“Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” explained Li in a July Check Point Research report.
The URLs were used to download a malicious HTA file and prompt the user to open it. Once opened, a script is executed to install the Atlantida info-stealer.
These HTA files also exploited CVE-2024-43461 to hide the HTA file extension and make it appear as a PDF when Windows asked users whether the file should be opened. Microsoft's fix, once applied, will allow Windows to show the actual .hta extension, thereby warning users against the malicious download.
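Added example, not code from the report or from Check Point: a small defender-side check that recovers the real extension of a downloaded file name and reports any decoy document extension sitting in front of it. It assumes the spoof pads the name with characters that render as blank space (whitespace, Unicode format/separator characters, the Braille blank U+2800); that list, and the extension sets, are assumptions of the example.

```python
import unicodedata

# Constructed lists for this example: extensions that run script when opened
# (.hta and .url are the two named in the article) and document extensions an
# attacker might use as a decoy (.pdf is the one the article mentions).
SCRIPT_EXTENSIONS = {"hta", "url"}
DECOY_EXTENSIONS = {"pdf", "docx", "txt"}


def _renders_blank(ch: str) -> bool:
    """True for characters that show as empty space in a file dialog.

    Assumption of the example: ordinary whitespace, Unicode format and
    separator characters, and the Braille blank U+2800 all render blank.
    """
    return ch.isspace() or unicodedata.category(ch) in ("Cf", "Zs", "Zl", "Zp") or ch == "\u2800"


def analyse_filename(name: str) -> dict:
    """Recover the real extension of a file name and any decoy in front of it."""
    lower = name.lower()
    last_dot = lower.rfind(".")
    if last_dot < 0:
        return {"real_ext": "", "decoy_ext": "", "padding_chars": 0, "suspicious": False}
    # The extension Windows actually dispatches on, minus any trailing padding.
    real_ext = "".join(ch for ch in lower[last_dot + 1:] if not _renders_blank(ch))
    head = lower[:last_dot]
    # Count padding characters sitting between the decoy and the real extension.
    padding = 0
    while head and _renders_blank(head[-1]):
        head = head[:-1]
        padding += 1
    decoy_dot = head.rfind(".")
    decoy_ext = head[decoy_dot + 1:] if decoy_dot >= 0 else ""
    # A script extension hiding behind a document extension is the spoof pattern
    # the article describes; report it whether the gap is padded or not, since
    # Windows may also hide a known final extension on its own.
    suspicious = real_ext in SCRIPT_EXTENSIONS and decoy_ext in DECOY_EXTENSIONS
    return {"real_ext": real_ext, "decoy_ext": decoy_ext, "padding_chars": padding, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample names: one padded spoof, one plain document, one plain HTA.
    for sample in ("Report.pdf" + "\u2800" * 26 + ".hta", "report.pdf", "setup.hta"):
        print(repr(sample[:20]), analyse_filename(sample))
```

A plain .hta with no decoy is not flagged as spoofed, but `real_ext` is still returned so a caller can block script extensions outright.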