logo

Windows MSHTML zero-day used in malware attacks for over a year

Windows on red symbol

Microsoft fixed a Windows zero-day vulnerability that has been actively exploited in attacks for eighteen months to launch malicious scripts while bypassing built-in security features.

The flaw, tracked as CVE-2024-38112, is a high-severity MHTML spoofing issue fixed during the July 2024 Patch Tuesday security updates.

Haifei Li of Check Point Research discovered the vulnerability and disclosed it to Microsoft in May 2024.

However, in a report by Li, the researcher notes that they have discovered samples exploiting this flaw as far back as January 2023.

Internet Explorer is gone, but not really

Haifei Li discovered that threat actors have been distributing Windows Internet Shortcut Files (.url) to spoof legitimate-looking files, such as PDFs, but that download and launch HTA files to install password-stealing malware.

An Internet Shortcut File is simply a text file that contains various configuration settings, such as what icon to show, what link to open when double-clicked, and other information. When saved as a .url file and double-clicked, Windows will open the configured URL in the default web browser.

However, the threat actors discovered that they could force Internet Explorer to open the specified URL by using the mhtml: URI handler in the URL directive, as shown below.

Contents of the URL file
Contents of the URL fileSource: Check Point

MHTML is a 'MIME Encapsulation of Aggregate HTML Documents' file, a technology introduced in Internet Explorer that encapsulates an entire webpage, including its images, into a single archive.

When the URL is launched with the mhtml: URI, Windows automatically launches it in Internet Explorer instead of the default browser.

According to vulnerability researcher Will Dormann, opening a webpage in Internet Explorer offers additional benefits to threat actors, as there are fewer security warnings when downloading malicious files.

"First, IE will allow you to download a .HTA file from the internet without warning," explained Dormann on Mastodon.

"Next, once it's downloaded, the .HTA file will live in the INetCache directory, but it will NOT explicitly have a MotW. At this point, the only protection the user has is a warning that "a website" wants to open web content using a program on the computer."

"Without saying which website it is. If the user believes that they trust "this" website, this is when code execution happens."

Essentially, the threat actors take advantage of the fact that Internet Explorer is still included by default on Windows 10 and Windows 11.

Despite Microsoft announcing its retirement roughly two years back and Edge replacing it on all practical functions, the outdated browser can still be invoked and leveraged for malicious purposes.

Check Point says that the threat actors are creating Internet Shortcut files with icon indexes to make them appear as links to a PDF file.

When clicked, the specified web page will open in Internet Explorer, which automatically attempts to download what appears to be a PDF file but is actually an HTA file.

Internet Explorer downloading an HTA file spoofed as a PDF
Internet Explorer downloading an HTA file spoofed as a PDFSource: Check Point

However, the threat actors can hide the HTA extension and make it appear like a PDF is being downloaded by padding the filename with Unicode characters so the .hta extension is not displayed, as shown below.

HTA file using Unicode character padding to hide .hta extension
HTA file using Unicode character padding to hide .hta extensionSource: BleepingComputer

When Internet Explorer downloads the HTA file, it asks if you wish to save or open it. If a user decides to open the file thinking it's a PDF, as it does not contain the Mark of the Web, it will launch with only a generic alert about the content opening from a website.

Warning from Windows when Internet Explorer launches HTA file
Warning from Windows when Internet Explorer launches HTA fileSource: BleepingComputer

As the target expects to download a PDF, the user may trust this alert, and the file is allowed to run.

Check Point Research told BleepingComputer that allowing the HTA file to run would install the Atlantida Stealer malware password-stealing malware on the computer.

Once executed, the malware will steal all credentials stored in the browser, cookies, browser history, cryptocurrency wallets, Steam credentials, and other sensitive data.

Microsoft has fixed the CVE-2024-38112 vulnerability by unregistering the mhtml: URI from Internet Explorer, so it now opens in Microsoft Edge instead.

CVE-2024-38112 is similar to CVE-2021-40444, a zero-day vulnerability that abused MHTML that North Korean hackers leveraged to launch attacks targeting security researchers in 2021.


Free security scan for your website