ClearSky Cyber Security has uncovered a user interface (UI) vulnerability in Microsoft Windows that is currently being exploited by a sophisticated threat actor known as Mustang Panda, a group believed to be affiliated with Chinese state interests.
The exploitation involves the manipulation of file visibility when extracting compressed files from RAR archives.
When users extract files from these RAR archives, the files become hidden from view within the Windows Explorer graphical user interface, leading to an apparent empty folder scenario.
However, these files are not truly absent; they are merely invisible to the user through standard file navigation. This invisibility extends to the command line, where the “dir” command does not list these hidden files or folders either.
This vulnerability becomes particularly dangerous because it allows attackers to execute these hidden files through command-line prompts if the exact file path is known.
“Threat actors or users can also execute those compressed files from a command line prompt, if they know the exact path,” ClearSky stated.
The files can also be made visible again by altering their attributes with a command such as “attrib -s -h,” which removes the system and hidden attributes. According to ClearSky, this could potentially lead to the execution of unknown file types created by an “Unknown” ActiveX component.
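A defender-side check for the behaviour described above, added here as an example that is not part of the ClearSky report: it enumerates an extraction folder with the hidden and system entries that a plain “dir” or the default Explorer view omits, and flags any that carry both attributes. The `$Path` parameter and the extension list are assumptions for this example.

```powershell
# Added example (not from the ClearSky report): list entries under a folder that carry
# both the Hidden and System attributes, which plain "dir" and the default Explorer
# view do not show. $Path is an assumed parameter: the folder the archive was extracted to.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# -Force makes Get-ChildItem return hidden and system entries it would otherwise skip,
# the same items that "dir /a" lists and "dir" does not.
$hiddenSystem = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [System.IO.FileAttributes]::System) -ne 0)
    }

if (-not $hiddenSystem) {
    Write-Output "No Hidden+System entries under $Path"
    return
}

# Executable or script content with these attributes is the case worth reviewing;
# the extension list below is a constructed example, not an exhaustive one.
$riskyExt = '.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.lnk'
foreach ($item in $hiddenSystem) {
    $isRisky = (-not $item.PSIsContainer) -and ($riskyExt -contains $item.Extension.ToLower())
    $flag = if ($isRisky) { 'REVIEW' } else { 'info' }
    Write-Output ('{0,-6} {1,-30} {2}' -f $flag, $item.Attributes, $item.FullName)
}
```

Running it against a freshly extracted folder that looks empty in Explorer shows whether the “empty folder” actually holds Hidden+System entries, and which of them are executable.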
According to ClearSky’s findings, this vulnerability is being actively exploited in targeted attacks. While Microsoft has acknowledged the issue, it has been classified as a low-severity vulnerability, suggesting that the immediate threat level is moderate.
However, the stealthy nature of this exploit could lead to significant security breaches if not addressed properly.
ClearSky Cyber Security has not yet published its full findings; a more detailed blog post is expected to follow, likely including mitigation strategies and further analysis of the vulnerability’s impact.
This discovery underscores the ongoing cat-and-mouse game between cybersecurity researchers and state-sponsored hackers, highlighting the need for continuous vigilance and updates in software security.
Users are urged to stay informed about software updates and patches released by Microsoft to address this and similar vulnerabilities.
This is a developing story; we will update it as more technical details become available.
MD5 Hash of the Exploit: 3bd2eeda66ec057727be8810fee5da38