoof” extension such as .pdf.lnk along with a matching icon to trick users further. Windows hides the ‘.lnk’ part, so the document may appear as a PDF file.
If a user checks the properties of a malicious .lnk file, Windows cannot show the malicious arguments within the limited space of the dialog, because inserted whitespace or other special characters push them out of view.
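A defender-side check for the padding technique described above, added here as an example and not taken from the Trend Micro report: it walks the Shell Link header and StringData section per MS-SHLLINK to pull out the COMMAND_LINE_ARGUMENTS field, then flags an argument string whose content sits behind a long whitespace run. The 64-character threshold and the inert, target-less test fixture built by `build_lnk` are assumptions.

```python
import struct

# ShellLinkHeader LinkFlags bits (MS-SHLLINK 2.1.1) and the Shell Link CLSID.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def read_string(data, pos, unicode):
    """StringData item: 2-byte CountCharacters, then that many characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    width = 2 if unicode else 1
    end = pos + 2 + count * width
    return data[pos + 2:end].decode("utf-16-le" if unicode else "cp1252"), end

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk file, or None if it has none."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = 76                               # fixed-size header ends here
    if flags & HAS_ID_LIST:                # LinkTargetIDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:              # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    args = None
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if flags & bit:                    # StringData items appear in this fixed order
            text, pos = read_string(data, pos, unicode)
            if bit == HAS_ARGS:
                args = text
    return args

def padded_arguments(args, threshold=64):
    """True when content hides behind a whitespace run (64-char threshold is an assumption)."""
    longest = run = 0
    for ch in args or "":
        run = run + 1 if ch in " \t\r\n\x0b\x0c" else 0
        longest = max(longest, run)
    return longest >= threshold

def build_lnk(args):
    """Constructed test fixture: header plus one arguments string and no target, so it is inert."""
    header = struct.pack("<I16sI", 76, LNK_CLSID, HAS_ARGS | IS_UNICODE)
    header += bytes(76 - len(header))
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    for sample in ("-open report.txt", " " * 300 + "-open report.txt"):
        print(padded_arguments(lnk_arguments(build_lnk(sample))))  # False, then True
```

On real files, read the bytes with `open(path, "rb").read()` and pass them to `lnk_arguments`; the Properties dialog would show the padded sample as an empty-looking Target field.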
Microsoft is considering an update
Microsoft confirmed to Cybernews that it is considering addressing the flaw in a future release.
“While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release,” a Microsoft spokesperson said in a statement.
“We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure.”
They also noted that Microsoft Defender has detections in place to identify and block this threat activity, and that Smart App Control provides an extra layer of protection by blocking malicious files from the Internet.
“As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files,” the spokesperson said.
Windows identifies shortcut files (.lnk) as a potentially dangerous file type. If users attempt to open a .lnk file downloaded from the Internet, they receive a security warning advising them not to open files from unknown sources. That limits the practical usefulness of the described method to attackers.
Russian and North Korean hackers are the main abusers
Eleven state-sponsored hacking groups are already exploiting the link vulnerability, and the first campaigns date back to 2017.
Evil Corp (a.k.a. Water Asena, I), a notorious Russian cybercrime gang, has developed the most samples of malicious .lnk files, followed by the North Korean state-sponsored hackers Kimsuky and Earth Imp (Konni).

“Nearly half of the state-sponsored threat actors that exploit ZDI-CAN-25373 are reported to originate from North Korea,” the report reads.
The vast majority of North Korea’s threat actors have exploited this flaw at different times, which suggests close collaboration and technique sharing within their cyber program.
The most monitored attacks targeted the government, private, and financial sectors, think tanks, and telecommunications.
Trend Micro warns that the flaw presents a substantial risk to organizations worldwide, exposing them to data theft and cyber espionage.
Updated on March 19th [03:15 p.m. GMT] with a statement from Microsoft.