Exploiting Windows Shortcut (lnk) Zero-Day Vulnerabilities: ZDI-CAN-25373 Analysis


Source: Trend Micro Report on Windows Shortcut Zero-Day Exploit

You Should Know: How Attackers Abuse .lnk Files

Windows Shortcut (.lnk) files are a long-standing malware delivery vector because opening one runs whatever target and command-line arguments it carries. ZDI-CAN-25373, reported by Trend Micro's Zero Day Initiative, is a UI-misrepresentation flaw rather than a memory-safety bug: the shortcut's arguments are padded with whitespace characters (spaces, tabs, line feeds and similar), so the Explorer Properties dialog displays only the harmless-looking target while the padded arguments still execute when the shortcut is opened. Security tools and users who judge a shortcut by what the dialog shows are therefore bypassed.

Proof of Concept (PoC) Exploitation Steps

1. Crafting a Malicious .lnk File

  • msfvenom has no `.lnk` output format (its `-f` list covers exe, dll, psh, vbs, hta-psh and similar, not lnk), so shortcuts are built directly, for example through the WScript.Shell COM object from PowerShell:
    $s = (New-Object -ComObject WScript.Shell).CreateShortcut("$PWD\malicious.lnk")
    $s.TargetPath = "C:\Windows\System32\cmd.exe"; $s.Arguments = "/c calc.exe"; $s.Save()
    
  • The `.lnk` file points to a malicious target while its name and icon mimic a legitimate document (e.g. Invoice.pdf.lnk with a PDF icon). In the ZDI-CAN-25373 variant the `Arguments` value is prefixed with a long run of whitespace, so the Target box in the Properties dialog shows only the benign path and none of the arguments.

2. Exploiting via Phishing or Removable Drives

  • Attackers distribute `.lnk` files via:
    – Phishing emails (e.g. “Invoice.lnk”); Outlook blocks bare .lnk attachments, so they usually arrive inside an archive or ISO image
    – USB drives, where the shortcut is named and iconed to look like a folder or document; AutoRun for removable drives has been disabled by default since Windows 7, so the victim has to open it

3. Bypassing Detection

  • AV engines that only inspect a shortcut's target path miss the payload, which lives in the arguments (typically a cmd.exe, powershell.exe or mshta.exe one-liner that fetches the real payload at run time).
  • Attackers also hide the arguments from human review: the ZDI-CAN-25373 whitespace padding keeps them out of the Properties dialog, Explorer never shows the `.lnk` extension (so Invoice.pdf.lnk displays as Invoice.pdf even with extension hiding turned off), and Unicode tricks such as right-to-left override characters disguise the file name.

Detection & Mitigation Commands

Windows (PowerShell) – List .lnk Files for Review

# -Include .lnk matches nothing (no wildcard); -Filter *.lnk is also faster.
# LastWriteTime is more reliable than LastAccessTime, which NTFS often does not update.
Get-ChildItem -Path C:\ -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

Linux (Using `file` and `exiftool` for Analysis)

file suspicious_file.lnk      # Check file type (reports "MS Windows shortcut")
exiftool suspicious_file.lnk  # Extract metadata, including target path and command-line arguments
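Beyond `file` and `exiftool`, the definitive way to see what a shortcut will run is to decode its StringData fields directly. The block below is an added example, not code from the original page or from Trend Micro's report: it builds a minimal `.lnk` following the field layout of Microsoft's open MS-SHLLINK specification (a constructed sample whose harmless target is `cmd.exe /c calc.exe` hidden behind 900 spaces), then parses it back and measures the whitespace padding that ZDI-CAN-25373 relies on. It serves both the "Crafting a Malicious .lnk File" step above and this analysis section. `PAD_THRESHOLD` and the cp1252 code page assumed for non-Unicode strings are our own assumptions.

```python
"""Build and inspect minimal Windows Shell Link (.lnk) files.

Added example, not from the original page or the Trend Micro report.
Field layout follows Microsoft's open MS-SHLLINK specification. The
sample shortcut built below is constructed for this example: it targets
cmd.exe /c calc.exe (a harmless test payload) behind 900 spaces, the
kind of whitespace padding ZDI-CAN-25373 relies on. PAD_THRESHOLD and
the cp1252 code page for non-Unicode strings are assumptions.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections follow the header (and optional IDList/LinkInfo) in this fixed order.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)
PAD_CHARS = " \t\n\x0b\x0c\r"  # whitespace that renders as blank in the Properties dialog
PAD_THRESHOLD = 16             # assumption: no genuine shortcut leads its arguments with this much blank


def _encode(s, unicode_flag):
    """CountCharacters (uint16) followed by the string, UTF-16LE when IsUnicode is set."""
    return struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode_flag else s.encode("cp1252"))


def build_lnk(relative_path, arguments, working_dir="", unicode_flag=True):
    """Return bytes of a minimal .lnk: ShellLinkHeader + StringData + TerminalBlock."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if working_dir:
        flags |= HAS_WORKING_DIR
    if unicode_flag:
        flags |= IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIMEs,
    # FileSize, IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1/2/3 -> 76 bytes
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = _encode(relative_path, unicode_flag)
    if working_dir:
        body += _encode(working_dir, unicode_flag)
    body += _encode(arguments, unicode_flag)
    return header + body + struct.pack("<I", 0)  # TerminalBlock (size < 4) ends ExtraData


def parse_lnk(data):
    """Parse the header and StringData; IDList and LinkInfo are skipped via their size fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    unicode_flag = bool(flags & IS_UNICODE)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {"unicode": unicode_flag}
    width = 2 if unicode_flag else 1
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if unicode_flag else "cp1252", errors="replace")
    return fields


def analyse_arguments(arguments):
    """Measure padding: leading blank run, control whitespace anywhere, and what really runs."""
    leading = len(arguments) - len(arguments.lstrip(PAD_CHARS))
    control = sum(arguments.count(c) for c in PAD_CHARS if c != " ")
    return {
        "leading_padding": leading,
        "control_chars": control,
        "effective_arguments": arguments.strip(PAD_CHARS),
        "suspicious": leading >= PAD_THRESHOLD or control > 0,
    }


def inspect_lnk(data):
    """One-call triage: parsed fields plus the padding verdict on COMMAND_LINE_ARGUMENTS."""
    fields = parse_lnk(data)
    return {**fields, **analyse_arguments(fields.get("arguments", ""))}


if __name__ == "__main__":
    sample = build_lnk("..\\Windows\\System32\\cmd.exe", " " * 900 + "/c calc.exe",
                       working_dir="C:\\Windows\\System32")
    for key, value in inspect_lnk(sample).items():
        print(f"{key:20} {value!r:.70}")
```

Run it against a real shortcut with `inspect_lnk(open(path, "rb").read())`; the LinkTargetIDList and LinkInfo that real shortcuts carry are skipped by their size fields, so only the StringData is decoded. The shortcut `build_lnk` produces carries no IDList, so treat it as a parser fixture rather than a shortcut Explorer is expected to resolve.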

YARA Rule to Detect Malicious .lnk Files

rule Malicious_LNK_File {
    strings:
        $lnk_header = { 4C 00 00 00 01 14 02 00 }   // HeaderSize 0x4C followed by the start of the Shell Link CLSID
        $cmd_exec = "cmd.exe" ascii wide nocase      // StringData is UTF-16LE when IsUnicode is set, hence 'wide'
        $pad = /[ \t\r\n\x0b\x0c]{32,}/ ascii wide   // long whitespace run: the ZDI-CAN-25373 argument padding
    condition:
        $lnk_header at 0 and ($cmd_exec or $pad)
}

Mitigation Steps

1. Disable AutoRun for Removable Drives

# 0xFF disables AutoRun for every drive type; since Windows 7 it is already off for removable drives by default
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -Value 255 -Type DWord

2. Enable Attack Surface Reduction (ASR) Rules

# BE9BA2D9-... = "Block executable content from email client and webmail"; B2B3F03D-... = "Block untrusted and
# unsigned processes that run from USB". Add-MpPreference appends to the rule list; Set-MpPreference would replace it.
Add-MpPreference -AttackSurfaceReductionRules_Ids "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550","B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4" -AttackSurfaceReductionRules_Actions Enabled,Enabled

3. Monitor Process Creation from .lnk Files

# Requires "Audit Process Creation" plus "Include command line in process creation events" (Sysmon Event ID 1
# records the same fields without that policy). -like needs wildcards; a shortcut opened from Explorer has
# explorer.exe as the creator process.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $_.Message -like "*cmd.exe*" -and $_.Message -like "*explorer.exe*" }

What Undercode Say

Microsoft declined to issue an immediate fix for ZDI-CAN-25373, so enterprises have to mitigate on their own. The exploit demonstrates how attackers use .lnk files for initial access. Security teams must:
– Audit .lnk files in critical directories.
– Restrict PowerShell & CMD execution via GPO.
– Deploy behavioral detection (e.g., Sysmon logging).

Expected Output:

  • A malicious.lnk file that runs `calc.exe` as a harmless test payload.
  • Sysmon (Event ID 1) or Security 4688 entries showing the process the shortcut launched, with explorer.exe as the parent.
  • AutoRun disabled for all drive types by the NoDriveTypeAutoRun policy value.

Stay vigilant—.lnk exploits remain a silent killer in Windows environments.

References:

Reported By: Graham Gold – Hackers Feeds