Microsoft isn’t fixing 8-year-old zero day used for spying • The Register

03/18/2025


An exploitation avenue found by Trend Micro has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.

The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch malicious payloads.

Ordinarily, the shortcut’s target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend’s Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight.
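As an added illustration (not code from the article or from Trend Micro's report), the following Python walks the StringData section of a Shell Link file using the documented MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS field whose real content sits behind a long whitespace run. The 64-character threshold, the `build_lnk` helper and the sample shortcut it constructs are assumptions for demonstration; the parser itself only follows the published format.

```python
import re
import struct

# Shell Link (MS-SHLLINK) constants: fixed 76-byte header, link CLSID, LinkFlags bits.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]  # StringData order per spec
WS_RUN = re.compile(r"[ \t\r\n\x0b\x0c]+")  # space, tab, CR, LF, VT, FF

def _read_string(data, pos, is_unicode):
    """StringData entry: 16-bit CountCharacters followed by the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    size = 2 * count if is_unicode else count
    text = data[pos:pos + size].decode("utf-16-le" if is_unicode else "latin-1")
    return text, pos + size

def lnk_string_data(data):
    """Parse a .LNK blob and return its StringData fields as a dict."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList (16-bit size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its size is its first dword)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FLAGS:
        if flags & bit:
            fields[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return fields

def scan_lnk(data, threshold=64):
    """Flag COMMAND_LINE_ARGUMENTS that hide text behind a whitespace run longer than
    threshold (an assumed cut-off; ordinary shortcuts do not pad their arguments)."""
    args = lnk_string_data(data).get("arguments", "")
    longest = max(WS_RUN.finditer(args), key=lambda m: m.end() - m.start(), default=None)
    padding = longest.end() - longest.start() if longest else 0
    if padding <= threshold:
        return {"suspicious": False, "padding": padding, "hidden": ""}
    return {"suspicious": True, "padding": padding, "hidden": args[longest.end():].strip()}

def build_lnk(relative_path, arguments):
    """Constructed minimal Unicode .LNK with only RELATIVE_PATH and arguments (test input only)."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0) + b"\x00" * 10  # ShowCommand=1, 10 reserved bytes
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)

if __name__ == "__main__":
    sample = build_lnk("..\\report.pdf", " " * 4000 + "/c echo hidden")  # constructed sample
    print(scan_lnk(sample))  # {'suspicious': True, 'padding': 4000, 'hidden': '/c echo hidden'}
```

Pointing `scan_lnk` at shortcuts harvested from mail gateways or user download folders gives a cheap triage signal that the Explorer properties dialog does not.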

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher.

“This is one of many bugs that the attackers are using, but this is one that is not patched and that’s why we reported it as a zero day,” Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register.

“We told Microsoft but they consider it a UI issue, not a security issue. So it doesn’t meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.”

After scanning attack patterns, the security shop said it found the vast majority of cases from state-sponsored attackers (around 70 percent) were using this for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.

You can read its full report on the Windows Shortcut Exploit here.

Unsurprisingly, government targets were the most popular, followed by the private sector, and then financial institutions, think tanks, and telecommunications companies. Military and energy targets were the next most popular.

Trend said that it had decided to go public with the issue after Microsoft refused to consider the attack vector a security risk. Clicking on a dodgy .LNK file would only grant an attacker local code execution, Childs pointed out, but chain it with a privilege escalation flaw – and there’s no shortage of those – and the system can be compromised relatively easily.

“We consider that a security thing. Again, not a critical security thing, but certainly worth addressing through a security update,” Childs opined.

“I think part of the reason is, I think the technical fix may be incredibly difficult, and it might be more than what can just be done in a security update. So that may be part of their reasoning behind it, as well, why they’re pushing back so vehemently on fixing it with a patch.”

A Microsoft spokesperson echoed what it told ZDI about approaching the problem as a UI issue, telling The Reg: “While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.”

They added that the Windows-maker appreciated “the work of ZDI in submitting this report under a coordinated vulnerability disclosure.”

The spokesperson added: “As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files.” ®
