The Windows operating system (OS) had a vulnerability that allowed people to hide a file’s true extension, which hackers were able to use and distribute files that looked like .PDF documents, but were in fact weaponized .HTA files.
In the most recent Patch Tuesday cumulative update, Microsoft addressed a flaw described as "Windows MSHTML spoofing vulnerability", and tracked as CVE-2024-43461. This flaw was apparently used by a threat actor known as Void Banshee to deploy the Atlantida infostealer.
In the attack, the crooks would first create a malicious .HTA file. An .HTA file stands for HTML Application, and it is a file type that allows HTML to be executed as a standalone application. Unlike typical web pages that run in a browser, .HTA files are executed with more privileges, similar to desktop applications, and can access system resources.
Atlantida infostealer
Then, they would abuse the vulnerability to add twenty-six repeated encoded braille whitespace characters to the file’s name. That way, when a user views a file on their computer, the actual file type would be hidden, tricking the victim into believing they were looking at a .PDF file, instead. Running the file would install the Atlantida infostealer, which would pick up and exfiltrate sensitive data, login information, and more.
Deploying the .HTA file to the device was done through a weaponized shortcut file (.URL). This file was most likely delivered with phishing, or social engineering.
"Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL," Check Point Research explained in a recent paper, BleepingComputer reports.
The bug was fixed with the latest Patch Tuesday update. Now, when a user tries to open the .HTA file, the actual file type will not remain hidden. However, it will still be pushed to the right, thanks to multiple braille whitespace characters, which might still confuse some people.
More from TechRadar Pro
- Pro-Kremlin propaganda pages seized by US in election interference crackdown
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now