This devious malware looked to exploit braille characters to breach Windows security flaws
Do you know what file types you are opening?
The Windows operating system (OS) had a vulnerability that allowed a file’s true extension to be hidden, which attackers used to distribute files that looked like .PDF documents but were in fact weaponized .HTA files.
In the most recent Patch Tuesday cumulative update, Microsoft addressed a flaw described as "Windows MSHTML spoofing vulnerability", and tracked as CVE-2024-43461. This flaw was apparently used by a threat actor known as Void Banshee to deploy the Atlantida infostealer.
In the attack, the crooks would first create a malicious .HTA file. .HTA stands for HTML Application, a file type that allows HTML to be executed as a standalone application. Unlike typical web pages that run inside a browser, .HTA files are executed with more privileges, similar to desktop applications, and can access system resources.
Then, they would abuse the vulnerability to add twenty-six repeated encoded braille whitespace characters to the file’s name. That way, when a user viewed the file on their computer, the actual file type would be pushed out of sight, tricking the victim into believing they were looking at a .PDF file instead. Running the file would install the Atlantida infostealer, which would collect and exfiltrate sensitive data, login information, and more.
Deploying the .HTA file to the device was done through a weaponized shortcut file (.URL). This file was most likely delivered through phishing or social engineering.
"Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL," Check Point Research explained in a recent paper, BleepingComputer reports.
The bug was fixed with the latest Patch Tuesday update. Now, when a user tries to open the .HTA file, the actual file type is no longer hidden. However, it is still pushed to the right by the run of braille whitespace characters, which might still confuse some people.
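As an added defender-side example (not code from the article, Check Point Research, or Microsoft), the following Python function inspects a filename for the padding trick described above: a plausible "visible" extension such as .pdf, followed by a run of characters that render as blank space (U+2800 BRAILLE PATTERN BLANK, zero-width format characters, non-ASCII spaces), followed by the real extension. It works on the name string itself, so it flags the file whether or not the file manager happens to render the true extension after the patch. The sample filenames are constructed, and the list of executable extensions is an assumption to tune for your own environment.

```python
import unicodedata

# U+2800 BRAILLE PATTERN BLANK renders as whitespace in most fonts but has
# Unicode category "So" (Symbol, other), so str.isspace() does not catch it.
BRAILLE_BLANK = "\u2800"

# Extensions that run code when double-clicked. Constructed for this example.
EXECUTABLE_EXTENSIONS = {"hta", "url", "lnk", "exe", "js", "vbs", "scr", "bat", "cmd"}


def is_filler(ch: str) -> bool:
    """True for characters that look blank but are not an ordinary ASCII space."""
    if ch == BRAILLE_BLANK:
        return True
    category = unicodedata.category(ch)
    # Cf: format chars (zero-width space, joiners); Zs: non-ASCII space separators.
    return category == "Cf" or (category == "Zs" and ch != " ")


def _extension(segment: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return segment.rsplit(".", 1)[1].lower() if "." in segment else ""


def analyze_filename(name: str) -> dict:
    """Compare the extension a user would see with the one Windows will act on."""
    # Strip any directory component, accepting both separator styles.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]

    filler_count = sum(1 for ch in base if is_filler(ch))

    # The "visible" part is everything before the first blank-looking filler.
    visible = base
    for index, ch in enumerate(base):
        if is_filler(ch):
            visible = base[:index]
            break

    apparent_ext = _extension(visible)
    true_ext = _extension(base)

    # Suspicious when fillers separate a decoy extension from a different real
    # one, or when fillers sit in front of an executable extension at all.
    mismatch = filler_count > 0 and apparent_ext != true_ext
    suspicious = mismatch or (filler_count > 0 and true_ext in EXECUTABLE_EXTENSIONS)

    return {
        "name": base,
        "apparent_extension": apparent_ext,
        "true_extension": true_ext,
        "filler_count": filler_count,
        "suspicious": suspicious,
    }


def scan_filenames(names: list) -> list:
    """Return the subset of names that analyze_filename() flags."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


# Constructed sample names: one padded decoy and two benign files.
SAMPLE_NAMES = [
    "Invoice.pdf" + BRAILLE_BLANK * 26 + ".hta",
    "quarterly report.pdf",
    "notes.txt",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        result = analyze_filename(sample)
        print(f"{result['apparent_extension']!r:8} -> {result['true_extension']!r:8} "
              f"fillers={result['filler_count']:2} suspicious={result['suspicious']}")
```

The check is cheap enough to run over mail-gateway attachment names, download-folder listings, or file-creation events in an EDR pipeline. Counting fillers separately from the extension mismatch matters: a padded name whose real extension happens to be non-executable is still worth a look, since it has no legitimate reason to carry the padding.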
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.