
Windows Vulnerability Exploits Braille ‘Spaces’ in Zero-Day Attacks


The recently patched “Windows MSHTML spoofing vulnerability” identified as CVE-2024-43461 is now marked as previously exploited after it was used in attacks by the Void Banshee APT hacking group.

When it was first disclosed as part of the September 2024 Patch Tuesday update, Microsoft did not mark the vulnerability as previously exploited. On Friday, however, Microsoft updated the CVE-2024-43461 advisory to indicate that it had been exploited in attacks before it was patched.

The discovery of the vulnerability is attributed to Peter Girnus, senior threat researcher at Trend Micro's Zero Day Initiative (ZDI), who told BleepingComputer that the CVE-2024-43461 flaw was exploited in zero-day attacks by Void Banshee to install information-stealing malware.

Void Banshee is an APT hacking group first discovered by Trend Micro that targets organizations in North America, Europe, and Southeast Asia with the goal of stealing data and making financial gains.

Zero-day vulnerability CVE-2024-43461

In July, Check Point Research and Trend Micro reported on the same attacks, which exploited Windows zero-day vulnerabilities to infect devices with the Atlantida info-stealer, which was used to steal passwords, authentication cookies, and cryptocurrency wallets from infected devices.

The attacks exploited zero-day vulnerabilities designated CVE-2024-38112 (fixed in July) and CVE-2024-43461 (fixed this month) as part of an attack chain.

The discovery of the CVE-2024-38112 zero-day vulnerability is attributed to Check Point researcher Haifei Li, who says it was exploited to force Windows to open malicious websites in Internet Explorer rather than Microsoft Edge when running specially crafted shortcut files.

“Specifically, attackers used special Windows web shortcut files (.url extension) that, when clicked, invoked a deprecated Internet Explorer (IE) browser to visit an attacker-controlled URL,” Li explained in a July report by Check Point Research.

These URLs served a malicious HTA file and prompted the user to open it. Once opened, the script inside the HTA file installed the Atlantida info-stealer.

The HTA files exploited another zero-day, identified as CVE-2024-43461, to hide the HTA file extension and make the file appear to be a PDF in the prompt Windows shows when asking users whether it should open the file, as shown below.

ZDI researcher Peter Girnus told BleepingComputer that the CVE-2024-43461 vulnerability was also exploited in Void Banshee attacks to create a CWE-451 condition (user interface misrepresentation of critical information) using HTA filenames that contained 26 URL-encoded Braille whitespace characters (%E2%A0%80) to hide the .hta extension.

As you can see below, the file name starts with a .pdf extension but is followed by twenty-six repeated URL-encoded Braille whitespace characters (%E2%A0%80) and then the real “.hta” extension.


Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta

When Windows opens this file, the Braille whitespace characters push the HTA extension out of the visible user interface, where it is truncated with a “…” string in Windows prompts, as shown below. This caused the HTA files to appear as PDF files, making them more likely to be opened.

Braille space characters push HTA extension out of view
Source: Trend Micro
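A defender-side check for this masking pattern, added here as an example and not code from the report or from any vendor tool: it URL-decodes a file name, strips the run of blank-rendering characters in front of the last extension, and flags the name when an executable extension such as .hta sits behind that padding. The Unicode blanks beyond U+2800 and the list of executable extensions are assumptions made for broader coverage.

```python
from urllib.parse import unquote

# U+2800 BRAILLE PATTERN BLANK is what %E2%A0%80 decodes to. The other code
# points are further Unicode blanks that render invisibly; including them is an
# assumption for broader coverage, not something the report describes.
BLANK_PAD = (
    "\u2800"                                  # Braille blank used in the attacks
    "\u00a0\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a"
    "\u202f\u205f\u3000\u200b\u200c\u200d\ufeff"
)

# Extensions that run code when opened; .hta is the one used by Void Banshee
# (the rest of the list is an assumption).
EXECUTABLE_EXTS = {".hta", ".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                   ".lnk", ".bat", ".cmd", ".ps1"}


def analyze_filename(raw: str) -> dict:
    """Decode a (possibly URL-encoded) file name and report whether its real
    extension is pushed out of view by a run of blank-rendering characters."""
    name = unquote(raw)                      # "%E2%A0%80" -> "\u2800"
    stem, dot, ext = name.rpartition(".")
    real_ext = ("." + ext).lower() if dot else ""
    visible = stem.rstrip(BLANK_PAD)         # what the prompt shows before the padding
    padding = stem[len(visible):]
    _, vdot, vext = visible.rpartition(".")
    apparent_ext = ("." + vext).lower() if vdot else ""
    return {
        "decoded": name,
        "visible": visible,
        "pad_len": len(padding),
        "pad_chars": sorted({f"U+{ord(c):04X}" for c in padding}),
        "apparent_ext": apparent_ext,
        "real_ext": real_ext,
        # Blank padding in front of an executable extension is the CWE-451 pattern.
        "suspicious": bool(padding) and real_ext in EXECUTABLE_EXTS,
    }


def flag_suspicious(names):
    """Return the analysis of every name that looks like a masked extension."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed samples: the first mirrors the name quoted in the report.
    samples = ["Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta",
               "Books_A0UJKO.pdf", "quarterly%20report.pdf"]
    for hit in flag_suspicious(samples):
        print(f"{hit['visible']!r} looks like {hit['apparent_ext']} but is "
              f"{hit['real_ext']} ({hit['pad_len']} x {hit['pad_chars']})")
```

The same check can be run over proxy or download logs, since the names there arrive URL-encoded exactly as quoted above.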

After installing the security update for CVE-2024-43461, Girnus says, the spaces are not removed, but Windows now shows the actual .hta file extension in prompts.

Security update now shows HTA extension
Source: Peter Girnus

Unfortunately, this fix is not perfect, as the included whitespace will still confuse users and make them think the file is a PDF rather than an HTA.

Microsoft fixed three other actively exploited zero-day vulnerabilities as part of its September Patch Tuesday update, including CVE-2024-38217, which was used in LNK Stomping attacks to bypass the Mark of the Web security feature.