Windows Zero-Day Vulnerability in LNK Display Exploited Against Diplomats
Microsoft considers a vulnerability in LNK display unfixable. It has since been exploited against European diplomats.
A zero-day vulnerability in the way Windows displays LNK files became known at the end of August this year. Microsoft currently plans no fix and does not classify it as highly risky, unlike Trend Micro's Zero Day Initiative (ZDI). The IT security company Arctic Wolf has now observed attacks against European diplomats that exploit this vulnerability.
In an analysis by Arctic Wolf, the IT researchers write that the China-linked cyber group UNC6384 has carried out an active espionage campaign against European diplomats and diplomatic institutions in countries such as Belgium, Italy, the Netherlands, Serbia, and Hungary, as well as the broader European diplomatic community. The campaign exploits the LNK display vulnerability in Windows and ran in September and October of this year. Additionally, the attackers employ customized social engineering.
The attack chain begins with spearphishing emails containing a URL that represents the first of several stages. Ultimately, it leads to the delivery of a malicious LNK file, which is named after topics related to EU Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events.
LNK files lead to malware installation
“These files exploit the recently disclosed Windows security vulnerability to execute obfuscated PowerShell commands. These unpack and distribute a multi-stage malware chain, which ultimately leads to the distribution of the PlugX remote access trojan (RAT) through DLL side-loading of legitimate, signed Canon printer helper utilities,” explain the IT researchers from Arctic Wolf.
Because Microsoft does not consider the vulnerability fixable, no patch is available as a countermeasure, even though it is actively being exploited in criminal attacks. Arctic Wolf recommends, among other things, blocking and restricting the use of .lnk files from questionable sources; disabling automatic resolution of LNK files in Windows Explorer serves this purpose and should be implemented on all Windows endpoints. However, Arctic Wolf does not elaborate on how this is most easily done or whether a group policy exists for it.
The IT researchers also mention some indicators of compromise (IOCs) that administrators can search for. These include some URLs of the command-and-control infrastructure. Furthermore, searching for Canon printer helper utilities, specifically the file “cnmpaui.exe,” in unusual locations such as user AppData directories can provide clues.
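One way to act on that last hint, as an added example that is not part of the Arctic Wolf report or the heise article: a PowerShell hunt that searches every user's AppData tree for cnmpaui.exe, records hash and Authenticode status, and lists unsigned DLLs sitting next to it, since a signed executable in a user-writable directory with unsigned DLLs beside it is the shape DLL side-loading takes. The search root, the output fields and the treatment of any DLL as a candidate are assumptions for illustration.

```powershell
# Added hunt example (not from Arctic Wolf or heise): locate the Canon helper binary
# named in the IOCs under user AppData directories and report what is loaded beside it.
# Search root and output format are assumptions; adjust to local conventions.

$TargetName  = 'cnmpaui.exe'
$UsersRoot   = Join-Path $env:SystemDrive 'Users'
$SearchRoots = Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'AppData' }

$Findings = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter $TargetName -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = $_
            $sig = Get-AuthenticodeSignature -FilePath $exe.FullName

            # Any DLL next to a legitimately signed exe in a user-writable folder is a
            # side-loading candidate; record each one with its own signature status.
            $siblingDlls = Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $dsig = Get-AuthenticodeSignature -FilePath $_.FullName
                    [pscustomobject]@{
                        Name   = $_.Name
                        Signed = ($dsig.Status -eq 'Valid')
                    }
                }

            [pscustomobject]@{
                Path         = $exe.FullName
                SHA256       = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
                ExeSigned    = ($sig.Status -eq 'Valid')
                ExeSigner    = $sig.SignerCertificate.Subject
                UnsignedDlls = (($siblingDlls | Where-Object { -not $_.Signed } |
                                 Select-Object -ExpandProperty Name) -join ', ')
                LastWrite    = $exe.LastWriteTime
            }
        }
}

if ($Findings) {
    $Findings | Format-List
} else {
    Write-Output "No $TargetName found under $UsersRoot\*\AppData."
}
```

The hash and path of each hit can then be compared against the IOCs Arctic Wolf published; a hit with a valid Canon signature but unsigned neighbouring DLLs warrants collecting the directory before remediation.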
The exploitation of the vulnerability in the wild may lead Microsoft to revise its initial assessment. The company could then close the security gap and fulfill its stated promise to make IT security its highest priority. Currently, however, it looks more like "security theater."
Microsoft responded to this threat with a statement: "We appreciate the work of the research community in sharing their findings. Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet. As a security best practice, we strongly encourage customers to heed security warnings and avoid opening files from unknown sources," said a Microsoft spokesperson.
(dmk)