A recently patched Windows MSHTML (Trident) platform spoofing vulnerability was exploited as a zero-day since before July 2024, in conjunction with another MSHTML bug, according to Microsoft.
Fixed in this month’s Patch Tuesday update, CVE-2024-43461 is a critical (CVSS 8.8/10) “user interface (UI) misrepresentation of critical information” vulnerability that allows an attacker to spoof a web page, according to a CISA advisory.
“CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024,” Microsoft said in the recent update to its advisory on the bug. “We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain.”
Trident is Microsoft’s legacy web browser engine and the foundation of its browsers in the late 1990s and 2000s. The engine was launched as part of the Internet Explorer 4.0 release to provide embedded web functionality and is still shipped with Windows for backward compatibility.
Exploitation by Void Banshee APT
Microsoft attributed the discovery of CVE-2024-43461 to Peter Girnus, senior cyber threat researcher at Trend Micro’s Zero Day Initiative (ZDI).
Trend Micro also discovered CVE-2024-38112 in May, the MSHTML remote code execution (RCE) vulnerability that attackers used along with CVE-2024-43461 in their attack chain.
“CVE-2024-38112 was used as part of an attack chain by the advanced persistent threat (APT) group Void Banshee, which targets North American, European, and Southeast Asian regions for information theft and financial gain,” Trend Micro said in a July blog post.
The attack chain that exploited CVE-2024-38112 leveraged CVE-2024-43461 to create a CWE-451 condition, UI misrepresentation of critical information, according to Girnus.
Void Banshee’s second MS zero day
Trend Micro’s analysis is in line with Check Point researcher Haifei Li’s findings that Void Banshee exploited the vulnerability in a spear-phishing campaign to distribute the Atlantida Stealer, which extracts system information and sensitive data such as passwords and cookies from various applications. Microsoft credited Li with discovering CVE-2024-38112.
“Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” explained Li in a July Check Point Research report.
The URLs were used to download a malicious HTA file and prompt the user to open it. Once opened, a script ran to install the Atlantida info-stealer.
These HTA files also exploited CVE-2024-43461 to conceal the .hta file extension and make the file appear to be a PDF when Windows asked users whether it should be opened. With Microsoft’s fix applied, Windows shows the actual .hta extension, warning users about the malicious download.
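A defensive check for the spoofing pattern described above, as an added example that is not part of the article, Trend Micro’s, or Microsoft’s own material: it flags a download name whose true (final) extension is a script type while an earlier decoy document extension is visible, optionally separated by padding characters. Assumptions: the padding character set (Unicode whitespace plus the braille blank U+2800), the extension watch lists, and the sample filenames are all constructed for this example.

```python
import unicodedata

# Assumed watch lists: extensions Windows runs as script/application, and document-like decoys.
RISKY_EXTENSIONS = {".hta", ".exe", ".js", ".vbs", ".scr", ".lnk", ".url"}
DECOY_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt"}


def _is_padding(ch: str) -> bool:
    """Characters that render blank and can push the real extension out of view.
    Assumption: Unicode whitespace, format controls, and the braille blank U+2800."""
    return ch.isspace() or unicodedata.category(ch) in ("Zs", "Cf") or ch == "\u2800"


def analyze_filename(name: str) -> dict:
    """Heuristic analysis of a proposed download name (not a Windows API call)."""
    lowered = name.lower()
    dot = lowered.rfind(".")
    # True extension: text after the last dot, with blank/padding characters removed.
    true_ext = "".join(ch for ch in lowered[dot:] if not _is_padding(ch)) if dot >= 0 else ""

    # Longest run of padding characters anywhere in the name (1 is normal for "my file.pdf").
    run = longest_run = 0
    for ch in name:
        run = run + 1 if _is_padding(ch) else 0
        longest_run = max(longest_run, run)

    # Decoy: a document extension that ends before the final dot and is followed only by padding.
    decoy = None
    for ext in sorted(DECOY_EXTENSIONS):
        idx = lowered.find(ext)
        if idx != -1 and idx + len(ext) <= dot:
            between = lowered[idx + len(ext):dot]
            if all(_is_padding(ch) for ch in between):
                decoy = ext
                break

    return {
        "true_extension": true_ext,
        "decoy_extension": decoy,
        "padding_chars": longest_run,
        "suspicious": true_ext in RISKY_EXTENSIONS and decoy is not None,
    }


if __name__ == "__main__":
    # Constructed sample: a decoy ".pdf" pushed apart from the real ".hta" by braille blanks.
    spoofed = "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta"
    for sample in (spoofed, "quarterly report.pdf", "invoice.pdf.hta"):
        print(repr(sample[:24]), analyze_filename(sample))
```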