This devious malware looked to exploit braille characters to breach Windows security flaws
Do you know what file types you are opening?
The Windows operating system (OS) had a vulnerability that allowed a file’s true extension to be hidden, which hackers exploited to distribute files that looked like .PDF documents but were in fact weaponized .HTA files.
In the most recent Patch Tuesday cumulative update, Microsoft addressed a flaw described as “Windows MSHTML spoofing vulnerability”, tracked as CVE-2024-43461. This flaw was apparently used by a threat actor known as Void Banshee to deploy the Atlantida infostealer.
In the attack, the crooks would first create a malicious .HTA file. HTA stands for HTML Application, a file type that allows HTML to be executed as a standalone application. Unlike typical web pages that run in a browser, .HTA files are executed with more privileges, similar to desktop applications, and can access system resources.
Atlantida infostealer
Then, they would abuse the vulnerability by inserting twenty-six repeated, encoded braille whitespace characters into the file’s name. That way, when a user viewed the file on their computer, the actual file type would be pushed out of sight, tricking the victim into believing they were looking at a .PDF file instead. Running the file would install the Atlantida infostealer, which would collect and exfiltrate sensitive data, login information, and more.
Deploying the .HTA file to the device was done through a weaponized Internet Shortcut file (.URL). This file was most likely delivered via phishing or social engineering.
“Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” Check Point Research explained in a recent paper, BleepingComputer reports.
The bug was fixed with the latest Patch Tuesday update. Now, when a user tries to open the .HTA file, the actual file type will not remain hidden. However, it will still be pushed to the right, thanks to multiple braille whitespace characters, which might still confuse some people.
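The spoofing technique above comes down to a file name whose visible part ends in ".pdf" while the real extension sits after a run of blank-looking Unicode characters. The following detector, an added example that is not part of the article or of any vendor tool, shows how a mail gateway or endpoint agent could flag such names; the list of blank-looking code points, the executable watch-list and the sample file name are assumptions constructed for the example.

```python
from urllib.parse import unquote

# U+2800 BRAILLE PATTERN BLANK is the padding character this lure relied on.
BRAILLE_BLANK = "\u2800"
# Other code points that render blank or zero-width in Explorer and mail clients.
# This list is an assumption for the example, not an exhaustive one.
DECEPTIVE_BLANKS = {BRAILLE_BLANK, "\u00a0", "\u202f", "\u205f", "\u3000",
                    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
DECEPTIVE_BLANKS |= {chr(cp) for cp in range(0x2000, 0x200b)}  # EN QUAD .. ZERO WIDTH SPACE

# Extensions that execute code when double-clicked (assumed watch-list).
EXECUTABLE_EXTS = {"hta", "exe", "scr", "js", "jse", "vbs", "wsf", "lnk",
                   "url", "bat", "cmd", "ps1", "msi"}


def _blank_run(name: str):
    """Return (start, end) of the first run of deceptive blank characters, or None."""
    for i, ch in enumerate(name):
        if ch in DECEPTIVE_BLANKS:
            j = i
            while j < len(name) and name[j] in DECEPTIVE_BLANKS:
                j += 1
            return i, j
    return None


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse_filename(raw_name: str) -> dict:
    """Classify a file name; percent-encoding (as found in a .url lure) is decoded first."""
    name = unquote(raw_name)            # "%E2%A0%80" -> U+2800
    real_ext = _extension(name)         # what Windows will actually launch
    run = _blank_run(name)
    padding = run[1] - run[0] if run else 0
    # The extension the user perceives is that of the text before the padding.
    apparent_ext = _extension(name[:run[0]]) if run else real_ext
    suspicious = padding > 0 and (apparent_ext != real_ext or real_ext in EXECUTABLE_EXTS)
    return {"decoded_name": name, "real_extension": real_ext,
            "apparent_extension": apparent_ext, "padding_chars": padding,
            "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample: 26 encoded braille blanks between ".pdf" and the real ".hta".
    lure = "quarterly_report.pdf" + "%E2%A0%80" * 26 + ".hta"
    print(analyse_filename(lure))
    print(analyse_filename("quarterly_report.pdf"))
```

Because the check keys on the padding run rather than on the extension alone, it still fires on post-patch names where the ".hta" is visible but pushed to the right.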
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.