Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports:

The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut’s target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend’s Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. “This is one of many bugs that the attackers are using, but this is one that is not patched and that’s why we reported it as a zero day,” Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. “We told Microsoft but they consider it a UI issue, not a security issue. So it doesn’t meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.”

After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.
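The padding trick described above works because Windows shows the `Target` field in a text box that only ever displays the first part of a long argument string, while the shortcut itself carries the whole string in the COMMAND_LINE_ARGUMENTS entry of the file's StringData. A defender can read that field directly instead of trusting the property sheet. The following is an added example written for this page; it is not code from The Register, Trend Micro's ZDI, or anyone in the thread. It walks the public MS-SHLLINK layout (header, optional IDList and LinkInfo, then the StringData entries), collapses whitespace runs to show the arguments as they will actually be passed, and flags oversized files, oversized argument fields and long whitespace runs. The `.LNK` bytes it parses are constructed in the block itself (a minimal Unicode shortcut with no target, so it is a parser fixture, not a usable shortcut), and the thresholds in `inspect_lnk` are illustrative assumptions, not figures from the article.

```python
"""Parse the StringData of a Windows .LNK (Shell Link) file and flag
whitespace-padded command-line arguments. Added example: the layout follows
the public MS-SHLLINK format; the sample bytes are constructed below."""
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1), low byte only.
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def _read_string(data, offset, is_unicode):
    """One StringData entry: uint16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if is_unicode:
        end = offset + count * 2
        return data[offset:end].decode("utf-16-le", errors="replace"), end
    end = offset + count
    return data[offset:end].decode("latin-1"), end


def parse_lnk_strings(data):
    """Return the five StringData fields of a Shell Link as a dict (absent -> None)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link file")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize + IDList
        (size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:  # skip LinkInfo; its first uint32 is its total size
        (size,) = struct.unpack_from("<I", data, offset)
        offset += size
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            fields[name], offset = _read_string(data, offset, is_unicode)
        else:
            fields[name] = None
    return fields


def effective_arguments(data):
    """Arguments with every whitespace run collapsed to one space: what the
    shortcut actually passes, regardless of what the property sheet shows."""
    args = parse_lnk_strings(data)["arguments"]
    return "" if args is None else re.sub(r"\s+", " ", args).strip()


def inspect_lnk(data, max_file_size=64 * 1024, max_args_len=1024, min_pad_run=64):
    """Heuristic triage; returns a list of findings (empty = nothing suspicious).
    The three thresholds are illustrative assumptions, not published figures."""
    findings = []
    if len(data) > max_file_size:
        findings.append(f"file is {len(data)} bytes; shortcuts are normally far smaller")
    args = parse_lnk_strings(data)["arguments"] or ""
    if len(args) > max_args_len:
        findings.append(f"arguments field is {len(args)} characters long")
    run = re.compile(r"\s{%d,}" % min_pad_run).search(args)
    if run:
        hidden = args[run.end():].strip()
        findings.append(f"whitespace run of {len(run.group())} characters hides "
                        f"trailing text: {hidden[:80]!r}")
    return findings


def build_sample_lnk(arguments, relative_path=".\\readme.txt"):
    """Constructed fixture: a minimal Unicode Shell Link carrying only StringData.
    No IDList or LinkInfo is written, so this is parser input, not a usable shortcut."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, icon, hotkey zeroed

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a benign shortcut, and one whose arguments carry 4000 spaces
# so that the text after the padding sits beyond what any text box would display.
CLEAN_SAMPLE = build_sample_lnk("--open readme.txt")
PADDED_SAMPLE = build_sample_lnk("--open readme.txt" + " " * 4000 + "--placeholder-hidden-flag")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(label, len(blob), "bytes")
        print("  effective args:", effective_arguments(blob))
        for finding in inspect_lnk(blob):
            print("  !", finding)
```

Run on a real shortcut with `inspect_lnk(open(path, "rb").read())`; `effective_arguments` is the value worth logging, because it is what the shell will see once the padding is gone. The size check alone is weak, as the thread below points out, so the argument-field and whitespace-run checks carry the detection.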

  • Admiral Patrick@dubvee.org (OP) · 29 up, 2 down · edited · 1 day ago

    But Trend’s Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

    A multi-megabyte shortcut file (which is usually a file less than 1 KB) would be very suspicious to me, but I guess I’m not the target audience of this particular exploit.

    • Whooping_Seal · 23 up · 1 day ago

      To be fair, even skilled users may just not notice something like this. There are many things we do in our day-to-day life without paying enough attention, particularly when it’s routine / something we feel adept using.

    • SchmidtGenetics@lemmy.world · 18 up · 1 day ago

      You check your shortcut file size before opening it every time? Why would you even be suspicious in the first place?

    • kernelle@0d.gs · 6 up · 1 day ago

      Using shellcode it’s possible to get persistent RCE using less than 100 bytes, don’t let one bad attempt at obfuscation cloud your judgement. Size does not matter.

      • Admiral Patrick@dubvee.org (OP) · 7 up, 3 down · edited · 1 day ago

        Two things can be true at once.

        I’m simply saying that if I see a .lnk file that’s 2.5 MB, I’m going to be more than a little suspicious since pretty much all shortcut files are like 800-some bytes.

        • sugar_in_your_tea · 5 up · 17 hours ago

          How would you notice? Do you always see the filesize of every link you open? Surely an attacker could replace one you already use with a compromised one with a simpler exploit.

        • kernelle@0d.gs · 1 up · 1 day ago

          Oh for sure, I’m saying malicious .lnk’s won’t all be this badly obfuscated.

  • cron@feddit.org · 11 up, 1 down · 1 day ago

    It somewhat annoys me that an eight-year-old bug is referred to as a “zero day vulnerability”.

    • sylver_dragon@lemmy.world · 2 up · 40 minutes ago

      It’s also not really a bug. It’s just understanding that whitespace characters are often ignored and can be used to push a command past the end of the textbox in the “edit shortcut” form. I’m not sure I really see a fix for it either. Granted, I think always showing file extensions would be a good start; but, that horse is so long out of the barn it’s grown old and died in the woods. Much like hyperlinks, I think people just need to learn to be careful where they put their click.

    • lazynooblet@lazysoci.al · 7 up · 18 hours ago

      Correct me if I’m wrong but doesn’t zero day just mean there is no patch or mitigation available?

      • sugar_in_your_tea · 5 up · 17 hours ago

        I think it’s more that it’s recently discovered. If they sit on it and don’t patch it, it’s not really a zero day anymore.

        • atrielienz@lemmy.world · 3 up, 1 down · 15 hours ago

          “Despite developers’ goal of delivering a product that works entirely as intended, virtually all software and hardware contain bugs.[7] If a bug creates a security risk, it is called a vulnerability. Vulnerabilities vary in their ability to be exploited by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a denial of service attack. The most valuable allow the attacker to inject and run their own code, without the user being aware of it.[8] Although the term “zero-day” initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no patch or other fix is available.[9][10][11] A zero-day exploit is any exploit that takes advantage of such a vulnerability.[8]”

          That’s the definition straight from Wikipedia.

          • cron@feddit.org · 5 up · 12 hours ago

            Although the term “zero-day” initially referred to the time since the vendor had become aware of the vulnerability […]

            Yes, this is the original definition that made sense. It doesn’t make sense to me that this definition apparently has been adjusted to include all unpatched vulnerabilities.

          • sugar_in_your_tea · 3 up · edited · 15 hours ago

            True. However, if a vulnerability is well known and nobody is bothering to patch it, I doubt most would call it a zero day. At that point it goes back to being an unpatched vulnerability.

            So I’d call something a zero day between discovery and an official response from the vendor (either a patch or confirmation that it’s not getting patched). That’s how I use it, not sure about others.