
A critical zero-day vulnerability, identified as ZDI-CAN-25373, has been exploited by state-sponsored hacking groups for several years, underscoring its severe security implications. This exploit leverages Windows shortcut (.lnk) files to execute malicious commands stealthily, bypassing detection. Security experts have linked this vulnerability to cyber-espionage and data theft campaigns targeting global organizations.
Understanding ZDI-CAN-25373
Since 2017, ZDI-CAN-25373 has been actively exploited by 11 nation-state actors from countries including North Korea, Iran, Russia, and China. Trend Micro’s Zero Day Initiative (ZDI) has identified nearly 1,000 malicious .lnk samples utilizing this exploit, suggesting many more remain undetected. Despite the risks, Microsoft has not released a security patch, stating that the issue does not meet its criteria for a fix, which leaves organizations to rely on alternative defensive measures.
How the Exploit Works
Threat actors exploit ZDI-CAN-25373 using specially crafted .lnk files to conceal malicious command-line arguments. These hidden commands allow attackers to execute payloads without detection by traditional security measures.
- Undetectable Commands: Malicious commands are embedded within shortcut files, making detection challenging.
- Whitespace Padding: Attackers use whitespace padding in the COMMAND_LINE_ARGUMENTS structure to obscure execution details.
- Deceptive Appearance: The ability to mimic legitimate files makes these attacks highly deceptive.
State-Sponsored Exploitation
Research indicates that state-sponsored Advanced Persistent Threat (APT) groups have primarily used ZDI-CAN-25373 for cyber espionage and data theft. North Korea leads with 45.5% of APT attacks, followed by Iran, Russia, and China. Additionally, some financially motivated cybercriminal organizations have leveraged this vulnerability for targeted intrusions.
Targeted Sectors
The industries most affected by these attacks include:
- Government: 22.8% of attacks
- Private Sector: 14% of attacks
- Financial Institutions: 8.77% of attacks
- Think Tanks, Telecommunications, Military and Defense, Energy: 8.77% each
- Cryptocurrency: 5.26% of attacks
- Education, Healthcare, Media: 3.51% each
- Critical Infrastructure, Nuclear Sectors: 1.75% each
Malware Payloads Associated with ZDI-CAN-25373
Various malware strains have been deployed in campaigns exploiting this vulnerability. Key categories include:
- RATs and Loaders: Xeno RAT, Quasar RAT, PupyRAT, Warzone RAT, Remcos
- Banking Trojans and InfoStealers: Gozi, Snake Keylogger, Lumma Stealer, Raccoon Stealer
- Malware-as-a-Service (MaaS): Widely used, with 79 tracked samples
- Cobalt Strike and Sliver: Legitimate penetration-testing frameworks repurposed by attackers
Microsoft's Response and Security Recommendations
Despite the submission of a Proof-of-Concept (PoC) exploit for ZDI-CAN-25373 to Microsoft, no patch has been issued. Organizations must adopt alternative mitigation strategies to defend against this threat.
- Restrict .lnk File Usage: Limit execution of shortcut files from untrusted sources.
- Implement Endpoint Protection: Ensure security solutions can detect and block suspicious shortcut files.
- Conduct Network Monitoring: Log and analyze anomalous activities related to .lnk files.
- Regularly Update Software: Keep Windows systems updated to mitigate other vulnerabilities.
- Train Employees on Phishing Risks: Educate staff on identifying suspicious attachments and links.
- Inspect Shortcut Files: Use forensic tools to analyze shortcut metadata.
- Use Behavioral Analysis: Employ advanced detection mechanisms focusing on behavioral indicators.
- Restrict Script Execution: Disable unnecessary scripting capabilities to reduce risk.
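As an added example (not code from Trend Micro or the original article), the following Python script parses the Shell Link Binary File Format just far enough to extract COMMAND_LINE_ARGUMENTS and measure the whitespace padding described under "How the Exploit Works", which is the kind of metadata inspection the "Inspect Shortcut Files" recommendation calls for. The 64-character padding threshold, the latin-1 decoding of non-Unicode strings, and the `build_lnk` helper that constructs sample shortcuts in memory are assumptions of this example.

```python
import struct

# ShellLinkHeader.LinkFlags bits and the Shell Link CLSID, from MS-SHLLINK
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PAD_CHARS = " \t\r\n\x0b\x0c"   # whitespace characters usable as padding

def _read_string(buf, off, unicode):
    """Read one StringData item: CountCharacters (u16) then the characters (ANSI assumed latin-1)."""
    count = struct.unpack_from("<H", buf, off)[0]
    end = off + 2 + (2 * count if unicode else count)
    return buf[off + 2:end].decode("utf-16-le" if unicode else "latin-1"), end

def lnk_arguments(buf):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if absent."""
    if len(buf) < 0x4C:
        raise ValueError("not a Shell Link file")
    size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_ID_LIST:    # LinkTargetIDList: IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: its first field is the total size
        off += struct.unpack_from("<I", buf, off)[0]
    uni = bool(flags & IS_UNICODE)
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR):  # items preceding the arguments
        if flags & bit:
            _, off = _read_string(buf, off, uni)
    return _read_string(buf, off, uni)[0] if flags & HAS_ARGS else None

def padding_stats(args):
    """Count padding whitespace and recover the command text it surrounds."""
    pad = sum(args.count(c) for c in PAD_CHARS)
    return {"length": len(args), "padding": pad, "visible": args.strip(PAD_CHARS)}

def is_suspicious(buf, max_pad=64):
    """Flag a .lnk whose arguments carry more padding than a normal shortcut would (threshold assumed)."""
    args = lnk_arguments(buf)
    return args is not None and padding_stats(args)["padding"] > max_pad

def build_lnk(args, unicode=True, with_idlist=False):
    """Construct a minimal .lnk (header, optional empty IDList, arguments) as test input."""
    flags = HAS_ARGS | (IS_UNICODE if unicode else 0) | (HAS_ID_LIST if with_idlist else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    idlist = struct.pack("<H", 2) + b"\x00\x00" if with_idlist else b""  # TerminalID only
    data = args.encode("utf-16-le") if unicode else args.encode("latin-1")
    return header + idlist + struct.pack("<H", len(args)) + data
```

Real shortcuts may also carry LinkInfo and the three preceding string items, which the parser skips by their own length fields; a `padding_stats` result with a large `padding` value and a short `visible` command is the pattern worth alerting on.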