Trend Micro has observed an advanced persistent threat (APT) group exploiting vulnerabilities in Internet Explorer. The group, known as Void Banshee, is leveraging a recently patched vulnerability to infect victim machines with the Atlantida info-stealer. This is part of a multi-stage attack involving uniquely crafted URL files and impacting the Windows MSHTML Platform. 

The vulnerability in question is CVE-2024-38112, affecting Microsoft Internet Explorer v 11 - 11.1790.17763.0, Windows: before 11 23H2 10.0.22631.3880 and Windows Server: before 2022 10.0.20348.2582. 

Void Banshee exploits CVE-2024-38112 to infect targeted machines with the info-stealer, seeking sensitive data such as passwords, system information and cookies. Zip archives hosting malicious files are disguised as book PDFs in order to lure targets. These are often distributed through cloud-sharing websites, online libraries and Discord servers. These attacks are predominantly observed in North America, Europe and Southeast Asia. 

Security leaders weigh in 

Mr. Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit:

“MHTML attacks are not new. A prime example we’ve seen in the past is CVE-2021-40444, where the delivery mechanism was a MSWORD file. CVE-2024-38112 in this case is somewhat similar and uses .URL files as a means of exploitation. The underlying premise in both these attacks is the ability of an attacker to call the older Internet Explorer instead of the more secure Chrome/Edge. Microsoft has taken a route of unregistering the ".mhtml" handler in .url files for this security update.

“This CVE is definitely important for the fact that it led to two patches, one for CVE-2024-38112 and another defense-in-depth patch for fixing the .hta evasion trick. Both these patches are important and were released this Patch Tuesday.” 

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start:

“MHTML (MIME HTML) is a web page archive format used to combine resources such as images, applets, and scripts into a single file. This is particularly useful for saving and sending complete web pages. MHTML files typically have a .mht or .mhtml extension and are often used by Microsoft Internet Explorer.

“CVE-2024-38112 is a vulnerability in the Microsoft MSHTML platform, which is a core component of Internet Explorer responsible for rendering web pages. This specific flaw allows for a spoofing attack, where an attacker can craft a malicious MHTML file that, when opened by the victim, could execute arbitrary code. The attack begins with a malicious MHTML file, often disguised as a legitimate internet shortcut file. By opening this file, the user inadvertently triggers the vulnerability, allowing the attacker to execute malicious scripts. These files are distributed through cloud-sharing services, Discord servers, and online libraries, increasing their reach.

“Microsoft addressed this vulnerability in its July 2024 Patch Tuesday release. Despite the patch, the vulnerability remains significant due to several factors:

1. “Delayed or Missed Updates: Many users and organizations may not immediately apply patches, leaving systems vulnerable.
2. Legacy Systems: Unsupported and outdated systems, such as old versions of Internet Explorer, are still in use and are prime targets for such vulnerabilities.
3. Evolving Attack Techniques: APT groups like Void Banshee continually adapt their tactics. Even after a patch is released, they can find new ways to exploit the vulnerability before widespread adoption of the update.

“The Void Banshee group has been actively exploiting this vulnerability to distribute the Atlantida info-stealer, targeting sensitive user data. The group's focus on using cloud-sharing platforms and popular communication tools for distribution highlights their sophisticated approach and broad reach.

“The discovery and exploitation of CVE-2024-38112 by Void Banshee underline the critical importance of timely security updates and patch management. Even with a patch available, the risk persists due to the slow uptake of updates and the continued use of legacy systems. As always, defenders must prioritize awareness and prompt action to mitigate such vulnerabilities effectively.”