Critical Windows MSHTML Vulnerability Now Actively Exploited in the Wild

CyberSecureFox 🦊

A recently patched Windows MSHTML spoofing vulnerability (CVE-2024-43461) has been confirmed as actively exploited in attacks. The hacking group Void Banshee has been leveraging this vulnerability in their operations, using Unicode Braille font block characters to disguise malicious files as PDFs.

Vulnerability Discovery and Exploitation

The vulnerability was addressed in Microsoft’s September Patch Tuesday updates. However, at that time, Microsoft did not disclose that the issue was already being exploited by threat actors. The bulletin for CVE-2024-43461 was updated with this critical information only at the end of last week.

Trend Micro’s Zero Day Initiative (ZDI) researchers discovered the vulnerability and reported that Void Banshee was using CVE-2024-43461 in zero-day attacks to deploy an infostealer. This revelation follows earlier reports from July 2024 by Check Point Research and Trend Micro, which detailed Void Banshee’s attacks using a zero-day vulnerability in Windows MSHTML to spread the Atlantida infostealer.

Attack Chain and Exploitation Techniques

The attacks combined two zero-day vulnerabilities: CVE-2024-38112 (patched in July) and CVE-2024-43461 (patched this month). CVE-2024-38112, discovered by Check Point Research’s Haifei Li, allowed attackers to force Windows to open malicious sites in Internet Explorer instead of Microsoft Edge using specially crafted .url files.

This technique was used to download a malicious HTA file, which the user was prompted to open. Once opened, it executed a malicious script that installed the Atlantida stealer on the victim’s machine.

Braille Characters and File Spoofing

The newly disclosed CVE-2024-43461 vulnerability was used in conjunction with the HTA files to hide the .hta extension and disguise the malicious file as a PDF when Windows prompted the user to open it. ZDI expert Peter Girnus explained that the vulnerability was exploited to cause a CWE-451 issue (User Interface (UI) Misrepresentation of Critical Information) in HTA filenames.

Attackers used 26 Braille blank characters (U+2800, Braille Pattern Blank; %E2%A0%80 is its URL-encoded UTF-8 form) in filenames to hide the .hta extension. For example:

Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta

This technique pushed the HTA extension beyond the user interface’s visible area, making the files appear as PDFs and increasing the likelihood of users opening them.
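A defender's check for this pattern, written here as an added example (not code from the article or from ZDI): it decodes a filename, isolates the run of blank padding between the decoy extension and the real one, and reports both. U+2800 is the character the article describes; the other blank code points and the list of script-host extensions are assumptions added to widen the check.

```python
import os
import re
from urllib.parse import unquote

# U+2800 (Braille Pattern Blank) is the padding character described in the article.
# The remaining code points are an assumption: they also render blank and could be
# used the same way, so the check covers them too.
PADDING_CHARS = "\u2800\u3000\u00a0\u200b\u200c\u200d\u2060\ufeff"
_TRAILING_PAD = re.compile(f"[{PADDING_CHARS}]+$")

# Extensions Windows hands to a script host or runs directly (assumed list).
EXECUTABLE_EXTS = {".hta", ".exe", ".js", ".jse", ".vbs", ".wsf",
                   ".scr", ".bat", ".cmd", ".ps1", ".lnk"}


def analyze_filename(name: str) -> dict:
    """Split a (possibly percent-encoded) filename into real and apparent extensions.

    The real extension is the one Windows acts on; the apparent extension is what
    a user sees once invisible padding pushes the real one out of the visible area.
    """
    decoded = unquote(name)                       # %E2%A0%80 -> U+2800
    stem, real_ext = os.path.splitext(decoded)    # real extension = text after last dot
    match = _TRAILING_PAD.search(stem)            # padding sits at the end of the stem
    pad_count = len(match.group(0)) if match else 0
    visible_stem = stem[: len(stem) - pad_count]
    _, apparent_ext = os.path.splitext(visible_stem)
    spoofed = pad_count > 0 and apparent_ext != "" and apparent_ext.lower() != real_ext.lower()
    return {
        "real_ext": real_ext.lower(),
        "apparent_ext": apparent_ext.lower(),
        "pad_count": pad_count,
        "spoofed": spoofed,
        "high_risk": spoofed and real_ext.lower() in EXECUTABLE_EXTS,
    }


def scan_filenames(names):
    """Return the names whose extension is hidden behind blank padding."""
    return [n for n in names if analyze_filename(n)["spoofed"]]


# Constructed sample names: the first reproduces the pattern quoted in the article,
# the third is an assumed variant using U+3000 (ideographic space) as padding.
SAMPLE_NAMES = [
    "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta",
    "Quarterly_Report.pdf",
    "invoice.pdf\u3000\u3000\u3000.js",
    "setup.hta",
]

if __name__ == "__main__":
    for n in scan_filenames(SAMPLE_NAMES):
        r = analyze_filename(n)
        print(f"{r['apparent_ext']} -> {r['real_ext']} ({r['pad_count']} pad chars, high_risk={r['high_risk']})")
```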

Patch and Mitigation

Following the patch for CVE-2024-43461, Windows now displays the actual .hta extension in tooltips, even though the blank characters are not removed. This change significantly improves user awareness and helps prevent accidental execution of malicious files.

As cybersecurity threats continue to evolve, it’s crucial for organizations and individuals to stay vigilant and keep their systems updated. Regularly applying security patches, educating users about potential threats, and implementing robust security measures are essential steps in maintaining a strong cybersecurity posture. By understanding the techniques used by threat actors, we can better prepare ourselves to defend against future attacks and protect our digital assets.
