Trend Micro warns of hacker gang VoidBanshee exploiting Windows vulnerability CVE-2024-38112
Take action: If you thought that Internet Explorer flaws were gone just because it is no longer visible in your Windows, you are wrong. All it takes is a phishing attachment to exploit a vulnerability in the Internet Explorer code that still ships with Windows. Be very careful with unexpected emails, even if they appear to contain only PDF files, and make sure you patch your Windows.
Learn More
Trend Micro warns that an advanced persistent threat (APT) actor known as Void Banshee has exploited a Windows zero-day vulnerability, tracked as CVE-2024-38112 (CVSS score 7.5), to execute code via the disabled Internet Explorer.
The vulnerability was addressed in the July 2024 Patch Tuesday updates, approximately two months after its discovery in the wild and subsequent report to Microsoft. Microsoft warned in the patch release that the flaw was being actively exploited.
Exploitation details
- This vulnerability involves the MHTML (MIME encapsulation of aggregate HTML documents) protocol handler within Internet Explorer (IE), which allows execution of HTML Application (HTA) files even when IE is disabled. Void Banshee used internet shortcut (.url) files to abuse the MHTML protocol handler and x-usc directives, executing code through the disabled IE process.
- The attackers initiated the attack via spearphishing emails containing internet shortcut files disguised as PDF books. When victims opened these files, the attack chain led to the execution of a malicious HTA file.
- The URL parameters in the internet shortcut files were crafted to open the target URL using the native Internet Explorer process (iexplore.exe), leading to the download and execution of the malicious HTA file.
- Once the HTA file executed, it triggered a series of scripts and the LoadToBadXml .NET trojan loader, culminating in the in-memory execution of the Atlantida stealer.
- The Atlantida stealer targets and exfiltrates sensitive information from applications such as FileZilla, Steam, Telegram, cryptocurrency wallets, and web browsers. It can also capture screenshots, steal files, and gather extensive system information.
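As an added example (not code from Trend Micro's report or from this page), the following Python check parses an attached internet shortcut and flags the indicators described above: a URL field that hands the target to the MHTML protocol handler, an x-usc directive, and a file name masquerading as a PDF. The file contents and the host name are constructed placeholders, not real indicators.

```python
import configparser
import re

# Constructed sample .url (InternetShortcut) file, modelled on the indicators
# described above. The host "files.example.invalid" is a placeholder.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://files.example.invalid/book.pdf!x-usc:http://files.example.invalid/book.pdf
ShowCommand=7
IconIndex=13
"""

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.invalid/docs
"""


def parse_internet_shortcut(text: str) -> dict:
    """Parse a .url file (INI syntax) and return its [InternetShortcut] fields."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str  # keep key case as written (URL, IconFile, ...)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def shortcut_findings(filename: str, text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    url = parse_internet_shortcut(text).get("URL", "")
    lowered = url.lower()
    if lowered.startswith("mhtml:"):
        findings.append("URL uses the MHTML protocol handler (opens in Internet Explorer)")
    if "!x-usc:" in lowered:
        findings.append("URL contains an x-usc directive")
    # A double extension such as book.pdf.url is a shortcut posing as a document.
    if re.search(r"\.(pdf|docx?|xlsx?)\.url$", filename, re.IGNORECASE):
        findings.append("shortcut file name masquerades as a document")
    return findings


if __name__ == "__main__":
    for name, body in (("book.pdf.url", SUSPICIOUS_URL_FILE), ("docs.url", BENIGN_URL_FILE)):
        print(name, "->", shortcut_findings(name, body) or "no findings")
```

Mail gateways or triage scripts can apply the same check to every `.url` attachment before it reaches a user.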
Microsoft addressed this vulnerability in their July 2024 Patch Tuesday updates by unregistering the MHTML handler from Internet Explorer, effectively mitigating the risk.