CVE-2024-6473
published 2024-09-03

CVE-2024-6473: Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.

Priority: P2 (75, high)
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 0.72% (49.1th percentile)

Affected

2 ranges
Vendor    Product         Version range   Fixed in
yandex    browser         < 24.7.1.380    24.7.1.380
yandex    yandex_browser  < 24.7.1.380    24.7.1.380

Detection & IOCs (extracted from sources)

filename: winsta.dll
  • Detect DLL hijacking via untrusted search path in Yandex Browser for Desktop — monitor for unexpected DLL loads (e.g., winsta.dll) from non-standard or user-writable directories in the Yandex Browser process context.
  • Hunt for machine-specific decryption keying using firmware UUID — payloads are decrypted using the host's firmware UUID as an environmental guardrail, making sandbox detonation ineffective; look for WMI or registry queries for firmware UUID in loader processes.
  • Detect AMSI bypass attempts and debugger evasion techniques in PowerShell or .NET loader processes associated with Yandex Browser exploitation chains.
  • Monitor for HTTPS C2 traffic using domain fronting to CDN-mimicking domains matching the pattern ms-appdata-*.global.ssl.fastly.net, associated with the Trinper backdoor.
  • Correlate spearphishing emails disguised as forum invitations or service notifications with subsequent Yandex Browser process anomalies (unexpected child processes, DLL side-loading) as initial access indicators for Team46/TaxOff.
  • Hunt for identical PowerShell patterns shared between TaxOff and Team46 operations as a pivoting indicator across intrusions attributed to this threat actor.
  • Monitor for Trinper backdoor behaviors: keylogging, clipboard theft, file/process discovery activity originating from processes spawned under or related to Yandex Browser.
  • The DLL hijacking vulnerability affects only Yandex Browser for Desktop versions prior to 24.7.1.380; patched versions are not affected.
  • The domain pattern ms-appdata-*.global.ssl.fastly.net is a wildcard CDN-mimicking pattern; blocking it broadly may impact legitimate Fastly-hosted services — scope detections carefully.
  • Environmental guardrails using firmware UUID mean payloads will not execute outside the targeted host, limiting dynamic analysis effectiveness in sandboxes.
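The first detection bullet above, turned into runnable logic as an added example (not part of this CVE record or of any vendor tooling): it scans Sysmon Event ID 7 image-load records and flags winsta.dll being loaded by the browser process from anywhere other than the Windows system directories, or unsigned from within them. Assumptions: the Yandex Browser executable is named browser.exe, input records use Sysmon field names (Image, ImageLoaded, Signed, ProcessId), and the sample events are constructed.

```python
from pathlib import PureWindowsPath
from typing import Optional

HIJACK_TARGET = "winsta.dll"        # DLL named in the IOC section above
BROWSER_IMAGE = "browser.exe"       # assumed Yandex Browser executable name
TRUSTED_DIRS = (                    # where a genuine winsta.dll is expected
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Constructed Sysmon Event ID 7 (image load) records with Sysmon field names.
BROWSER_PATH = r"C:\Users\alice\AppData\Local\Yandex\YandexBrowser\Application\browser.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": BROWSER_PATH,              # benign system load
     "ImageLoaded": r"C:\Windows\System32\winsta.dll", "Signed": "true"},
    {"ProcessId": 4120, "Image": BROWSER_PATH,              # user-writable dir
     "ImageLoaded": r"C:\Users\alice\Downloads\winsta.dll", "Signed": "false"},
    {"ProcessId": 4120, "Image": BROWSER_PATH,              # per-user app dir
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Yandex\YandexBrowser"
                    r"\Application\winsta.dll", "Signed": "false"},
    {"ProcessId": 988, "Image": r"C:\Windows\explorer.exe",  # not the browser
     "ImageLoaded": r"C:\Users\alice\Downloads\winsta.dll", "Signed": "false"},
]


def is_trusted_dir(path: str) -> bool:
    """True when the module sits directly in a Windows system directory.
    PureWindowsPath compares case-insensitively, so c:\\windows matches."""
    return PureWindowsPath(path).parent in TRUSTED_DIRS


def classify(event: dict) -> Optional[str]:
    """Return a finding for one image-load record, or None if it looks benign."""
    if PureWindowsPath(event["Image"]).name.lower() != BROWSER_IMAGE:
        return None                                   # not the browser process
    loaded = event["ImageLoaded"]
    if PureWindowsPath(loaded).name.lower() != HIJACK_TARGET:
        return None                                   # not the DLL of interest
    if not is_trusted_dir(loaded):
        return f"winsta.dll loaded from untrusted directory: {loaded}"
    if event.get("Signed", "false").lower() != "true":
        return f"unsigned winsta.dll in system directory: {loaded}"
    return None


def scan(events) -> list:
    """Apply classify() to every record; returns (ProcessId, finding) pairs."""
    return [(e["ProcessId"], f) for e in events if (f := classify(e))]


if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

Extending TRUSTED_DIRS is the only change needed for hosts with a non-default system root; the name check on browser.exe should be replaced with the actual image name observed in your environment.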

CVSS provenance

nvd (v3.1): 7.8 HIGH  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v4.0): 8.4 HIGH  CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 8.4 HIGH