Hackers Weaponizing Shortcut Files With Zero-day Tricks To Attack Windows Users

Hackers weaponize shortcut files because they are an inconspicuous way to execute malicious code on a target system. 

These files can be disguised as harmless icons but actually contain commands that, when clicked, launch harmful scripts or programs. 

EHA

This technique allows attackers to bypass security measures, gain unauthorized access, or deliver payloads while exploiting users’ trust in seemingly benign desktop shortcuts.

Cybersecurity researchers at CheckPoint recently identified that hackers have been actively weaponizing the shortcut files with Zero-day (CVE-2024-38112) tricks to attack Windows users.

Hackers Weaponizing Shortcut Files

Modern browser protections are being bypassed by executing codes on Microsoft’s Internet Explorer remotely using Windows Internet Shortcut files (.url).

The retired IE has been leveraged since January 2023 and exploits it to target even updated Windows 10 and Windows 11 machines.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Here the threat actors gain many advantages in remote code execution by forcing the use of IE and hiding malicious .hta extensions.

This trick of “mhtml” has been seen before in CVE-2021-40444 attacks and is now being used by threat actors to exploit .url files.

Windows Internet Shortcut files use a specific URL format (mhtml:http://…!x-usc:http://…) to achieve this.

By means of impersonating a PDF link, it ensures that modern browser security is bypassed consequently forcing the usage of Internet Explorer.

Malicious .url file appears as a link to a PDF file on Windows 11 (Source – CheckPoint)

This allows for possible remote code execution on fully patched Windows 11 systems.

IE and a promote window dialog appear when the victim double-clicks on the .url file (Source – CheckPoint)

The malicious .url files exploit Windows shortcuts to open links in retired Internet Explorer instead of modern browsers. 

This evades the security measures, allowing attackers to potentially execute remote code on Windows 10 and Windows 11 systems. 

The technique, which doesn’t require IE vulnerabilities, has been used since at least January 2023, researchers said.

The hack uses two kinds of misleading methods, a “mhtml” hack which makes Internet Explorer used instead of more secure browsers, and an IE-specific hack that disguises a malicious .hta file as PDF.

The name of the file is composed of invisible non-printable characters followed by a hidden .hta extension to deceive users into thinking they are opening up a harmless PDF.

Besides this, Microsoft released a patch (CVE-2024-38112) on July 9, 2024, addressing the security vulnerability that was reported on May 16.

Consequently bypassing IE’s Protected Mode is a two-stage deception that may result in system compromise if it is ignored by the user who then proceeds with the download.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.