Hackers Used Braille Whitespace Characters to Target Windows Users

A recently patched MSHTML spoofing vulnerability in Windows (CVE-2024-43461) has now been confirmed as actively exploited in attacks. The hacker group Void Banshee leveraged this flaw in their operations, using Unicode Braille whitespace characters to disguise malicious files as PDFs.

The vulnerability was fixed during Microsoft’s September Patch Tuesday, but at the time, Microsoft did not disclose that it was already being exploited. The security bulletin for CVE-2024-43461 was only updated with this information at the end of last week.

The issue was discovered by experts from Trend Micro’s Zero Day Initiative (ZDI), who reported that Void Banshee had used the vulnerability in zero-day attacks to deploy an infostealer.

Background on Void Banshee Attacks

Back in July 2024, researchers from Check Point Research and Trend Micro had already reported on Void Banshee’s attacks, which exploited a zero-day vulnerability in Windows MSHTML. Through these attacks, hackers distributed the Atlantida infostealer, designed to steal passwords, authentication files, and cryptocurrency wallet data from infected devices.

The attacks combined two zero-day vulnerabilities: CVE-2024-38112 (patched in July) and CVE-2024-43461 (patched this month). CVE-2024-38112 was discovered by Check Point Research’s Haifei Li, who explained that hackers used specially crafted internet shortcut files (.url) to force Windows to open malicious sites in Internet Explorer instead of Microsoft Edge.

This method was used to download a malicious HTA file, which the user was prompted to open. Once opened, a malicious script would run and install the Atlantida stealer on the victim’s machine.

How Braille Whitespace Characters Were Used

It has now been revealed that the attacks also used another zero-day bug—CVE-2024-43461—to hide the HTA file extension and disguise the malicious file as a PDF when Windows asked the user whether to open it.

According to ZDI expert Peter Girnus, CVE-2024-43461 was exploited to trigger CWE-451 (user interface information distortion) in HTA file names. The file names included 26 Braille Pattern Blank whitespace characters (U+2800, URL-encoded as %E2%A0%80) to hide the .hta extension, for example:

Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80

The file name would start with a .pdf extension, followed by 26 Braille whitespace characters, and only then the actual .hta extension. As a result, when Windows asked whether to open the file, the Braille whitespace pushed the .hta extension out of the visible area of the prompt, which showed only an ellipsis (“…”). This made HTA files appear as PDFs, increasing the likelihood that victims would open them.

After the patch for CVE-2024-43461, file names padded this way still contain the Braille whitespace characters, but Windows now displays the actual .hta extension in tooltips, making the attack less effective.
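The padding technique described above can be checked for on the defender's side by comparing the extension a user would see before the first blank run with the extension that actually decides how the file is opened. The following is an added example, not code from the article or from the researchers; the list of executable extensions and the two extra blank characters besides U+2800 are assumptions, and the sample file names are constructed.

```python
"""Flag file names whose real extension is hidden behind Braille Pattern Blank padding."""
import os
from urllib.parse import unquote

# U+2800 is the character the article describes. U+3000 and U+00A0 are added here as
# an assumption: other blanks a defender would reasonably want to treat the same way.
BLANK_CHARS = frozenset({"\u2800", "\u3000", "\u00a0"})
# Assumed list of extensions that execute when opened; extend to taste.
EXECUTABLE_EXTS = frozenset({".hta", ".exe", ".js", ".vbs", ".scr", ".lnk", ".cmd", ".bat"})


def analyze_filename(name: str) -> dict:
    """Return the decoy (visible) extension, the real extension and the padding count.

    Accepts either a raw name or the URL-encoded form (%E2%A0%80) quoted in the article.
    """
    decoded = unquote(name)
    padding = sum(ch in BLANK_CHARS for ch in decoded)
    # What a truncated UI shows: everything before the first blank character.
    first_blank = next((i for i, ch in enumerate(decoded) if ch in BLANK_CHARS), len(decoded))
    decoy_ext = os.path.splitext(decoded[:first_blank])[1].lower()
    # What the OS acts on: the extension after the last dot of the full name.
    real_ext = os.path.splitext(decoded.rstrip("".join(BLANK_CHARS)))[1].lower()
    spoofed = padding > 0 and real_ext != decoy_ext and real_ext in EXECUTABLE_EXTS
    return {"decoy_ext": decoy_ext, "real_ext": real_ext, "padding": padding, "spoofed": spoofed}


def scan_filenames(names):
    """Return the subset of names that hide an executable extension behind blank padding."""
    return [n for n in names if analyze_filename(n)["spoofed"]]


if __name__ == "__main__":
    # Constructed samples: one padded HTA posing as a PDF, one benign PDF, one plain HTA.
    samples = [
        "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta",
        "Quarterly_Report.pdf",
        "installer.hta",
    ]
    for n in samples:
        print(analyze_filename(n))
    print("flagged:", scan_filenames(samples))
```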