Windows MSHTML zero-day used in malware attacks for over a year

Microsoft has fixed a zero-day vulnerability in Windows that had been actively exploited for 18 months in attacks to execute malicious scripts while bypassing built-in security features.

The flaw, known as CVE-2024-38112, is a high-severity MHTML spoofing issue that was fixed with the July 2024 Patch Tuesday security updates.

Haifei Li of Check Point Research discovered the vulnerability and reported it to Microsoft in May 2024.

However, in a report by Li, the researcher reports that they discovered samples exploiting this flaw as early as January 2023.

Internet Explorer is gone, but not really

Haifei Li discovered that attackers distribute Windows Internet Shortcut Files (.url) to imitate legitimate-looking files, such as PDFs. However, these files download and launch HTA files to install password-stealing malware.

An Internet Shortcut File is simply a text file that contains various configuration settings, such as which icon to display, which link to open when double-clicked, and other information. When saved as a .url file and double-clicked, Windows will open the configured URL in the default web browser.

However, the malicious actors discovered that they could force Internet Explorer to open the specified URL by exploiting the mhtml: URI handler in the URL directive as shown below.

Contents of the URL file
Source: Check Point

MHTML is a “MIME Encapsulation of Aggregate HTML Documents” file, a technology introduced in Internet Explorer that aggregates an entire web page, including its images, into a single archive.

When the URL is started with the mhtml: URI, Windows automatically starts this in Internet Explorer instead of the default browser.

According to vulnerability researcher Will Dormann, opening a web page in Internet Explorer offers additional advantages for cybercriminals, as there are fewer security warnings when downloading malicious files.

“First, IE allows you to download an .HTA file from the internet without warning,” Dormann explains on Mastodon.

“Then, once downloaded, the .HTA file will be located in the INetCache directory, but it will NOT explicitly have a MotW. At this point, the only protection the user has is a warning that “a website” wants to open web content using a program on the computer.”

“Without saying which website it is. If the user thinks he trusts “this” website, then the code execution takes place.”

In fact, the attackers are taking advantage of the fact that Internet Explorer is still included by default in Windows 10 and Windows 11.

Even though Microsoft announced the browser was being discontinued about two years ago and Edge would replace all of its features, the outdated browser can still be invoked and abused for malicious purposes.

According to Check Point, the attackers create Internet shortcut files with icon indexes so that they are displayed as links to a PDF file.

When you click this, the specified web page will open in Internet Explorer. Internet Explorer will automatically attempt to download a file that looks like a PDF file, but is actually an HTA file.

Internet Explorer downloads an HTA file that has been spoofed as a PDF
Source: Check Point

However, malicious actors can hide the HTA extension and make it appear as if a PDF is being downloaded by padding the file name with Unicode characters. The .hta extension will not be displayed, as shown below.

HTA file with Unicode character padding to hide the .hta extension
Source: BleepingComputer

When Internet Explorer downloads the HTA file, it will ask if you want to save or open it. If a user decides to open the file, thinking it is a PDF because it does not contain the Mark of the Web, it will open with only a generic warning about opening the content of a website.

Windows warning when Internet Explorer starts HTA file
Source: BleepingComputer

Since the target expects to download a PDF, the user can trust this warning and allow the file to be executed.

Check Point Research told BleepingComputer that if the HTA file were executed, the password-stealing malware Atlantida Stealer would be installed on the computer.

Once executed, the malware steals all browser credentials, cookies, browsing history, cryptocurrency wallets, Steam login details, and other sensitive data.

Microsoft has fixed the vulnerability CVE-2024-38112 by deregistering the mhtml: Internet Explorer URI, so it will now open in Microsoft Edge.

CVE-2024-38112 is similar to CVE-2021-40444, a zero-day vulnerability exploiting MHTML that North Korean hackers used to attack security researchers in 2021.

Leave a Comment