Getty Images
Researchers said Tuesday that threat actors had been using the malware to launch zero-day attacks against Windows users for more than a year before Microsoft patched the vulnerability.
The vulnerability exists in both Windows 10 and 11 and causes the device to open Internet Explorer, the legacy browser provided by Microsoft. Obsolete In 2022, Windows ended support for the browser because its aging codebase had made it more vulnerable to exploits. The change made it difficult, and in some cases impossible, for Windows to open the browser, which was first introduced in the mid-1990s, in normal operation.
Old tricks and new tricks
According to the researchers who discovered and reported the vulnerability to Microsoft, malicious code exploiting the vulnerability dates back to at least January 2023 and was in the wild as early as May of this year. Repaired The vulnerability, tracked as CVE-2024-CVE-38112, was disclosed on Tuesday as part of the company’s Patch Tuesday program. The vulnerability, which is in the Windows MSHTML engine, has a severity rating of 7.0 out of 10.
Researchers at security firm Check Point said the exploit employed “a new (or previously unknown) trick to lure Windows users into remote code execution.” The links that supposedly open PDF files added a .url extension to the end of the file. For example, one file had the extension Books_A0UJKO.pdf.url. Malicious Code Samples.
When viewed in Windows, the file displayed an icon indicating it was a PDF file rather than a .url file, which are files designed to open with the application specified in the link.
Checkpoint
The link within the file calls msedge.exe, the file that runs Edge. However, the link incorporates two attributes (mhtml: and !x-usc:), an “old trick” that threat actors have used for years to open applications like MS Word on Windows. It also contained a link to a malicious website. When clicked, the .url file, disguised as a PDF, opens the site in Internet Explorer instead of Edge.
“From there (where the website opens in IE), an attacker can do a lot of bad things since IE is insecure and outdated,” wrote Haifei Li, the Check Point researcher who discovered the vulnerability. “For example, if an attacker has a zero-day exploit for IE (which is much easier to find compared to Chrome/Edge), they can hit the victim and perform remote code execution right away. However, in the samples we analyzed, the threat actors did not use an IE remote code execution exploit. Instead, they used a different trick for IE, which to our knowledge was probably not publicly known before, to trick the victim into performing remote code execution.”
IE will then display a dialog box to the user, asking if they want to open the file disguised as a PDF.[開く]If you click, Windows will display a second dialog box with a vague notification that continuing will open the content on your Windows device.[許可]When clicked, IE loads any file ending in .hta, which causes Windows to open the file in Internet Explorer and execute the embedded code.
Checkpoint
Checkpoint
“To summarize the attacks from an exploitation standpoint, the first technique used in these campaigns is the ‘mhtml’ trick, which allows the attackers to invoke IE instead of the more secure Chrome/Edge,” Li wrote. “The second technique is an IE trick that tricks the victim into believing they’re opening a PDF file, but they’re actually downloading and running a dangerous .hta application. The overall goal of these attacks is to trick the victim into believing they’re opening a PDF file, and using these two tricks allows them to do just that.”
Check Point’s post includes cryptographic hashes of the six malicious .url files used in the campaign: Windows users can use the hashes to check if they’ve been targeted.
