Hackers weaponize shortcut files because they are an obscure way to execute malicious code on a target system.

These files can be disguised as harmless icons but actually contain commands that, when clicked, launch malicious scripts or programs.

This technique allows attackers to exploit users’ trust in seemingly innocuous desktop shortcuts to bypass security measures, gain unauthorized access, or deliver payloads.

Cybersecurity researchers at Checkpoint recently pointed out that hackers are actively weaponizing shortcut files. zero day (CVE-2024-38112) tricks to attack Windows users.

Hackers are weaponizing shortcut files.

Using Windows Internet Shortcut files (.url) remotely on Microsoft’s Internet Explorer is bypassing advanced browser protections.

The retired IE has been exploited since January 2023 and Windows 10 and Windows 11 machines are also targeted by the exploit.

Join our free webinar to learn about Countering slow DDoS attacksThere is a big threat today.

Here threat actors gain many advantages in remote code execution by forcing the use of IE and hiding malicious .hta extensions.

This “mhtml” trick has previously been seen in CVE-2021-40444 attacks and is now being used by threat actors to exploit .url files.

Windows Internet shortcut files use a specific URL format (mhtml:http://…!x-usc:http://…) to access it.

By impersonating a PDF link, it ensures that modern browser security is bypassed, forcing the use of Internet Explorer.

Malicious .url file appears as a link to a PDF file on Windows 11 (Source – Checkpoint)

It allows the possible. Remote code execution On fully patched Windows 11 systems.

IE and a promotion window dialog appears when the victim double-clicks the .url file (Source – Checkpoint)

Malicious .url files exploit Windows shortcuts to open links in the retired Internet Explorer instead of modern browsers.

This bypasses security measures, allowing attackers to potentially execute remote code on Windows 10 and Windows 11 systems.

This technique, which does not require IE vulnerabilities, has been in use since at least January 2023. The researchers said.

The hack uses two types of deception, an “mhtml” hack that uses Internet Explorer instead of more secure browsers, and an IE-specific hack that converts a malicious .hta file as a PDF. hides

The file name consists of invisible non-printable characters followed by a hidden .hta extension to trick users into thinking they are opening a harmless PDF.

Additionally, Microsoft released a patch (CVE-2024-38112) on July 9, 2024, to address a security vulnerability reported on May 16.

As a result, bypassing IE’s Protected Mode is a two-step trick that can lead to system compromise if ignored by the user who then proceeds with the download.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Source link