State-sponsored hackers working of laptop exploit Windows shortcut files

Numerous State-Sponsored Hackers Exploit Windows Shortcut Files for Cyber Espionage

State-sponsored hackers from traditional U.S. adversaries are exploiting Windows shortcut files to steal data in a cyber espionage campaign dating back to at least 2017.

Trend Micro researchers Peter Girnus and Aliakbar Zahravi detailed how 11 state-linked advanced persistent threat actors (APTs) from Russia, China, Iran, and North Korea are exploiting the security flaw dubbed ZDI-CAN-25373 to execute malicious commands.

The report warns that the cyber espionage campaign has affected various organizations across “the government, financial, telecommunications, military, and energy sectors” in “North America, Europe, Asia, South America, and Australia.”

How state-sponsored hackers leverage Windows shortcut file for cyber espionage

ZDI-CAN-25373 from Trend Micro’s Zero Day Initiative pertains to how the Windows operating system displays the contents of shortcut files ‘.lnk’ via the Windows UI. Trend Micro researchers have identified nearly 1,000 malicious Windows shortcut files exploiting the vulnerability.

They explained how state-sponsored hackers exploit the vulnerability by specially preparing the contents of the Windows shortcut files to deceive victims by embedding malicious content.

“Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content,” the researchers said.

The state-sponsored hackers succeed because many users recognize Windows shortcut files as common UI elements and can embed command-line arguments, making them capable of malicious command execution.

Subsequently, the attackers specifically craft Windows shortcut files with whitespaces in relevant fields to prevent the Windows operating systems from displaying their contents in the Properties Window.

“In this case, exploiting the vulnerability involves manipulating how Windows displays shortcut files by padding command-line arguments with whitespace characters,” said Jason Soroko, Senior Fellow at Sectigo. “If this method requires a chain of specific conditions or user interactions that are unlikely in everyday scenarios, Microsoft may view it as lower risk. If the ability to do this requires the attacker to elevate privileges using an endpoint compromise, I have seen Microsoft in the past express a similar viewpoint.”

The exploit hinges on CWE-451, a vulnerability that allows the Windows operating to misrepresent critical security information, allowing attackers to misrepresent erroneous data. This exploit prevents security-conscious potential victims from viewing the embedded content without a third-party tool, such as a hex editor.

Ironically, the malicious Windows shortcut files still display some obvious red flags that could raise alarms for security-conscious users.

For example, while ‘.lnk’ files are small, usually containing a few kilobytes of data, the malicious Windows shortcut files are extremely large, packing up to 70mbs.

However, since the malicious files require victims to click on them, the state-sponsored hackers use alluring icons and text to trick the victims into executing them.

Examining the motive of the cyber attacks, the researchers found that more than two-thirds (70%) of the cyber attacks were geared toward cyber espionage, while 20% were intended for financial gain.

“In some instances, threat actors with a primary motivation towards espionage may fund their espionage efforts with financially motivated campaigns,” they stated.

The state-sponsored hackers primarily targeted government (22.8%), private (14.0%), financial (8.8%), think tanks (8.8%), and telecommunications (8.8%) sectors.

The top countries that exploited ZDI-CAN-25373 Windows shortcut file vulnerability were North Korea (45.5%), Iran (18.2%), Russia (18.2%), and China (18.1%), with DPRK state-sponsored hackers specifically showing a high degree of cooperation.

“This observation underscores a trend of cross-collaboration, technique, and tool sharing among different threat groups within North Korea’s cyber program.”

Actively exploited vulnerability will not be immediately fixed by Microsoft

Meanwhile, Trend Micro has disclosed the Windows shortcut file vulnerability via Microsoft’s bounty program. However, Redmond categorized the security vulnerability as low severity, suggesting that it would not likely be patched soon.

“This vulnerability was disclosed to Microsoft via Trend ZDI’s bug bounty program; Microsoft classified this as low severity and this will not be patched in the immediate future,” the researchers stated.

The tech giant also claims that its default Windows security solution Microsoft Defender has inbuilt security features to protect against these types of threats. Additionally, Smart App Control blocks malicious files downloaded from the internet.

Nonetheless, Microsoft also advises users to avoid downloading files from unknown sources, of which the Smart App Control will warn them. The tech colossus also promised to address the security vulnerability in the future although it fails to meet the threshold for immediate response.

“Actively exploited vulnerabilities are usually patched within a short period of time,” noted Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck. “It’s unusual for Microsoft to refuse to release a security patch in this situation given that it is actively being exploited by nation-state groups. Microsoft should address the vulnerability immediately to manage software risk and prevent further attacks and compromises of systems throughout the world.”