Microsoft has fixed a zero-day Windows vulnerability that had been actively exploited in attacks for 18 months to launch malicious scripts while circumventing built-in security features.
The flaw, tracked as CVE-2024-38112, is a major MHTML spoofing issue that was fixed in the July 2024 Patch Tuesday security updates.
Haifei Li of Check Point Research discovered the vulnerability and disclosed it to Microsoft in May 2024.
However, in Li's report, the researchers note that they have found samples exploiting this flaw dating back to January 2023.
Internet Explorer is gone, but not really gone
Haifei Li found that threat actors are distributing Windows Internet Shortcut files (.url) disguised as legitimate files, such as PDFs, which then download and launch HTA files to install password-stealing malware.
An Internet Shortcut file is a text file containing various configuration settings, such as which icon to display and which link to open when it is double-clicked. If it is saved with a .url extension and double-clicked, Windows opens the configured URL in the default web browser.
However, threat actors discovered that they can force Internet Explorer to open specific URLs by using the mhtml: URI handler in the shortcut's URL directive, as shown below.
MHTML is a “MIME Encapsulation of Aggregate HTML Documents” file, a technology introduced in Internet Explorer that encapsulates an entire webpage, including images, into a single archive.
If the URL is an mhtml: URI, Windows automatically launches Internet Explorer instead of the default browser.
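To make the mechanism described above concrete from a triage standpoint, the following Python script is an added illustration (it is not part of the original article or of Check Point's report). It parses the INI-style [InternetShortcut] section of a .url file and flags a URL directive that uses the mhtml: scheme, which is what causes Windows to hand the link to Internet Explorer. The two sample shortcut files, the example.invalid hostnames and the icon path are constructed for the example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample .url contents (not taken from the campaign in the article).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/report.pdf
IconIndex=0
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/landing
IconFile=C:\\Program Files\\SomePdfReader\\reader.exe
IconIndex=1
"""


def parse_internet_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] section of a .url file as a plain dict.

    .url files are INI-style text. Interpolation is disabled so a '%' in the
    URL is not treated specially, and '=' is the only key/value delimiter so the
    ':' inside a URL is never mistaken for one.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case as written (URL, IconFile, IconIndex)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut: missing [InternetShortcut] section")
    return dict(parser["InternetShortcut"])


def triage_internet_shortcut(text: str) -> dict:
    """Report the URL scheme, icon settings and findings for one .url file."""
    fields = parse_internet_shortcut(text)
    url = fields.get("URL", "").strip()
    scheme = urlsplit(url).scheme.lower()  # urlsplit lower-cases the scheme
    findings = []
    if scheme == "mhtml":
        findings.append("mhtml: URI forces the link to open in Internet Explorer "
                        "instead of the default browser")
    elif scheme not in ("http", "https", ""):
        findings.append(f"unusual URI scheme '{scheme}:'")
    if "IconFile" in fields:
        # A custom icon is legitimate on its own; it is reported so an analyst can
        # check whether it impersonates a document type such as PDF.
        findings.append(f"custom icon: {fields['IconFile']} "
                        f"(index {fields.get('IconIndex', '0')})")
    return {"url": url, "scheme": scheme, "findings": findings,
            "suspicious": scheme == "mhtml"}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        result = triage_internet_shortcut(sample)
        print(label, result["scheme"], result["suspicious"], result["findings"])
```

The same function can be pointed at real shortcut files by reading them as text; the scheme check is the meaningful signal, while the icon fields are informational.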
According to vulnerability researcher Will Dormann, opening web pages in Internet Explorer gives threat actors an added benefit, as it results in fewer security warnings when downloading malicious files.
“First, IE allows .HTA files to be downloaded from the Internet without warning you,” Dormann explained on Mastodon.
“Then, once downloaded, the .HTA file is stored in the INetCache directory, but without an explicit MotW. At this point, the only protection the user has is a warning that a ‘website’ is trying to open web content using a program on their computer.”
“If the user believes they trust ‘this’ website, without saying which website, the code will be executed.”
Essentially, the threat actors are taking advantage of the fact that Windows 10 and Windows 11 still include Internet Explorer by default.
Although Microsoft announced its retirement about two years ago and Edge has replaced it for all practical purposes, the outdated browser can still be invoked and abused for malicious purposes.
According to Check Point, the threat actors create Internet Shortcut files whose icon indexes make them appear to be links to PDF files.
When clicked, the specified web page opens in Internet Explorer and automatically attempts to download a file that appears to be a PDF but is actually an HTA file.
The threat actors also hide the HTA extension, making it appear as if a PDF is being downloaded, by embedding Unicode characters in the filename that conceal the .hta extension, as shown below.
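The following Python helper is an added example (not from the article or from Check Point's research) of how a defender can check a downloaded filename for the kind of extension hiding described above. The article does not say which Unicode characters the campaign used; this script assumes the commonly abused bidirectional format controls and other format characters, approximates how a bidi-aware UI would render the name, and compares the extension the user would read with the one Windows actually uses. The sample filenames are constructed.

```python
import os
import unicodedata

# Extensions Windows treats as active content; a file with one of these that is
# displayed as a document is the pattern the article describes (.hta shown as .pdf).
ACTIVE_CONTENT_EXTS = {".hta", ".exe", ".js", ".jse", ".vbs", ".wsf", ".scr", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is displayed reversed
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: ends the override


def hidden_characters(name: str) -> list:
    """List (index, code point, name) of format/control characters in a filename.

    Assumption: legitimate filenames do not contain Unicode format (Cf) or
    control (Cc) characters, so any occurrence is worth a closer look.
    """
    found = []
    for i, ch in enumerate(name):
        if unicodedata.category(ch) in ("Cf", "Cc"):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found


def rendered_form(name: str) -> str:
    """Approximate what a user sees: a span after RLO (up to PDF or end of string)
    is shown reversed, and all other format characters are invisible.
    This is a deliberate simplification of the Unicode bidi algorithm."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = name.find(PDF, i + 1)
            if j == -1:
                j = len(name)
            out.append(name[i + 1:j][::-1])
            i = j + 1
            continue
        if unicodedata.category(ch) != "Cf":
            out.append(ch)
        i += 1
    return "".join(out)


def inspect_filename(name: str) -> dict:
    """Compare the real extension with the one a user would read off the screen."""
    real_ext = os.path.splitext(name)[1].lower()
    shown = rendered_form(name)
    shown_stem, shown_ext = os.path.splitext(shown)
    shown_ext = shown_ext.lower()
    hidden = hidden_characters(name)
    # A double extension such as "report.pdf.hta" has no hidden characters but
    # still presents active content as a document.
    decoy_double_ext = (real_ext in ACTIVE_CONTENT_EXTS
                        and any(shown_stem.lower().endswith(d) for d in DOCUMENT_EXTS))
    suspicious = bool(hidden) or shown_ext != real_ext or decoy_double_ext
    return {"real_extension": real_ext, "apparent_extension": shown_ext,
            "rendered_name": shown, "hidden_characters": hidden,
            "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed samples: one RLO-disguised HTA, one double extension, one clean PDF.
    for sample in ("Report" + RLO + "fdp.hta", "invoice.pdf.hta", "Quarterly Report.pdf"):
        print(repr(sample), inspect_filename(sample))
```

The useful signal is the disagreement between `real_extension` and `apparent_extension`: the first is what the shell will execute, the second is what the user believed they were opening.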
When Internet Explorer downloads the HTA file, it asks whether to save or open it. If the user opens it believing it is a PDF, they see only a generic warning that content is being opened from a website, because the file does not carry the Mark of the Web.
Because the target expects to download a PDF, the user trusts the alert and allows the file to run.
Check Point Research found that if the HTA file is allowed to run, it installs the Atlantida Stealer password-stealing malware on the computer.
Once executed, the malware steals all credentials stored in the browsers, along with cookies, browser history, cryptocurrency wallets, Steam credentials, and other sensitive data.
Microsoft has fixed the CVE-2024-38112 vulnerability so that mhtml: URIs are no longer handled by Internet Explorer and now open in Microsoft Edge instead.
CVE-2024-38112 is similar to CVE-2021-40444, an MHTML zero-day vulnerability that North Korean hackers exploited in attacks targeting security researchers in 2021.