{"id":58324,"date":"2025-03-18T00:00:00","date_gmt":"2025-03-18T00:00:00","guid":{"rendered":"urn:uuid:8714d1f4-0dab-9114-e42d-b332dbbf3c2d"},"modified":"2025-03-18T00:00:00","modified_gmt":"2025-03-18T00:00:00","slug":"zdi-can-25373-windows-shortcut-exploit-abused-as-zero-day-in-widespread-apt-campaigns","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/zdi-can-25373-windows-shortcut-exploit-abused-as-zero-day-in-widespread-apt-campaigns\/","title":{"rendered":"ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns"},"content":{"rendered":"

<\/p>\n

<\/div>\n

During our analysis, we discovered that some North Korean threat actors, such as Earth Manticore (APT37) and Earth Imp (Konni), tended to use extremely large .lnk files with large amounts of whitespace and other junk content to further evade detection. Earth Imp used files with a median size of 3.32MB, with a maximum file size of 70.1MB. Earth Manticore used files with a median size of 33.33MB, with a maximum file size of 55.16MB.<\/p>\n

ZDI-CAN-25373 is an example of (User Interface (UI) Misrepresentation of Critical Information (CWE-451). This means that the Windows UI failed to present the user with critical information. Similar to a previous discovery<\/a> we made, it is a failure to properly represent security-critical information to the user. By exploiting ZDI-CAN-25373, the threat actor can prevent the end user from viewing critical information (commands being executed) related to evaluating the risk level of the file.<\/p>\n

Conclusion <\/span><\/p>\n

The threat posed by APTs originating from nation-states, as well as from sophisticated cybercriminals, poses a significant risk to the confidentiality, integrity, and availability of data maintained by governments, critical infrastructure, and private organizations globally. Among the 11 state-sponsored APT groups leveraging ZDI-CAN-25373, a majority have a documented history of exploiting zero-day vulnerabilities in attacks in the wild. These vulnerabilities present substantial risks, as they target flaws that remain unknown to software vendors and lack corresponding security patches, thereby leaving governments and organizations vulnerable to exploitation. As geopolitical tensions and conflicts escalate, an increase in the sophistication of threat actors and the utilization of zero-day vulnerabilities is anticipated to rise, as both nation-states and cybercriminals endeavor to gain a competitive advantage over their adversaries. This growing prevalence of zero-day exploitation necessitates the implementation of comprehensive security solutions to safeguard critical assets and industries effectively. This vulnerability was disclosed to Microsoft via Trend ZDI’s bug bounty program; Microsoft classified this as low severity and this will not be patched in the immediate future.<\/p>\n

To make software more secure and protect customers from zero-day attacks, Trend ZDI\u202fworks with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The Trend ZDI threat hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry. <\/p>\n

Proactive security with Trend Vision One\u2122<\/a><\/span><\/p>\n

Organizations can protect themselves from attacks such as those employed by APT groups with Trend Vision One<\/a>\u2122<\/a> \u2013 the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you\u2019re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.<\/p>\n

When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect its remaining systems, especially with robust Endpoint and Network Security solutions. The platform\u2019s security operations capabilities stop adversaries with unrivalled visibility\u2014enriched by native sensors and third-party telemetry. Detect, investigate, and respond proactively with the power of XDR, SIEM, and SOAR. Leaving attackers with no place left to hide.<\/i><\/p>\n

Trend rules and filters for ZDI-CAN-25373<\/span><\/p>\n

The following protections have been available to Trend Micro customers:<\/p>\n

Trend Vision One\u2122 \u2013 Network Security<\/b><\/p>\n