“Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” explained Li in a July Check Point Research report.
The URLs were employed to download a malicious HTA file and prompt the user to open it. Once opened, a script is executed to install the Atlantida info-stealer.
These HTA files also exploited CVE-2024-43461 to conceal the HTA file extension and make it appear as a PDF when Windows asked users if the file should be opened. The fix from Microsoft, when applied, will allow Windows to show the actual .hta extension, thereby alerting users against the malicious download.
