Threat actors exploited Windows 0-day for more than a year before Microsoft fixed it

The goal of the exploits was to open Explorer and trick targets into running malicious code.

Dan Goodin – Jul 10, 2024 5:44 pm | 78

Credit: Getty Images

Tricks old and new

Malicious code that exploits the vulnerability dates back to at least January 2023 and was circulating as recently as May this year, according to the researchers who discovered the vulnerability and reported it to Microsoft. The company fixed the vulnerability, tracked as CVE-2024-CVE-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which resided in the MSHTML engine of Windows, carried a severity rating of 7.0 out of 10.

The researchers from security firm Check Point said the attack code executed “novel (or previously unknown) tricks to lure Windows users for remote code execution.” A link that appeared to open a PDF file appended a .url extension to the end of the file, for instance, Books_A0UJKO.pdf.url, found in one of the malicious code samples.

When viewed in Windows, the file showed an icon indicating the file was a PDF rather than a .url file. Such files are designed to open an application specified in a link.

Screenshot showing a file named Books_A0UJKO.pdf. The file icon indicates it's a PDF. Credit: Check Point

A link in the file made a call to msedge.exe, a file that runs Edge. The link, however, incorporated two attributes—mhtml: and !x-usc:—an “old trick” threat actors have been using for years to cause Windows to open applications such as MS Word. It also included a link to a malicious website. When clicked, the .url file disguised as a PDF opened the site, not in Edge, but in Internet Explorer.

“From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated,” Haifei Li, the Check Point researcher who discovered the vulnerability, wrote. “For example, if the attacker has an IE zero-day exploit—which is much easier to find compared to Chrome/Edge—the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE—which is probably not publicly known previously—to the best of our knowledge—to trick the victim into gaining remote code execution.”

IE would then present the user with a dialog box asking them if they wanted to open the file masquerading as a PDF. If the user clicked “open,” Windows presented a second dialog box displaying a vague notice that proceeding would open content on the Windows device. If users clicked “allow,” IE would load a file ending in .hta, an extension that causes Windows to open the file in Internet Explorer and run embedded code.

Screenshot showing open IE window and IE-generated dialog box asking to open Books_A0UJKO.pdf file. Credit: Check Point

Screenshot of IE Security box asking if user wants to "open web content" using IE. Credit: Check Point

“To summarize the attacks from the exploitation perspective: the first technique used in these campaigns is the “mhtml” trick, which allows the attacker to call IE instead of the more secure Chrome/Edge,” Li wrote. “The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application. The overall goal of these attacks is to make the victims believe they are opening a PDF file, and it is made possible by using these two tricks.”

The Check Point post includes cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check if they have been targeted.