Nation-state Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
Trend Micro's Zero Day Initiative (ZDI) has found that at least 11 state-sponsored threat groups have been abusing Windows shortcut files, specifically malicious .lnk files, to carry out espionage and data theft. The attacks targeted organizations across various sectors in North America, Europe, Asia, South America, and Australia, and show that nation-state actors and cybercrime gangs alike rely on the same shortcut trick.
According to ZDI researchers, nearly half of the threat actors exploiting this flaw are North Korean (45.5%). Roughly 70% of the observed attacks were aimed at espionage and information theft and about 20% at financial gain, and the two motives often overlap within the same group. In every case the goal was to run hidden malicious commands on the victim's machine by abusing the weakness tracked as ZDI-CAN-25373.
ZDI identified nearly 1,000 malicious .lnk samples used in these attacks, some of them proof-of-concept files that suggest the technique was still being worked into attack chains. Trend Micro telemetry was used to correlate the recovered payloads, showing the technique in use across many otherwise unrelated campaigns.
ZDI-CAN-25373 is a flaw in how Windows presents .lnk files, not in how it executes them. A shortcut's COMMAND_LINE_ARGUMENTS field can carry arbitrary arguments for the target program, and the attackers padded that field with whitespace characters (spaces, tabs, line feeds, vertical tabs, form feeds, and carriage returns) so that the real command is pushed out of the Target field in the shortcut's Properties dialog and the victim sees nothing suspicious in the UI. To get the file opened in the first place, threat actors also assign a document icon and use double extensions such as "document.pdf.lnk"; Explorer hides the .lnk suffix by default even when other file extensions are shown, so the file is displayed as "document.pdf".
The researchers also noted that some North Korean APTs, such as Earth Manticore and Earth Imp, use oversized .lnk files (up to 70MB) to evade detection. The underlying weakness is a UI misrepresentation flaw (CWE-451): the interface that is supposed to let a user judge the risk of a file does not show what the file will actually do. The campaigns delivered a wide range of payloads, including malware-as-a-service (MaaS) tools and commodity malware.
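To make the padding trick concrete, here is an added example (my own triage script, not tooling from ZDI, Trend Micro, or Security Affairs) that parses the public MS-SHLLINK layout of a shortcut, extracts COMMAND_LINE_ARGUMENTS, and flags leading whitespace padding of the kind described above; it also reports the raw argument length, since padded or oversized shortcuts inflate it. The two shortcuts it inspects are constructed inline, the `/c calc.exe` payload is a benign placeholder, and the 16-space threshold and the SW_SHOWMINNOACTIVE window check are my own heuristics, not thresholds from the report.

```python
"""Triage Windows Shell Link (.lnk) files for whitespace-padded command-line arguments.

Added example; format offsets follow the public MS-SHLLINK specification.
The sample shortcuts below are constructed in this file, not captured samples.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} serialized little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each only if its flag is set.
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

PADDING_CHARS = " \t\n\v\f\r"      # whitespace used as padding in the reported samples
CONTROL_PADDING = "\t\n\v\f\r"     # control whitespace; never needed in a legitimate Target
MAX_LEADING_SPACES = 16            # assumption: my threshold for a benign run of leading spaces
SW_SHOWMINNOACTIVE = 7             # ShowCommand value that starts the target minimized


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData; the ID list and LinkInfo are skipped by size."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize covers the whole block
    unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]       # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        off += nbytes
        result[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return result


def analyze_arguments(args: str) -> dict:
    """Separate the padding from the command the target will really receive."""
    effective = args.lstrip(PADDING_CHARS)
    control = sum(1 for c in args if c in CONTROL_PADDING)
    padding_length = len(args) - len(effective)
    return {
        "arguments_length": len(args),
        "padding_length": padding_length,
        "control_chars": control,
        "effective_arguments": effective,
        "suspicious": control > 0 or padding_length > MAX_LEADING_SPACES,
    }


def triage(data: bytes) -> dict:
    info = parse_lnk(data)
    verdict = analyze_arguments(info.get("arguments", ""))
    verdict["target"] = info.get("relative_path")
    verdict["hidden_window"] = info["show_command"] == SW_SHOWMINNOACTIVE
    return verdict


def build_lnk(arguments: str, relative_path: str = "..\\..\\..\\Windows\\System32\\cmd.exe",
              show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (header + RELATIVE_PATH + ARGUMENTS + terminal block)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + b"\x00\x00\x00\x00"


# Constructed samples: an ordinary shortcut and one padded the way the report describes.
BENIGN_LNK = build_lnk("/c echo hello")
PADDED_LNK = build_lnk(" " * 300 + "\t\n\v\f\r" * 20 + "/c calc.exe", show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, triage(blob))
```

Run it against a real shortcut with `triage(open(path, "rb").read())`; any control whitespace in the arguments, or a long run of leading spaces, is the signal that the Properties dialog would have shown an empty or innocuous Target while the real command sits behind the padding.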
"Among the 11 state-sponsored APT groups leveraging ZDI-CAN-25373, a majority have a documented history of exploiting zero-day vulnerabilities in attacks in the wild," concludes the report. "These vulnerabilities present substantial risks, as they target flaws that remain unknown to software vendors and lack corresponding security patches, thereby leaving governments and organizations vulnerable to exploitation."
Microsoft has been notified about this vulnerability, but it appears that the company has yet to address it with a security patch.
The Importance of Addressing Zero-Day Vulnerabilities
The discovery of ZDI-CAN-25373 underlines why zero-day vulnerabilities matter. Attackers can use such a flaw to gain a foothold on a system and steal sensitive data, and because the vendor has released no patch, governments and organizations remain exposed until the vendor acts or they deploy their own mitigations.
Stay Safe Online
To stay safe online, keep your software up to date, run reputable antivirus software, and be cautious with unexpected emails and attachments. Because no patch is available for this flaw, treat .lnk files that arrive by email, inside archives, or on removable media as hostile: block or quarantine them at the mail gateway, and do not rely on the shortcut's Properties dialog to judge it, since padded arguments will not be visible there. Avoid opening .lnk files from untrusted sources unless absolutely necessary.