
Poisoned Windows shortcuts found to be a favorite of Chinese, Russian, N. Korean state hackers

Nearly a dozen nation-state groups from North Korea, China and Russia are exploiting a vulnerability affecting a commonly used feature of Microsoft Windows.

Researchers at the Zero Day Initiative (ZDI) said they have identified multiple campaigns exploiting the bug — which affects Windows shortcuts, or .lnk files — going back to 2017. 

Microsoft has not assigned a Common Vulnerabilities and Exposures (CVE) number, but ZDI — part of cybersecurity company Trend Micro — tagged it as ZDI-CAN-25373. 

The vulnerability arises in the way Windows displays the contents of shortcuts, according to ZDI. Those files, also known as shell links, allow Windows users to quickly click through to a file, folder or application in another part of the system.

Manipulated versions of the file type have previously been spotted in use by nation-state hackers from Russia and North Korea. Victims cannot tell that such a file contains any malicious content.

“In attack campaigns that utilize .lnk files, threat actors will often change the icon to confuse and entice the victim into executing the shortcut,” the experts said in a report published on Tuesday.

“Since Windows always suppresses display of the .lnk extension, threat actors will often add a ‘spoof’ extension such as .pdf.lnk along with a matching icon to further trick users. A .lnk file will usually have an arrow on the lower-left side of the icon.”

They found almost 1,000 samples that exploit the bug but theorized that the total number of exploitation attempts “are much higher.”

ZDI says it approached Microsoft with a proof-of-concept exploit but the tech giant declined to create a patch for the vulnerability. ZDI said Microsoft “classified this as low severity and this will not be patched in the immediate future.”

In comments to Recorded Future News, a Microsoft spokesperson said their Defender cybersecurity product “has detections in place to detect and block this threat activity.” They added that Smart App Control also blocks malicious files from the Internet.

“While the [user interface] experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release,” they said.

The spokesperson noted that Windows identifies shortcut files as potentially dangerous and attempting to open an .lnk file downloaded from the Internet automatically triggers a security warning advising users not to open files from unknown sources.

Microsoft claimed the tactics described by ZDI are of “limited practical use to attackers.” 

‘Cross-collaboration’

In total, threat hunters at ZDI said they spotted 11 state-sponsored groups from North Korea, Iran, Russia, and China using ZDI-CAN-25373 to steal data and conduct cyber espionage operations. It also saw quasi-criminal groups like Evil Corp exploit the bug as a method of deploying its Raspberry Robin malware.

Nearly half of the state-sponsored groups exploiting the bug originate from North Korea, including well-known operations like Kimsuky and APT37, and ZDI said this indicates a level of “cross-collaboration, technique, and tool sharing among different threat groups within North Korea’s cyber program.”

Just 20% of the campaigns the researchers analyzed were focused on financial gain while about 70% were aimed at espionage and information theft. 

The hackers have primarily targeted government entities, cryptocurrency-related firms, think tanks, telecommunications companies, military and defense organizations and more, ZDI said. 

The vast majority of victims identified by ZDI — more than 300 — are based in the U.S. while dozens of others are spread across Canada, Russia, South Korea, Vietnam and Brazil. 

ZDI also tracked the tactics used by each group, noting that North Korea’s APT37 and other groups typically used large .lnk files with large amounts of whitespace and other junk content to further evade detection. 
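A triage script for the two indicators the article names, the spoofed double extension such as .pdf.lnk mentioned earlier and the whitespace padding described here, written as an added example (not code from ZDI, Trend Micro or Microsoft): it parses the shortcut's MS-SHLLINK header and string data, then flags a spoofed file name and a padded command-line arguments field. The padding threshold and the sample shortcut are constructed assumptions, and since the article does not say which field the junk lives in, checking the arguments field is an assumption too.

```python
import struct
# MS-SHLLINK header: HeaderSize 0x4C followed by the shell-link CLSID
LNK_MAGIC = bytes.fromhex("4c000000" + "0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order when their LinkFlags bit is set
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
SPOOF_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt")
PAD_CHARS = set(" \t\r\n\x0b\x0c")

def parse_lnk(data: bytes) -> dict:
    """Walk the header, skip IDList/LinkInfo, and decode the StringData fields."""
    if data[:len(LNK_MAGIC)] != LNK_MAGIC:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:          # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:        # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields

def triage(filename: str, data: bytes, pad_threshold: int = 64) -> list:
    """Return the indicators found: spoofed double extension, padded arguments."""
    findings = []
    name = filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(SPOOF_EXT):
        findings.append("spoofed double extension")
    args = parse_lnk(data).get("arguments", "")
    pad = sum(1 for ch in args if ch in PAD_CHARS)
    if pad >= pad_threshold:      # threshold is an assumption; tune to your corpus
        findings.append(f"arguments padded with {pad} whitespace characters")
    return findings

def build_sample(args: str) -> bytes:
    """Constructed minimal shortcut (unicode, arguments only) used only for the demo."""
    hdr = bytearray(0x4C)
    hdr[:len(LNK_MAGIC)] = LNK_MAGIC
    struct.pack_into("<I", hdr, 20, 0x20 | IS_UNICODE)   # HasArguments | IsUnicode
    return bytes(hdr) + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Real shortcuts usually also carry an IDList and LinkInfo, which the parser skips by their size fields, so the same triage runs over files pulled from a mail gateway or download folder.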

The company warned that the bug was one example of nation-state groups increasingly relying on zero-day vulnerabilities in attacks on critical industries. 

“These vulnerabilities present substantial risks, as they target flaws that remain unknown to software vendors and lack corresponding security patches, thereby leaving governments and organizations vulnerable to exploitation,” they said. 

“As geopolitical tensions and conflicts escalate, an increase in the sophistication of threat actors and the utilization of zero-day vulnerabilities is anticipated to rise, as both nation-states and cybercriminals endeavor to gain a competitive advantage over their adversaries.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.