In this article, I see that Microsoft fixed a zero-day that was once in the wild to hide a file extension from users called HTA.
I don’t know what this was, but according to the article, it used a braille space which I’ve never heard of. There’s a bunch of percent type codes like %a and %0 as part of the shown filename which makes this interesting.
It basically makes this thing extend itself from the extension list to make people think we’re dealing with a PDF file.
To read the entire details, please read this article by Bleeping Computer called Windows vulnerability abused braille “spaces” in zero-day attacks which talks about this and other fixed zero-days that are no longer wild.
I sent this to Robert Stepp, developer and owner of Braille2000 as I thought this was interesting enough to send him.
Bob did write back about the Braille Space, even though I didn’t have any specific questions for him.
He wrote:
Hi,
There is nothing special about a “braille” space. The 0x2800 character is simply a space in the 8-dot braille page of Unicode (three bytes in UTF-8). Apparently 0x2800 is interesting because it shows as nothing but is parsed as non-whitespace. A bogus filename SomeName.pdfxxxxxxxxxxxxxxxxxxxx.hta where x is the braille space, when written to a FileName box (whose length is too short to show the final .hta without scrolling) appears to be a .pdf file when it is actually a .hta (private malware) file. Any Unicode character, not known by Windows controls to be whitespace (space, thin-space, zero-width-space, etc.) would work just as well for this visualization spoof.
That’s very insightful, Bob! If one is to know how this stuff works, it would be him. Thanks for sharing!
See everyone soon.
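A defensive check for the filename trick Bob describes, as an added example that is not part of the original post or of Braille2000: it strips the run of blank-looking characters in front of the real extension and reports the decoy extension a user would see. The function names, the character list and the sample filenames are constructed for illustration, and percent-encoded names are decoded first because the article shows the name with percent codes.

```python
import unicodedata
from urllib.parse import unquote

# Characters that draw as blank or nothing. Constructed, non-exhaustive list.
BLANK_LOOKING = {
    "\u2800",            # BRAILLE PATTERN BLANK (the character from the article)
    "\u3164",            # HANGUL FILLER
    "\u115f", "\u1160",  # Hangul jamo fillers
}

def is_padding(ch):
    """True for whitespace, format/zero-width characters and blank-looking glyphs."""
    return ch.isspace() or ch in BLANK_LOOKING or unicodedata.category(ch) == "Cf"

def inspect_filename(raw):
    """Return the real extension and any decoy extension hidden behind padding."""
    name = unquote(raw)  # %E2%A0%80 is the UTF-8 encoding of U+2800
    report = {"name": name, "real_ext": "", "apparent_ext": "",
              "padding": [], "padding_len": 0, "suspicious": False}
    stem, dot, real_ext = name.rpartition(".")
    if not dot:
        return report  # no extension at all
    # Walk back over the padding that sits directly before the real extension.
    end = len(stem)
    while end > 0 and is_padding(stem[end - 1]):
        end -= 1
    padding = stem[end:]
    _, inner_dot, apparent_ext = stem[:end].rpartition(".")
    decoy = bool(inner_dot) and apparent_ext.isalnum()
    report.update(
        real_ext=real_ext.lower(),
        apparent_ext=apparent_ext.lower() if decoy else "",
        padding=sorted({f"U+{ord(c):04X}" for c in padding}),
        padding_len=len(padding),
        # Flag only when padding separates a decoy extension from the real one.
        suspicious=bool(padding) and decoy,
    )
    return report

if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    samples = [
        "Invoice.pdf" + "\u2800" * 20 + ".hta",
        "Invoice.pdf" + "%E2%A0%80" * 20 + ".hta",
        "archive.tar.gz",
        "My notes .txt",
    ]
    for s in samples:
        r = inspect_filename(s)
        print(r["suspicious"], r["apparent_ext"], r["real_ext"], r["padding"])
```

The check is a heuristic: it only looks at padding directly in front of the last extension, so it belongs alongside, not instead of, handling files by their real type.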