Windows vulnerability abused braille “spaces” in zero-day attacks


A recently fixed “Windows MSHTML spoofing vulnerability” tracked as CVE-2024-43461 is now marked as previously exploited after it was used in attacks by the Void Banshee APT hacking group.

When first disclosed as part of the September 2024 Patch Tuesday, Microsoft had not marked the vulnerability as previously exploited. However, on Friday, Microsoft updated the CVE-2024-43461 advisory to indicate it had been exploited in attacks before it was fixed.

The flaw’s discovery was attributed to Peter Girnus, a Senior Threat Researcher at Trend Micro’s Zero Day Initiative, who told BleepingComputer that the CVE-2024-43461 flaw was exploited in zero-day attacks by Void Banshee to install information-stealing malware.

Void Banshee is an APT hacking group first tracked by Trend Micro that targets organizations in North America, Europe, and Southeast Asia to steal data and for financial gain.

The CVE-2024-43461 zero-day

In July, Check Point Research and Trend Micro both reported on the same attacks, which exploited Windows zero-days to infect devices with the Atlantida info-stealer, used to steal passwords, authentication cookies, and cryptocurrency wallets from infected devices.

The attacks used zero-days tracked as CVE-2024-38112 (fixed in July) and CVE-2024-43461 (fixed this month) as part of the attack chain.

The discovery of the CVE-2024-38112 zero-day was attributed to Check Point researcher Haifei Li, who says it was used to force Windows to open malicious websites in Internet Explorer rather than Microsoft Edge when launching specially crafted shortcut files.

“Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” explained Li in a July Check Point Research report.

These URLs were used to download a malicious HTA file and prompt the user to open it. When opened, a script would run to install the Atlantida info-stealer.

The HTA files used a different zero-day tracked as CVE-2024-43461 to hide the HTA file extension and make the file appear to be a PDF when Windows prompted users as to whether it should be opened, as shown below.

ZDI researcher Peter Girnus told BleepingComputer that the CVE-2024-43461 flaw was also used in the Void Banshee attacks to create a CWE-451 condition (user interface misrepresentation of critical information) via HTA file names that included 26 encoded braille whitespace characters (%E2%A0%80) to hide the .hta extension.

As you can see below, the file name starts out as a PDF file name but then includes twenty-six repeated encoded braille whitespace characters (%E2%A0%80, the URL-encoded UTF-8 form of U+2800 BRAILLE PATTERN BLANK) followed by a final ‘.hta’ extension.

Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta

When Windows opens this file, the braille whitespace characters push the HTA extension outside the visible user interface, with the cut-off indicated only by a ‘…’ string in Windows prompts, as seen below. This caused the HTA files to appear to be PDF files, making them more likely to be opened.

Braille whitespace characters pushing HTA extension out of view
Source: Trend Micro

After installing the security update for CVE-2024-43461, Girnus says the whitespace is not stripped, but Windows now shows the actual .hta extension for the file in prompts.

Security update now shows HTA extension
Source: Peter Girnus

Unfortunately, this fix is not perfect, as the included whitespace will likely still confuse people into thinking the file is a PDF rather than an HTA file.
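Because the patch only changes what the prompt displays and leaves the padding in place, a practical check is to look at the file name itself rather than at what a user sees. The following is an added example, not code from the article, Trend Micro, Check Point or Microsoft: it reconstructs the lure name shown above, URL-decodes it the way a handler would, and reports the extension Windows will act on next to the extension a user would read. The list of blank-rendering characters, the executable-extension policy list and the fixed-width prompt model are assumptions for illustration; only U+2800 and the 26-character padding come from the article.

```python
"""Flag file names whose real extension hides behind blank-rendering characters.

Added example modelling the CVE-2024-43461 lure described in the article.
"""
from urllib.parse import unquote

# Characters that draw as blank or zero-width in typical Windows UI fonts.
# Assumed list for this example; U+2800 is the one the article documents.
BLANK_RENDERING = "".join([
    "\u2800",                           # BRAILLE PATTERN BLANK (UTF-8 E2 A0 80 -> %E2%A0%80)
    "\u00a0",                           # NO-BREAK SPACE
    *map(chr, range(0x2000, 0x200B)),   # EN QUAD .. HAIR SPACE
    "\u200b", "\u200c", "\u200d",       # zero-width space / joiners
    "\u2060", "\u3000", "\ufeff",       # word joiner, ideographic space, BOM
    " ",                                # plain space padding (the classic variant)
])

# Extensions that execute script or code on open (assumed policy list).
EXECUTABLE_EXTS = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf", "wsh",
                   "scr", "cmd", "bat", "ps1", "lnk", "url"}

# Padding runs at least this long are reported even without a decoy extension.
PADDING_THRESHOLD = 8

# Constructed sample, built the same way as the name shown in the article.
LURE_NAME = "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta"


def analyze_filename(name: str) -> dict:
    """Compare the extension Windows acts on with the one a user would read."""
    decoded = unquote(name)                 # handles %E2%A0%80 as well as raw UTF-8 input
    base, dot, real_ext = decoded.rpartition(".")
    if not dot:                             # no extension at all
        base, real_ext = decoded, ""
    # Note: "\u2800".isspace() is False (category So), so a plain .strip() would
    # not remove it; the explicit character list above is what does the work.
    stripped = base.rstrip(BLANK_RENDERING)
    padding = len(base) - len(stripped)     # blank-rendering chars before the real extension
    apparent_ext = stripped.rpartition(".")[2] if "." in stripped else ""
    spoofed = (padding > 0 and apparent_ext != ""
               and apparent_ext.lower() != real_ext.lower())
    return {
        "decoded": decoded,
        "real_ext": real_ext.lower(),
        "apparent_ext": apparent_ext.lower(),
        "padding": padding,
        "spoofed": spoofed,
        "suspicious_padding": padding >= PADDING_THRESHOLD,
        "dangerous": spoofed and real_ext.lower() in EXECUTABLE_EXTS,
    }


def simulate_prompt(decoded: str, width: int = 24) -> str:
    """Crude model of a fixed-width prompt that elides the tail of a long name with '…'.

    Real Windows dialogs truncate by pixel width and font, not by character
    count; this only illustrates why the trailing '.hta' is what disappears.
    """
    return decoded if len(decoded) <= width else decoded[:width] + "…"


if __name__ == "__main__":
    for sample in (LURE_NAME, "Quarterly%20Report.pdf",
                   "invoice.docx" + "\u2800" * 10 + ".exe"):
        result = analyze_filename(sample)
        print(f"shown as : {simulate_prompt(result['decoded'])!r}")
        print(f"real ext : {result['real_ext']!r}  apparent: {result['apparent_ext']!r}  "
              f"padding: {result['padding']}  spoofed: {result['spoofed']}  "
              f"dangerous: {result['dangerous']}")
```

The check is deliberately independent of what the prompt renders, so it gives the same answer on patched and unpatched hosts; it is suited to mail gateways, download scanners or EDR hunting over file-creation events, where the raw name is available before any user reads it.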

Microsoft fixed three other actively exploited zero-days in the September Patch Tuesday, including CVE-2024-38217, which was exploited in LNK stomping attacks to bypass the Mark of the Web security feature.
