The unobtrusive lack of security that affects Microsoft Windows was used by 11 state groups from China, Iran, North Korea and Russia as part of data theft, espionage and financially motivated companies dating from 2017.
A zero day vulnerability, tracked by Trend Micro’s Nero Day (Zdi) initiative as Appear-CAN-25373refers to a problem that allows bad actors to perform hidden malicious teams on the victim car using the created Windows or Shell Link (.lnk).
“Attacks use the hidden command line arguments in .lnk files to perform malicious loads, complicating the detection,” said security researchers Peter Girnus and allyakbar stuck in the analysis that shared with Hacker News. “The operation of the ZDI-CAN-25373 is subjected to significant risks of data theft and cyber-spyning.”
In particular, this includes upholstery of linear supplies (\ X0A) and the return of transportation (\ x0D) to avoid detection.
Almost 1000 .lnk of the artifacts that operate ZDI-CAN-25373 have been discovered today, most of the samples associated with the evil body (ASEN water), Kimzuk (Earth Kumikha), Horses (IMP land), bitter (Ananance Earth) and SkarkruTe (Earth Mantic).
Of the 11 state -owned threats that were abused, almost half of them arise from North Korea. In addition to the use of the lack at different times, the conclusion is a sign of cross-coloning among the different clusters threats acting in Pyongyang’s cyber.
Teleometry data show that governments, private structures, financial organizations, analytical centers, telecommunications service providers and military/defense agencies located in the USA, Canada, Russia, South Korea, Vietnam and Brazil have become the main goals of the attacks.
In the attacks, dissected by ZDI, the .lnk files act as delivery for famous families of malware such as Lumma Ctyler, Gulader and Remcos Rat, among others. These companies are characterized by ZDI-CAN-2005373 Eve corporations for distribution Raspine Robin.
Microsoft, for its part, classified this issue as a low gravity and does not plan to release the correction.
“ZDI-CAN-25373-Agree (UI (UI) Invalid Critical Information (CWE-451),” the researchers said.
“Using the ZDI-CAN-25373, the threatening actor can interfere with the final user to view important information (execution team).”