Since January 2023, a sophisticated spoofing attack has been leveraging the Internet Explorer shortcut files to enable remote code execution on Windows 10 and 11 systems. The vulnerability, which has been actively exploited for over a year, allows the browser to visit the attacker-controlled URL.
When these .url files are clicked, they exploit a mechanism that calls the now-defunct Internet Explorer browser to open a malicious URL. This method allows attackers to bypass the security measures of modern browsers like Chrome and Edge, which are more robust against such exploits.
The attackers employ a trick to disguise the harmful .hta (HTML Application) file by hiding its extension, making it appear as a benign file type. This deception is particularly effective because many users may not recognise the threat posed by a seemingly harmless shortcut file.
Researchers disclosed the vulnerability to Microsoft in May 2024, and the company released the necessary patches (CVE-2024-38112) on July 9, 2024.
This method involves crafting a URL parameter in the .url file with the prefix mhtml: and incorporating the !x-usc: tag. When a victim clicks on the file, IE is summoned to open the specified URL, thereby bypassing the default security measures of modern browsers.
On close analysis of one such .url sample on VirusTotal, researchers discovered that the URL within the file is not a standard web address but rather a manipulated string.
This code exploits the outdated IE browser to run remote code. When a user clicks on the file, thinking it’s a PDF, IE opens and redirects to the attacker’s website, potentially leading to further exploitation.
A dialogue box appears when the .url file is opened, prompting users to open a PDF file. However, this is a deceptive tactic; the file’s true nature is hidden by non-printable characters appended to the filename, effectively masking its actual .hta extension. This allows attackers to obscure their intentions beyond just tricking the system into using IE.
Upon clicking ‘Open’, the victim unknowingly initiates the download and execution of a malicious .hta file, compromising their system. This layered approach underscores the attackers’ sophisticated understanding of IE’s vulnerabilities and user behaviour.
The malicious activity associated with these .url files dates back to January 2023. This means that this technique was used by cyber crooks for well over a year, suggesting that many systems could have been compromised during this period.
Threat actors have been known to deploy .url files as an initial attack vector in their campaigns.
“It’s not uncommon for threat actors to use .url files as an initial attack vector in their campaigns. Even using novel or zero-day url-file-related vulnerabilities has happened before—CVE-2023-36025, which was just patched last November, is a good example,” explained researchers.
In the News: RTO phishing campaigns target Indian Android users via WhatsApp
