APT Exploits Windows Zero-Day to Execute Code via Disabled Internet Explorer


An advanced persistent threat (APT) actor known as Void Banshee has exploited a recent Windows zero-day to execute code through the disabled Internet Explorer, Trend Micro explains.

The vulnerability, tracked as CVE-2024-38112 (CVSS score of 7.5), was addressed with the July 2024 Patch Tuesday updates, roughly two months after Trend Micro discovered it in the wild and reported it to Microsoft.

Void Banshee, a threat actor targeting entities in North America, Europe, and South Asia for information theft and financial gain, exploited CVE-2024-38112 as a zero-day to infect victims with the Atlantida stealer, a malware family discovered in January 2024.

As part of the observed attacks, the APT leveraged internet shortcut (URL) files to abuse the MHTML (MIME encapsulation of aggregate HTML documents) protocol handler together with the x-usc! directive, executing code directly through Windows’ disabled Internet Explorer (IE).

Although it was discontinued in 2022, IE still ships with Windows, even in the latest releases, though it is not accessible to the typical user: Microsoft has implemented mechanisms so that IE’s replacement, Edge, launches whenever a user attempts to run the IE executable.

CVE-2024-38112, however, has allowed Void Banshee to craft URLs that would lead to the execution of HTML Application (HTA) files through the disabled IE process.

The attacks would start with a spearphishing message delivering internet shortcut files posing as PDF copies of books to lure victims into opening them. The attack chain exploited the zero-day to open the disabled IE and use it to redirect the victim to a compromised website hosting a malicious HTA file.

“In the URL parameter of the internet shortcut file, we can see that Void Banshee specifically crafted this URL string using the MHTML protocol handler along with the x-usc! directive. This logic string opens the URL target in the native Internet Explorer through the iexplore.exe process,” Trend Micro underlines.


The HTML file on the attacker-controlled domain also allowed the APT to control the size of the browser window and to hide the download of the next stage.

By default, IE prompts the user to open or save the HTML application, but the attackers added spaces to the malicious HTA file extension so that the user would believe they were downloading a PDF file instead.
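As an added illustration (not code from the article or from Trend Micro), the following Python parses an internet shortcut file and flags the two traits described above, the MHTML protocol handler and the x-usc! directive in the URL= field, and separately checks a file name for the space-padded decoy extension; the file contents and hosts are constructed placeholders, not real indicators.

```python
import re
from typing import Dict, List

# Constructed sample of a Windows internet shortcut (.url) file, modelled on the
# pattern Trend Micro describes: the URL= value invokes the MHTML protocol handler
# together with an x-usc! directive. Hosts are placeholders, not real indicators.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://lure.example.invalid/book.html!x-usc:http://lure.example.invalid/book.html
"""

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://docs.example.invalid/report.pdf
"""

def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [InternetShortcut] section, keys lower-cased."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def shortcut_findings(text: str) -> List[str]:
    """Flag .url content matching the CVE-2024-38112 abuse pattern from the article."""
    url = parse_internet_shortcut(text).get("url", "").lower()
    findings: List[str] = []
    if url.startswith("mhtml:"):
        findings.append("mhtml protocol handler")
    if "!x-usc:" in url:
        findings.append("x-usc directive")  # opens the target in native IE (iexplore.exe)
    return findings

def disguised_extension(filename: str) -> bool:
    """True when a decoy extension (e.g. .pdf) is padded with whitespace before the real one (.hta)."""
    return re.search(r"\.[A-Za-z0-9]+\s+\.[A-Za-z0-9]+$", filename) is not None

if __name__ == "__main__":
    print(shortcut_findings(SUSPICIOUS_URL_FILE))   # ['mhtml protocol handler', 'x-usc directive']
    print(disguised_extension("Book.pdf              .hta"))  # True
```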

Once the HTA file is run, the infection chain continues with a series of scripts, the LoadToBadXml .NET trojan loader and Donut shellcode, and finally the in-memory execution of the Atlantida stealer.

The malware targets passwords and other information from FileZilla, Steam, Telegram, cryptocurrency wallets and extensions, and web browsers. It can also capture the victim’s screen, steal files, and harvest extensive system information.

“Threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware. The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide,” Trend Micro notes.

