MS Windows Zero Day Vulnerability Widely Exploited

Uploaded on 2025-03-31 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-North Korea, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A security flaw in Microsoft Windows has been used by at least many state-sponsored groups including China, Iran, North Korea, and Russia as part of data theft and espionage since 2017.

The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI), and called ZDI-CAN-25373, allows hackers to execute hidden malicious commands on a victim's machine by leveraging crafted Windows Shortcut or Shell Link (.LNK) files.

Specifically, this involves the padding of the arguments with Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), Vertical Tab (\x0B), Form Feed (\x0C), and Carriage Return (0x0D) whitespace characters to evade detection.

Nearly a 1,000 .LNK file artifacts exploiting ZDI-CAN-25373 have been unearthed to date, with a majority of the samples linked to Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).

Fifty percent of the hackers come from the Democratic People’s Republic of Korea (DPRK) and, besides exploiting the flaw at various times, the finding serves as an indication of collaboration across the various units operating in the malign cyber apparatus of which has been built up by the North Korean regime.

In expert comment, Craig Watt, Threat Intelligence Consultant at Quorum Cyber, said, "The fact that approximately half of the state actors involved in these campaigns have been attributed to the DPRK likely demonstrates cross-collaboration between threat clusters operating within Pyongyang's cyber apparatus."

"Although zero-day exploits have regularly been targeted by DPRK cyber actors for initial access, the deployment of LNK files reflects a tradecraft expansion within Pyongyang’s cyber programme, with previous attacks relying on document-based payloads... These operations are likely designed to enhance North Korea’s cyber espionage capabilities as the DPRK seeks to bridge gaps within its weapons programs, as well as to enhance its state survival in response to isolation from the international community due to sanctions."

"The indications are that governments, private entities, financial organisations, think tanks, telecommunication service providers, and military agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil have become the primary targets of attacks exploiting the vulnerability." Watt concludes.

Microsoft has classified the issue as low severity and has no plan to release a fix since .LNK is amongst the list that has been blocked across its products such as Outlook, Word, Excel, PowerPoint, and OneNote. As a result, attempting to open such files downloaded from the web automatically initiates a security warning, advising users not to open files from unknown sources.

Furthermore, Microsoft has pointed out that the method outlined by ZDI is of limited practical use to an attacker, and that Microsoft Defender's content scanning code has the ability to scan these files and recognise the technique to identify malicious files.

Although the campaigns have targeted victims worldwide, they have focused on North America, South America, Europe, East Asia, and Australia. Out of all the attacks analysed, nearly 70% were linked to espionage and data theft, while financial gain accounted for 20%.

Image: @thezdi

You Might Also Read:

Hackers Use Windows Backdoor To Deliver BadSpace:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.