
The malware steals user data by exploiting a Windows zero-day vulnerability, tracked as CVE-2024-38112, which allows it to launch malicious scripts while bypassing built-in security features. Threat actors distribute Windows Internet Shortcut Files (.url) that spoof legitimate-looking files; when clicked, these shortcuts download and launch HTA files that install password-stealing malware. Once executed, the malware steals credentials stored in the browser, cookies, browser history, cryptocurrency wallets, and other sensitive data.

CVE-2024-38112 is a high-severity MHTML spoofing vulnerability in Windows MSHTML Platform that has been actively exploited by threat actors for over a year. The vulnerability allows attackers to distribute Windows Internet Shortcut Files (.url) disguised as legitimate files, such as PDFs, which then download and launch HTA files to install password-stealing malware. The issue was fixed by Microsoft during the July 2024 Patch Tuesday security updates.
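The delivery chain described above (a .url shortcut disguised as a document, pointing at an HTA via the MHTML handler) leaves traces a defender can triage in the shortcut file itself. The following Python is an added example, not code from Check Point or Microsoft: it parses the standard INI layout of a Windows Internet Shortcut and flags the three indicators the text implies. The heuristics (doubled document extension, `mhtml:` URL scheme, `.hta` target) and the sample shortcut contents are assumptions constructed for illustration, not a published signature.

```python
import configparser
import re
from pathlib import PurePath

# Document extensions a shortcut might be disguised with (assumption: illustrative list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Constructed sample .url files; the hosts are reserved ".invalid" names, not real sites.
SAMPLES = {
    "Invoice.pdf.url": "[InternetShortcut]\nURL=mhtml:http://example.invalid/Invoice.hta\nIconIndex=3\n",
    "Report.url": "[InternetShortcut]\nURL=https://example.invalid/setup.hta\n",
    "Docs.url": "[InternetShortcut]\nURL=https://example.invalid/docs/\n",
}


def parse_url_shortcut(content: str):
    """Return the URL= target of an Internet Shortcut (.url) file, or None if absent."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(content)
    if not cfg.has_section("InternetShortcut"):
        return None
    return cfg["InternetShortcut"].get("URL")  # key lookup is case-insensitive


def assess_url_shortcut(filename: str, content: str) -> list:
    """Heuristic triage of one .url file; returns the list of reasons it looks suspicious."""
    reasons = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    # A name like Invoice.pdf.url hides the real .url extension behind a document one.
    if len(suffixes) >= 2 and suffixes[-1] == ".url" and suffixes[-2] in DOC_EXTS:
        reasons.append(f"double extension disguises shortcut as {suffixes[-2]}")
    target = parse_url_shortcut(content)
    if target is None:
        return reasons
    # An mhtml: prefix routes the link through the MSHTML handler instead of the default browser.
    if target.lower().startswith("mhtml:"):
        reasons.append("mhtml: scheme routes the link to the MSHTML handler")
    # An HTA target is an HTML Application, which executes script with local privileges.
    if re.search(r"\.hta(?=[?#]|$)", target, re.IGNORECASE):
        reasons.append("target is an HTML Application (.hta)")
    return reasons


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample filename to its list of reasons (empty list means nothing flagged)."""
    return {name: assess_url_shortcut(name, body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", reasons or "clean")
```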

CVE-2024-38112, a Windows MSHTML zero-day vulnerability, was exploited for eighteen months before it was detected and patched by Microsoft in the July 2024 Patch Tuesday security updates. The vulnerability was discovered by Haifei Li of Check Point Research, who reported it to Microsoft in May 2024 but found evidence of its exploitation dating back to January 2023.