The accrued security flaws affecting Microsoft Windows are being exploited by 11 state-sponsored groups from China, Iran, North Korea and Russia as part of data theft, spying and financially motivated campaigns dating back to 2017.
The zero-day vulnerability tracked by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373 refers to an issue that allows bad actors to execute hidden malicious commands on the victim’s machine by leveraging crafted Windows shortcuts or shell links (.LNK) files.
“Attacks leverage hidden command line arguments in .lnk files to execute malicious payloads, complicating detection,” security researchers Peter Gilnus and Aliakbar Zaravi said in an analysis shared with Hacker News. “The exploitation of ZDI-CAN-25373 puts organizations at significant risk of data theft and cyber espionage.”
Specifically, this includes padding of arguments with line feed (\x0a) and carriage return (\x0d) characters to avoid detection.
1,000 .lnk file artifacts have been excavated to date that exploit ZDI-CAN-25373, with most samples linked to the evil corporation (Water Asena), Kimsky (Earsukumiho), Korni (Earsimp), Bitter (Ears Anansi), and Skulkult (Earth Mantic).
Of the 11 countries-sponsored threat actors found to abuse the flaws, nearly half of them are born from North Korea. In addition to exploiting flaws at different times, this finding serves as a sign of cross-collaboration between different threat clusters operating within Pyongyang cyber equipment.
Telemetry data shows that governments, private companies, financial institutions, think tanks, telecommunications service providers, and military/defense institutions in the US, Canada, Russia, South Korea, Vietnam and Brazil are the main targets of attacks that exploit vulnerability.
In the attack analyzed by ZDI, the .LNK file acts as a delivery vehicle for known malware families such as Lumma Stealer, Guloader, and Remcos Rat. Of these campaigns, what is noteworthy is the exploitation of ZDI-CAN-25373 by Evil Corp to distribute Raspberry Robin.
Microsoft classifies this issue as a low severity and does not plan to release any fixes.
“ZDI-CAN-25373 is an example of misrepresentation of important information (CWE-451) (user interface (UI),” the researchers said.
“By leveraging ZDI-CAN-25373, threat actors can prevent end users from viewing critical information (executing commands) related to assessing the risk level of a file.”
Source link
