Security News > 2024 > July > Windows MSHTML zero-day used in malware attacks for over a year
![Windows MSHTML zero-day used in malware attacks for over a year](/static/build/img/news/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year-medium.jpg)
Haifei Li discovered that threat actors have been distributing Windows Internet Shortcut files that are spoofed to look like legitimate files, such as PDFs, but that download and launch HTA files to install password-stealing malware.
An Internet Shortcut File is simply a text file that contains various configuration settings, such as what icon to show, what link to open when double-clicked, and other information.
When saved as a .url file and double-clicked, Windows will open the configured URL in the default web browser.
According to vulnerability researcher Will Dormann, opening a webpage in Internet Explorer offers additional benefits to threat actors, as there are fewer security warnings when downloading malicious files.
Check Point says that the threat actors are creating Internet Shortcut files with icon indexes to make them appear as links to a PDF file.
Check Point Research told BleepingComputer that allowing the HTA file to run would install the Atlantida Stealer password-stealing malware on the computer.
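As an added example (not from the original article or from Check Point), a small triage function for the Internet Shortcut format described above: it parses the `[InternetShortcut]` section and flags a non-web URL scheme, an HTA target, and an icon override. The scheme allowlist, the sample file contents and the `triage_shortcut` name are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed samples for illustration; hosts and paths are placeholders.
SAMPLE_DISGUISED = (
    "[InternetShortcut]\n"
    "URL=https://files.example.test/share/invoice.hta\n"
    "IconFile=C:\\Program Files\\ExampleReader\\reader.exe\n"
    "IconIndex=13\n"
)
SAMPLE_PLAIN = "[InternetShortcut]\nURL=https://www.example.test/docs/\n"

ALLOWED_SCHEMES = {"http", "https"}      # assumption: only web links are expected
ACTIVE_EXTENSIONS = (".hta",)            # extend to match local policy


def triage_shortcut(text):
    """Return a list of findings for the contents of one .url file."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
        fields = dict(parser.items("InternetShortcut"))  # keys are lowercased
    except configparser.Error as exc:
        return [f"unparseable shortcut: {type(exc).__name__}"]

    findings = []
    target = urlsplit(fields.get("url", "").strip())
    if target.scheme.lower() not in ALLOWED_SCHEMES:
        findings.append(f"unexpected URL scheme: {target.scheme or '(none)'}")
    if target.path.lower().endswith(ACTIVE_EXTENSIONS):
        findings.append(f"target is an active-content file: {target.path}")
    if "iconfile" in fields or "iconindex" in fields:
        findings.append("shortcut overrides its icon (IconFile/IconIndex)")
    return findings


if __name__ == "__main__":
    for name, body in (("disguised", SAMPLE_DISGUISED), ("plain", SAMPLE_PLAIN)):
        print(name, triage_shortcut(body) or "no findings")
```

An icon override on its own is common in benign shortcuts, so it is best treated as a weak signal that matters when combined with one of the other two findings.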