
CPR Warns Threat Actors are Leveraging Internet Explorer in New Zero-Day Spoofing Attack (CVE-2024-38112)

Check Point Research (CPR) warns of a new spoofing attack in which threat actors use Internet Shortcut files that invoke Internet Explorer to lure Windows 10/11 users into enabling remote code execution. CPR recommends that Microsoft customers patch immediately.

Key Findings

Overview

Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users into enabling remote code execution.

Specifically, the attackers used special Windows Internet Shortcut files (.url extension), which, when clicked, call the retired Internet Explorer (IE) to visit an attacker-controlled URL. An additional trick in IE was used to hide the malicious “.hta” extension. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browsers on Windows, the attacker gains significant advantages in exploiting the victim’s computer, even though the computer is running the modern Windows 10/11 operating system.
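As an added example (not code from the CPR report), the following Python triage script parses Internet Shortcut files and flags the two traits described above: a URL that the retired IE engine will handle, and an .hta target whose extension is hidden behind padding or a second extension. It assumes, as the full CPR analysis describes, that an `mhtml:` prefix is what routes the URL to IE; the sample .url contents and the example.invalid host are constructed for the example.

```python
import re

# Constructed sample .url contents (not samples from the CPR report). A .url
# file is INI text: an [InternetShortcut] section holding a URL= key.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/docs/\r\n",
    "ie-hta.url": "[InternetShortcut]\r\nURL=mhtml:http://example.invalid/plugin/Books.pdf.hta\r\nIconIndex=0\r\n",
    "padded.url": "[InternetShortcut]\r\nURL=https://example.invalid/report.pdf    .hta\r\n",
}

# URL prefixes handled by the retired IE/MSHTML engine instead of Edge/Chrome (assumed).
IE_SCHEMES = ("mhtml:",)

def extract_url(text):
    # Return the URL= value from the [InternetShortcut] section, or None.
    section = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None

def assess_url(url):
    # List the reasons a shortcut URL matches the CVE-2024-38112 pattern.
    findings = []
    lower = url.lower()
    if lower.startswith(IE_SCHEMES):
        findings.append("scheme prefix routes the URL to the retired IE engine")
    # Last path segment without query/fragment; collapse runs of spaces and
    # dots that push the real extension out of view in file dialogs.
    name = re.split(r"[?#]", lower, maxsplit=1)[0].rsplit("/", 1)[-1]
    compact = re.sub(r"[\s.]+", ".", name)
    if compact.endswith(".hta"):
        findings.append("target is an HTML Application (.hta)")
        if compact != name:
            findings.append("padding before the .hta extension hides it")
        stem = compact[:-4]
        if "." in stem:
            findings.append("double extension disguises .hta as ." + stem.rsplit(".", 1)[-1])
    return findings

def scan(files):
    # Map each file name to its findings; [] means nothing suspicious.
    urls = {n: extract_url(t) for n, t in files.items()}
    return {n: assess_url(u) if u else ["no URL= entry found"] for n, u in urls.items()}
```

Running `scan(SAMPLES)` reports the benign shortcut as clean and lists three findings for each of the two constructed suspicious files.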

Note that it is not uncommon for threat actors to use .url files as an initial attack vector in their campaigns. Even the use of novel or zero-day .url-file-related vulnerabilities has happened before: CVE-2023-36025, which was just patched last November, is a good example.

The malicious .url samples discovered by CPR date from as early as January 2023 through May 13, 2024 and beyond. This suggests that threat actors have been using these attack techniques for quite some time.

For the full analysis of this attack, visit the CPR blog.

Defense and Mitigation 

These exploitation tricks, which have been actively used in the wild for at least one year, work on the latest Windows 10/11 operating systems.

Check Point released the following protection on IPS and Harmony Email months ago to ensure customers remain protected: the IPS signature named “Internet Shortcut File Remote Code Execution.” Windows users should immediately install the Microsoft patch.

Additionally, Harmony Email and Collaboration provides comprehensive inline protection against this zero-day attack at the highest security level.

Conclusion 

CPR recommends Windows users remain vigilant about .url files sent from untrusted sources. This tricky attack enables attackers to leverage IE (instead of the more secure Chrome/Edge browsers). It works in two ways

Check Point Research continues to monitor the activities related to this type of attack around the globe.
