Windows Security Vulnerability Exploits Braille “Spaces” In Zero-Day Attacks


A recently patched security vulnerability in Windows, known as the “MSHTML Spoofing Vulnerability” and tracked as CVE-2024-43461, has now been confirmed to have been exploited before the patch was available. The vulnerability was used by the APT hacker group Void Banshee in attacks that installed information-stealing malware.

Key Findings

  • The CVE-2024-43461 vulnerability was exploited in attacks by Void Banshee.
  • The attacks aimed to steal information and achieve financial gain.
  • The vulnerability was originally disclosed in September 2024 as part of Microsoft’s Patch Tuesday.
  • The attacks also utilised another vulnerability known as CVE-2024-38112.

The discovery of the CVE-2024-43461 vulnerability was attributed to Peter Girnus, a Senior Threat Researcher at Trend Micro. Girnus stated that the vulnerability was used in zero-day attacks by Void Banshee to steal information.

Details on the Attacks

In July, Check Point Research and Trend Micro reported on attacks that exploited Windows zero-days to infect devices with the Atlantida info-stealer. This malware was used to steal passwords, authentication cookies, and cryptocurrency wallets from infected devices.

The attacks chained the two zero-days CVE-2024-38112 (patched in July) and CVE-2024-43461 (patched this month) as part of the same attack chain.

The discovery of the CVE-2024-38112 vulnerability was attributed to Haifei Li from Check Point Research. Li explained that the attackers used special Windows internet shortcut files (.url extension) that opened Internet Explorer instead of Microsoft Edge when clicked, to visit the malicious URL.

The Role of Braille Spaces

The CVE-2024-43461 vulnerability was also used in the attacks by Void Banshee to create a CWE-451 condition (user-interface misrepresentation of critical information) through HTA file names that contained 26 URL-encoded Braille blank characters (%E2%A0%80, i.e. U+2800) to push the .hta extension out of view.

An example of such a file name might look as follows:

Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta

When Windows opened this file, the Braille spaces pushed the .hta extension out of the visible part of the user interface, so that it was replaced by a “…” string in the Windows prompts. This caused the HTA files to appear as PDF files, increasing the likelihood that they would be opened.
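The spoofing technique described above can be checked for on the defender's side, for example when scanning e-mail attachments, download logs or file-creation events. The following Python function is an added example and is not code from the article or from any of the researchers it cites. It decodes a percent-encoded file name, treats U+2800 BRAILLE PATTERN BLANK and any Unicode space or format character as “blank”, and reports the true extension, the extension a user would see before the padding, and the number of padding characters. The sample file name is the one quoted in the article; the extension lists and the `analyze_filename` name are this example's own choices.

```python
import unicodedata
import urllib.parse

# Extensions that Windows will execute or hand to a script host when double-clicked.
# This list is an assumption of the example; extend it to match local policy.
EXECUTABLE_EXTENSIONS = frozenset([
    ".hta", ".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".scr", ".bat", ".cmd", ".ps1", ".lnk", ".url", ".msi", ".com",
])

# The article's own sample: "Books_A0UJKO.pdf" + 26 x %E2%A0%80 + ".hta".
SAMPLE_NAME = "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta"


def is_blank(ch: str) -> bool:
    """True for characters that render as empty space.

    U+2800 has Unicode category 'So' (Other Symbol), not a space category,
    so it must be listed explicitly; Zs covers NBSP, ideographic space etc.,
    Cf covers zero-width and invisible format characters.
    """
    return ch == "\u2800" or unicodedata.category(ch) in ("Zs", "Cf")


def analyze_filename(raw_name: str) -> dict:
    """Inspect a file name for blank-character padding that hides its real extension."""
    name = urllib.parse.unquote(raw_name)  # no-op if the name is not percent-encoded

    last_dot = name.rfind(".")
    true_ext = name[last_dot:].lower() if last_dot != -1 else ""
    stem = name[:last_dot] if last_dot != -1 else name

    # Count blank characters sitting directly in front of the true extension.
    padding = 0
    while padding < len(stem) and is_blank(stem[-1 - padding]):
        padding += 1

    # What the user sees once the padding has pushed the real extension off-screen.
    visible_stem = stem[: len(stem) - padding]
    apparent_dot = visible_stem.rfind(".")
    apparent_ext = visible_stem[apparent_dot:].lower() if apparent_dot != -1 else ""

    padding_names = sorted({unicodedata.name(c, f"U+{ord(c):04X}")
                            for c in stem[len(stem) - padding:]})

    # Escaped rendering for log lines, so the padding cannot hide in the SIEM as well.
    safe_repr = "".join(f"<U+{ord(c):04X}>" if is_blank(c) else c for c in name)

    return {
        "true_ext": true_ext,
        "apparent_ext": apparent_ext,
        "padding_count": padding,
        "padding_names": padding_names,
        "double_extension": apparent_ext != "" and apparent_ext != true_ext,
        "suspicious": padding > 0 and true_ext in EXECUTABLE_EXTENSIONS,
        "safe_repr": safe_repr,
    }


if __name__ == "__main__":
    for candidate in (SAMPLE_NAME, "quarterly-report.pdf", "invoice.pdf          .exe"):
        result = analyze_filename(candidate)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} true={result['true_ext']!r} shown={result['apparent_ext']!r} "
              f"padding={result['padding_count']} name={result['safe_repr']}")
```

The check deliberately treats ordinary ASCII spaces the same way as Braille blanks, since a run of plain spaces before the real extension produces the same visual effect in a truncated prompt; the `safe_repr` field is meant for alerts and log lines, where an unescaped name would otherwise hide the padding from the analyst just as it hid it from the user.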

Security Updates and Future Actions

After the installation of the security update for CVE-2024-43461, Windows now displays the actual .hta extension in the prompts. However, Girnus points out that the included spaces may still confuse users, leading them to think the file is a PDF file.

Microsoft also patched three other actively exploited zero-days in the September Patch Tuesday, including CVE-2024-38217, which was used in LNK stomping attacks to bypass the Mark of the Web security feature.
