Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.
For some technical background, it’s not uncommon for threat actors to use .url files as an initial attack vector in their campaigns. Even using novel or zero-day url-file-related vulnerabilities has happened before—CVE-2023-36025, which was just patched last November, is a good example.
The malicious .url samples we discovered could be dated back as early as January 2023 (more than one year ago) to the latest May 13, 2024 (a few days ago, as of writing). This suggests that threat actors have been using the attacking techniques for quite some time.
/cdn.vox-cdn.com/uploads/chorus_asset/file/23951575/VRG_Illo_STK192_L_Normand_LinaKhan_Neutral.jpg)
