Windows MSHTML Zero-Day Vulnerability Exploited In The Wild

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


The Windows MSHTML platform spoofing vulnerability, CVE-2024-43461, which affects all supported Windows versions, has been exploited in the wild.

CVE-2024-43461 was used in attacks by the Void Banshee APT hacking group. Research from Trend Micro claims that Void Banshee lures people by disseminating harmful files disguised as book PDFs through zip archives.

These files may be found on cloud-sharing websites, Discord servers, and online libraries, among other places. Southeast Asia, Europe, and North America are the main regions targeted by Void Banshee’s attacks.

Microsoft mentioned CVE-2024-43461 on Friday as part of the September 2024 Patch Tuesday, indicating that it had been used in attacks.


Overview Of The Zero-Day Vulnerability Exploited In The Wild

The attack campaign of the Void Banshee group made use of both CVE-2024-43461 and the July-resolved vulnerability CVE-2024-38112.

Initially, Windows Internet Shortcut (.url) files were used in the attacks. Clicking on these files forced the device to launch a malicious website run by the attackers, using the now-deprecated Internet Explorer in place of Microsoft Edge.

As soon as the malicious page was accessed, it prompted the download of an HTML Application (HTA) file.

The HTA file included a script to install the malware known as Atlantida info-stealer, which collects confidential data.

By spoofing the file extension and making it look like a PDF file rather than an .hta executable, the attackers were able to conceal the actual nature of the file.

The attackers spoof the HTA file extension by taking advantage of a vulnerability in Windows MSHTML.

The method uses braille whitespace characters (%E2%A0%80) to hide the “.hta” extension from the user's view.

Braille whitespace characters used to hide .hta extension (Source: Trend Micro)

Hence, when the user accessed the spoofed file, the HTA file was executed, which initiated the script that deployed the Atlantida info-stealer.

Windows now shows the actual .hta extension (Source: Peter Girnus)
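
A defensive check for the trick described above, as an added example that is not from the original article or from Trend Micro: it decodes a filename taken from a URL or proxy log and flags names where invisible padding separates a harmless-looking extension from a risky real one. The function names, the extension list and the sample filename are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

# Illustrative subset of extensions Windows runs or interprets directly;
# chosen for this example, not an exhaustive list.
RISKY_EXTENSIONS = {".hta", ".js", ".vbs", ".wsf", ".scr", ".exe", ".lnk", ".url"}
BRAILLE_BLANK = "\u2800"  # percent-encoded as %E2%A0%80


def is_padding(ch):
    """True for characters that render as blank space or as nothing."""
    if ch == " ":
        return False  # ordinary spaces are normal in filenames
    # U+2800 is category "So" (not whitespace), so it needs an explicit check.
    return ch == BRAILLE_BLANK or ch.isspace() or unicodedata.category(ch) == "Cf"


def extension_of(name):
    """Lower-cased text from the final dot onward, or '' if there is no dot."""
    _, dot, ext = name.rpartition(".")
    return (dot + ext).lower() if dot else ""


def analyze_filename(raw_name):
    """Compare the extension a user sees with the one the file really has.

    raw_name may be percent-encoded, as it appears in a URL or proxy log.
    """
    name = unquote(raw_name)
    pad_positions = [i for i, ch in enumerate(name) if is_padding(ch)]
    # What the user reads: everything before the first invisible character.
    visible = name[:pad_positions[0]] if pad_positions else name
    real_ext = extension_of(name)
    apparent_ext = extension_of(visible)
    return {
        "apparent_ext": apparent_ext,
        "real_ext": real_ext,
        "padding_chars": len(pad_positions),
        "spoofed": bool(pad_positions)
        and real_ext in RISKY_EXTENSIONS
        and apparent_ext != real_ext,
    }


# Constructed sample: a PDF-looking name padded with 26 braille blanks.
SAMPLE = "Sample_Book.pdf" + "%E2%A0%80" * 26 + ".hta"

if __name__ == "__main__":
    print(analyze_filename(SAMPLE))
```

The same function can be run over download names in web proxy or mail gateway logs; a hit means the name a user saw and the type Windows will open disagree.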

Because this kind of attack depends on user interaction to succeed, we advise concerned Windows users to exercise extra caution when opening .url files from unknown sources.
