TechRadar
Sead Fadilpašić

This devious malware looked to exploit braille characters to breach Windows security flaws

The Windows operating system (OS) had a vulnerability that allowed people to hide a file’s true extension, which hackers used to distribute files that looked like .PDF documents but were in fact weaponized .HTA files.

In the most recent Patch Tuesday cumulative update, Microsoft addressed a flaw described as "Windows MSHTML spoofing vulnerability", and tracked as CVE-2024-43461. This flaw was apparently used by a threat actor known as Void Banshee to deploy the Atlantida infostealer.

In the attack, the crooks would first create a malicious .HTA file. HTA stands for HTML Application, a file type that allows HTML to be executed as a standalone application. Unlike typical web pages that run in a browser, .HTA files are executed with more privileges, similar to desktop applications, and can access system resources.

Atlantida infostealer

Then, they would abuse the vulnerability to add twenty-six repeated encoded braille whitespace characters to the file’s name. That way, when a user views the file on their computer, the actual file type would be hidden, tricking the victim into believing they were looking at a .PDF file instead. Running the file would install the Atlantida infostealer, which would pick up and exfiltrate sensitive data, login information, and more.

The .HTA file was deployed to the device through a weaponized shortcut file (.URL). This file was most likely delivered through phishing or social engineering.

"Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL," Check Point Research explained in a recent paper, BleepingComputer reports.

The bug was fixed with the latest Patch Tuesday update. Now, when a user tries to open the .HTA file, the actual file type will not remain hidden. However, it will still be pushed to the right, thanks to multiple braille whitespace characters, which might still confuse some people.
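A defender-side check for the file-name padding described above, as an added example that is not part of the original article: it decodes a file name, measures the run of blank-looking characters in front of the real extension, and flags names where a decoy extension is followed by padding and an executable type. It assumes the braille whitespace character is U+2800 (BRAILLE PATTERN BLANK, `%E2%A0%80` when percent-encoded); the function names, the extension shortlist, the padding threshold and the sample file names are constructed for illustration.

```python
import os
import unicodedata
from urllib.parse import unquote

# Assumption: the "braille whitespace" is U+2800 BRAILLE PATTERN BLANK.
# Its Unicode category is "So", so str.isspace() and \s do not match it.
BRAILLE_BLANK = "\u2800"
# Constructed shortlist of extensions that run code when opened.
RISKY_EXTENSIONS = {".hta", ".url", ".lnk", ".js", ".vbs", ".exe", ".scr"}

def is_blank_looking(ch):
    """True for characters that render as empty space in a file name."""
    return ch == BRAILLE_BLANK or unicodedata.category(ch) in ("Zs", "Cf")

def analyze_filename(raw_name, min_padding=3):
    """Report blank-looking padding between a decoy and the real extension."""
    name = unquote(raw_name)  # decode %E2%A0%80 sequences from URLs or logs
    stem, real_ext = os.path.splitext(name)
    end = len(stem)
    while end > 0 and is_blank_looking(stem[end - 1]):
        end -= 1
    visible = stem[:end]
    padding = len(stem) - end
    real_ext = real_ext.lower()
    return {
        "visible_name": visible,
        "apparent_ext": os.path.splitext(visible)[1].lower(),
        "real_ext": real_ext,
        "padding": padding,
        "suspicious": padding >= min_padding and real_ext in RISKY_EXTENSIONS,
    }

# Constructed sample names (not taken from any real incident).
SAMPLES = [
    "invoice.pdf" + BRAILLE_BLANK * 26 + ".hta",
    "invoice.pdf" + "%E2%A0%80" * 26 + ".hta",
    "report.final.pdf",
    "setup.exe",
]

def flag_suspicious(names):
    """Return (visible name, real extension, padding) for each flagged name."""
    results = (analyze_filename(n) for n in names)
    return [(r["visible_name"], r["real_ext"], r["padding"])
            for r in results if r["suspicious"]]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLES):
        print(hit)
```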
