Threat Research

Zero-day Tricks in Internet Shortcut File Used by Threat Actors to Lure Victims (CVE-2024-38112)

Checkpoint

Threat actors are leveraging Windows Internet Shortcut files (.url) to force IE to open attacker-controlled URLs, hiding an .hta payload and aiming for remote code execution on Windows 10/11. Check Point Research notes the use of an “mhtml” trick and IE-specific prompts; a Microsoft patch for CVE-2024-38112 mitigates these techniques. #CVE-2024-38112 #InternetShortcut #MHTMLTrick #HTA #InternetExplorer #cbmelipilla.cl #Windows10 #Windows11

Keypoints

  • Threat actors use malicious .url shortcut files as an initial attack vector to lure Windows users toward remote code execution.
  • The attack relies on an “mhtml” trick to have Internet Explorer (IE) open an attacker-controlled URL instead of a modern browser.
  • The .url file appears to point to a PDF, but the real target is a malicious .hta file downloaded via IE.
  • IE’s dialog prompts and “Protected Mode” help bypass user suspicion, enabling continued exploitation if the user proceeds.
  • The technique could yield remote code execution, especially if an IE zero-day exploit exists, though samples analyzed did not show an IE RCE exploit.
  • Microsoft released CVE-2024-38112; users are urged to patch and be wary of .url files from untrusted sources.
  • Defense guidance includes proactive protections (e.g., IPS signatures) and vigilance against .url files; Check Point Research continues monitoring.

MITRE Techniques

  • [T1204.002] User Execution – Malicious File – The victim double-clicks a .url shortcut, triggering IE to open an attacker-controlled URL; “the victim will get this: IE and a promote window dialog appear when the victim double-clicks on the .url file”
  • [T1218.005] Mshta – HTML Application (HTA) Execution – The downloaded file is executed as a malicious .hta; “the ‘opened’ file is actually a malicious .hta file being downloaded and executed.”
  • [T1036] Masquerading – File extension/appearance deception – The .url file is presented to look like a PDF link to lure the user; “the malicious .url file appears as a link to a PDF file on Windows 11”
  • [T1203] Exploitation for Client Execution – Exploiting client software (IE) to enable code execution – The attacker could gain remote code execution via an IE zero-day exploit; “If the attacker has an IE zero-day exploit … the attacker could attack the victim to gain remote code execution immediately.”

Indicators of Compromise

  • [URL] attacker-controlled landing URL – http://cbmelipilla.cl/te/test1.html, https://cbmelipilla.cl/te/Books_A0UJKO.pdf%E2%A0%80%E2%A0%80…hta
  • [Domain] cbmelipilla.cl – Domain hosting attacker pages referenced in the .url file
  • [File hash] sample .url artifacts (ITW) – bd710ee53ef3ad872f3f0678117050608a8e073c87045a06a86fb4a7f0e4eff0, b16aee58b7dfaf2a612144e2c993e29dcbd59d8c20e0fd0ab75b76dd9170e104, and 6 more hashes

Read more: https://www.hendryadrian.com/zero-day-tricks-in-internet-shortcut-file-used-by-threat-actors-to-lure-victims-cve-2024-38112/