Windows MSHTML zero-day used in malware attacks for over a year

Share:

Microsoft fixed a Windows zero-day vulnerability that has been actively exploited in attacks for eighteen months to launch malicious scripts while bypassing built-in security features.

The flaw, tracked as CVE-2024-38112, is a high-severity MHTML spoofing issue fixed during the July 2024 Patch Tuesday security updates.

Haifei Li of Check Point Research discovered the vulnerability and disclosed it to Microsoft in May 2024.

However, in a report by Li, the researcher notes that they have discovered samples exploiting this flaw as far back as January 2023.

Internet Explorer is gone, but not really

Haifei Li discovered that threat actors have been distributing Windows Internet Shortcut Files (.url) to spoof legitimate-looking files, such as PDFs, but that download and launch HTA files to install password-stealing malware.

An Internet Shortcut File is simply a text file that contains various configuration settings, such as what icon to show, what link to open when double-clicked, and other information. When saved as a .url file and double-clicked, Windows will open the configured URL in the default web browser.

However, the threat actors discovered that they could force Internet Explorer to open the specified URL by using the mhtml: URI handler in the URL directive, as shown below.

MHTML is a ‘MIME Encapsulation of Aggregate HTML Documents’ file, a technology introduced in Internet Explorer that encapsulates an entire webpage, including its images, into a single archive.

When the URL is launched with the mhtml: URI, Windows automatically launches it in Internet Explorer instead of the default browser.

According to vulnerability researcher Will Dormann, opening a webpage in Internet Explorer offers additional benefits to threat actors, as there are fewer security warnings when downloading malicious files.

“First, IE will allow you to download a .HTA file from the internet without warning,” explained Dormann on Mastodon.

“Next, once it’s downloaded, the .HTA file will live in the INetCache directory, but it will NOT explicitly have a MotW. At this point, the only protection the user has is a warning that “a website” wants to open web content using a program on the computer.”

“Without saying which website it is. If the user believes that they trust “this” website, this is when code execution happens.”

Essentially, the threat actors take advantage of the fact that Internet Explorer is still included by default on Windows 10 and Windows 11.

Despite Microsoft announcing its retirement roughly two years back and Edge replacing it on all practical functions, the outdated browser can still be invoked and leveraged for malicious purposes.

Check Point says that the threat actors are creating Internet Shortcut files with icon indexes to make them appear as links to a PDF file.

When clicked, the specified web page will open in Internet Explorer, which automatically attempts to download what appears to be a PDF file but is actually an HTA file.

However, the threat actors can hide the HTA extension and make it appear like a PDF is being downloaded by padding the filename with Unicode characters so the .hta extension is not displayed, as shown below.

When Internet Explorer downloads the HTA file, it asks if you wish to save or open it. If a user decides to open the file thinking it’s a PDF, as it does not contain the Mark of the Web, it will launch with only a generic alert about the content opening from a website.

As the target expects to download a PDF, the user may trust this alert, and the file is allowed to run.

Check Point Research told BleepingComputer that allowing the HTA file to run would install the Atlantida Stealer malware password-stealing malware on the computer.

Once executed, the malware will steal all credentials stored in the browser, cookies, browser history, cryptocurrency wallets, Steam credentials, and other sensitive data.

Microsoft has fixed the CVE-2024-38112 vulnerability by unregistering the mhtml: URI from Internet Explorer, so it now opens in Microsoft Edge instead.

CVE-2024-38112 is similar to CVE-2021-40444, a zero-day vulnerability that abused MHTML that North Korean hackers leveraged to launch attacks targeting security researchers in 2021.

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
8:57 am, Feb 11, 2025
weather icon 3°C
L: 3° | H: 4°
overcast clouds
Humidity: 93 %
Pressure: 1018 mb
Wind: 5 mph NW
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 100%
Rain Chance: 0%
Visibility: 6 km
Sunrise: 7:21 am
Sunset: 5:07 pm
DailyHourly
Daily ForecastHourly Forecast
Today 9:00 pm
weather icon
3° | 4°°C 0.2 mm 20% 4 mph 95 % 1018 mb 0 mm/h
Tomorrow 9:00 pm
weather icon
2° | 7°°C 0 mm 0% 5 mph 96 % 1021 mb 0 mm/h
Thu Feb 13 9:00 pm
weather icon
3° | 7°°C 0 mm 0% 9 mph 77 % 1025 mb 0 mm/h
Fri Feb 14 9:00 pm
weather icon
2° | 6°°C 0 mm 0% 8 mph 78 % 1026 mb 0 mm/h
Sat Feb 15 9:00 pm
weather icon
1° | 5°°C 0 mm 0% 9 mph 75 % 1026 mb 0 mm/h
Today 9:00 am
weather icon
3° | 3°°C 0.2 mm 20% 4 mph 93 % 1018 mb 0 mm/h
Today 12:00 pm
weather icon
3° | 3°°C 0 mm 0% 4 mph 95 % 1018 mb 0 mm/h
Today 3:00 pm
weather icon
4° | 4°°C 0 mm 0% 4 mph 88 % 1017 mb 0 mm/h
Today 6:00 pm
weather icon
4° | 4°°C 0 mm 0% 3 mph 86 % 1018 mb 0 mm/h
Today 9:00 pm
weather icon
4° | 4°°C 0 mm 0% 3 mph 84 % 1018 mb 0 mm/h
Tomorrow 12:00 am
weather icon
4° | 4°°C 0 mm 0% 2 mph 88 % 1019 mb 0 mm/h
Tomorrow 3:00 am
weather icon
3° | 3°°C 0 mm 0% 3 mph 92 % 1018 mb 0 mm/h
Tomorrow 6:00 am
weather icon
2° | 2°°C 0 mm 0% 3 mph 96 % 1018 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€95,274.51
0.46%
Ethereum(ETH)
€2,634.57
2.66%
XRP(XRP)
€2.44
2.83%
Tether(USDT)
€0.97
0.00%
Solana(SOL)
€198.91
0.01%
USDC(USDC)
€0.97
0.00%
Dogecoin(DOGE)
€0.259064
5.69%
Shiba Inu(SHIB)
€0.000016
2.48%
Pepe(PEPE)
€0.000010
8.85%
Scroll to Top