Threat actors had been exploiting a zero-day vulnerability in Windows for more than a year, using it to push malware onto users' machines before it was patched. The vulnerability affected both Windows 10 and 11 and caused devices to open Internet Explorer, the outdated browser Microsoft retired in 2022 because of its long record of exploitable flaws.
The malicious code that exploited this vulnerability was first detected in January 2023 and was still circulating as recently as May 2024. Researchers at security firm Check Point reported the vulnerability to Microsoft, which fixed it in the July 2024 release of its monthly Patch Tuesday updates. The vulnerability, tracked as CVE-2024-38112, carried a severity rating of 7.0 out of 10 and resided in the MSHTML engine of Windows.
The attack code used novel tricks to lure Windows users into executing remote code. The lure was a Windows Internet Shortcut (.url) file whose name ended in .pdf before the appended .url extension, so it looked like a harmless document. The shortcut referenced msedge.exe (to borrow its icon) and so appeared to be something Edge would open, but the URL stored inside it began with the mhtml: prefix, a scheme Windows still routed to Internet Explorer rather than to the default browser.
Once in Internet Explorer, users were presented with a dialog box asking whether they wanted to open the file. If they clicked "open", a second dialog box appeared, vaguely stating that content would be opened on the device. Clicking "allow" loaded a file with a .hta extension, an HTML Application whose embedded script Internet Explorer then executed.
The ultimate goal of these attacks was to deceive users into thinking they were opening a PDF file while actually downloading and executing a dangerous application. The attackers used the mhtml: trick to hand the link to IE instead of more secure browsers such as Chrome or Edge, and a second, IE-specific trick to disguise the .hta file as a PDF: the file name showed a .pdf suffix while the real .hta extension was pushed out of view in IE's open-file dialog.
Check Point published cryptographic hashes for six malicious .url files used in this campaign, allowing Windows users to check whether any of them are present on their systems. Those hashes match only the six known files; a variant with a different target URL produces a different hash, so a more durable check is to look for .url files whose URL field starts with mhtml: and to install the July 2024 update that fixes CVE-2024-38112. Users and administrators should keep systems current with security patches, and understanding the tactics used here helps in recognising similar lures in the future.