A recently addressed vulnerability in Windows, known as the "MSHTML spoofing vulnerability" and tracked under CVE-2024-43461, has been reclassified as previously exploited following its use in attacks orchestrated by the Void Banshee APT hacking group. Initially disclosed during the September 2024 Patch Tuesday, Microsoft did not label the vulnerability as previously exploited at that time. However, a recent update to the CVE-2024-43461 advisory has confirmed its exploitation prior to the fix.
The flaw was uncovered by Peter Girnus, a Senior Threat Researcher at Trend Micro's Zero Day initiative. In comments to BleepingComputer, Girnus indicated that the CVE-2024-43461 vulnerability was leveraged in zero-day attacks by Void Banshee to deploy information-stealing malware. This APT group, first identified by Trend Micro, targets organizations across North America, Europe, and Southeast Asia, aiming to extract sensitive data for financial gain.
The CVE-2024-43461 Zero-Day
In July, both Check Point Research and Trend Micro reported on attacks that exploited Windows zero-days to compromise devices with the Atlantida info-stealer, a tool designed to pilfer passwords, authentication cookies, and cryptocurrency wallets from affected systems. These attacks utilized two zero-days: CVE-2024-38112, which was patched in July, and CVE-2024-43461, which received a fix this month, forming part of a broader attack chain.
The discovery of CVE-2024-38112 was credited to Check Point researcher Haifei Li, who explained that it was exploited to manipulate Windows into opening malicious websites in Internet Explorer instead of Microsoft Edge when specially crafted shortcut files were launched. "Specifically, the attackers used special Windows Internet Shortcut files (.url extension), which, when clicked, would invoke the retired Internet Explorer (IE) to navigate to an attacker-controlled URL," Li detailed in a July report.
These URLs facilitated the download of a malicious HTA file, prompting users to open it. Upon opening, a script would execute, leading to the installation of the Atlantida info-stealer. The HTA files cleverly employed the CVE-2024-43461 zero-day to obscure their true extension, presenting themselves as PDFs during the Windows prompt, thereby increasing the likelihood of user engagement.
Girnus elaborated on the exploitation, noting that the CVE-2024-43461 flaw enabled the creation of a CWE-451 condition through HTA file names that incorporated 26 encoded braille whitespace characters (%E2%A0%80), effectively concealing the .hta extension. The file name would appear as a PDF but included these braille characters followed by the .hta extension, as illustrated below:
Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta
When Windows attempted to open this file, the braille whitespace characters pushed the HTA extension out of the visible interface, leaving only a '...' string in the prompts. This clever manipulation made the HTA files appear as benign PDF files, thus increasing the chances of users inadvertently executing them.
Following the installation of the security update for CVE-2024-43461, Girnus noted that while the whitespace is no longer stripped, Windows now accurately displays the .hta extension in prompts.
Security update now shows HTA extensionSource: Peter Girnus
However, this fix is not...
