CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks

Report Highlights:

In May, ZDI threat hunters under Trend Micro’s Zero Day Initiative discovered a vulnerability that the APT group Void Banshee had been exploiting in an updated Atlantida Stealer campaign. We promptly identified and reported this as a zero-day vulnerability to Microsoft.
The vulnerability CVE-2024-38112 (ZDI-CAN-24433) was used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML.
As part of Void Banshee's attack chain, CVE-2024-38112 is being used to infect victim machines with the Atlantida info-stealer, which focuses on pilfering system information and sensitive data (like passwords and cookies) from various applications.
Void Banshee lures in victims using zip archives containing malicious files disguised as book PDFs; these are disseminated in cloud-sharing websites, Discord servers, and online libraries, among others. Void Banshee's attacks are concentrated in North America, Europe, and Southeast Asia.
This zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.
For additional background on this entry, please read the ZDI blog entry, "Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD".

Trend Micro Zero Day Initiative (ZDI) discovered the MHTML remote code execution (RCE) vulnerability CVE-2024-38112. We immediately alerted Microsoft of this vulnerability being used in–the-wild as ZDI-CAN-24433. CVE-2024-38112 was used as part of an attack chain by the advanced persistent threat (APT) group Void Banshee, which targets North American, European, and Southeast Asian regions for information theft and financial gain. The final payload of this zero-day attack chain is the Atlantida stealer, which was first discovered in January 2024. Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains.

In mid-May 2024, we tracked this updated Void Banshee campaign using internal and external telemetry. The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol which was able to access Windows system-disabled Internet Explorer.

In the attack chain shown in Figure 1, the threat actor leveraged CVE-2024-38112 to execute malicious code by abusing the MHTML protocol handler and x-usc directives through internet shortcut (URL) files. Using this technique, the threat actor was able to access and run files directly through the disabled Internet Explorer instance on Windows machines. This MHTML code execution vulnerability was used to infect users and organizations with Atlantida malware.

Trend provides protection to users from threat actors that exploit CVE-2024-38112 via the security solutions that can be found at end of this blog entry.

Figure 1. Attack chain of the CVE-2024-38112 zero-day campaign

Internet Explorer used as an attack vector

Internet Explorer (IE) has officially ended support on June 15, 2022. Additionally, IE has been officially disabled through later versions of Windows 10, including all versions of Windows 11. Disabled, however, does not mean IE was removed from the system. The remnants of IE exist on the modern Windows system, though it is not accessible to the average user (Figure 2).

Figure 2. Internet Explorer still exists on modern Windows systems

If users attempt to execute the IE executable (iexplore.exe), instead its replacement, Microsoft Edge, opens. For users and organizations that need to access sites and workloads through Internet Explorer, Microsoft has provided IE mode for Microsoft Edge (Figure 3). IE mode for Edge contains some IE-specific functionality, but operates inside the Microsoft Edge sandbox, which in theory provides enhanced security for the end user.

Figure 3. Internet Explorer mode in Microsoft Edge

In this campaign, the ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which we disclosed to Microsoft. These samples could run and execute files and websites through the disabled IE process by exploiting CVE-2024-38112 through MSHTML. By using specially crafted.URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process. This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks. This method of using the disabled IE process as a proxy to access sites and scripts is especially alarming, as IE has historically been a vast attack surface but now receives no further updates or security fixes.

This vulnerability was patched as part of the July 2024 Patch Tuesday. As of this patch cycle, Microsoft has unregistered the MHTML handler from Internet Explorer (Figure 4).

Figure 4. MHTML handler is no longer registered with Internet Explorer

This means that MHTML is no longer usable inside of internet shortcut files.

Technical analysis

T1566.002: Spearphishing Links

Void Banshee used zip archives containing copies of books in PDF format, along with malicious files disguised as PDFs in spearphishing links (T1566.002), on online libraries, cloud sharing sites, Discord, and a slew of compromised websites.

Some PDF lures we uncovered during our analysis of the Void Banshee campaign include textbooks and reference material such as Clinical Anatomy, which suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected (Figure 5). In the case of exploiting CVE-2024-38112, Void Banshee changed the default icon of an internet shortcut file to that of a PDF file to entice the victim into executing it.

Stage 1: Malicious internet shortcut (URL) file

Name	Books_A0UJKO.pdf.url
SHA256	c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae
Size	267 bytes
File type	Internet shortcut

The zero-day attack begins when the victim opens a URL shortcut file designed to exploit CVE-2024-38112. One of the samples we uncovered, "Books_A0UJKO.pdf.url", is designed to look like a PDF copy of a book (Figure 6). The URL shortcut uses the MHTML protocol handler and the x-usc! directive through the internet shortcut’s URL parameter. This logic string is similar to the exploit logic of CVE-2021-40444 (Microsoft Office Remote Code Execution Vulnerability), highlighting the continued misuse of Windows protocol handlers.

Figure 6. Malicious URL file disguised to look like a PDF of a book

In this attack, CVE-2024-38112 was used as a zero-day to redirect a victim by opening and using the system-disabled IE to a compromised website which hosted a malicious HTML Application (HTA), as shown in Figure 7.

In the URL parameter of the internet shortcut file, we can see that Void Banshee specifically crafted this URL string using the MHTML protocol handler along with the x-usc! directive. This logic string opens the URL target in the native Internet Explorer through the iexplore.exe process.

Stage 2: HTML file downloader

Name	test1.html
SHA256	d8824f643127c1d8f73028be01363fd77b2ecb050ebe8c17793633b9879d20eb
Size	716 bytes
File type	HTML

As mentioned above, the internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain (Figure 8). Using this HTML file, the attacker can also control the window view size of the website through IE. This is used by the threat actor to hide browser information and to mask the downloading of the next stage of the infection chain from the victim. Void Banshee specifically crafted this HTML file using window size elements to control the window size of IE.

Once this URL is contacted via IE, it attempts to open the malicious HTA file, prompting the user to open or save the HTML application (Figure 9). This behavior is unique to IE in that HTA files are opened by default, whereas modern browsers like Microsoft Edge or Chrome do not have the default open action.

Figure 9. Internet Explorer downloads the “Books_A0UJKO.pdf<26 spaces>.hta” file

The attacker adds 26 spaces to the malicious HTA file extension in “Books_A0UJKO.pdf.hta” to push the extension off the screen (Figure 10). The ellipses highlight that the filename contains additional content however, it is not clickable or expandable. To an unsuspecting user, it appears as if this is merely a PDF file.

Figure 10. The HTA file extension does not appear on the screen

Stage 3: HTA file and VBS downloader

Name	Books_A0UJKO.pdf<26 spaces>.hta
SHA256	87480b151e465b73151220533c965f3a77046138f079ca3ceb961a7d5fee9a33
Size	1,662 bytes
File type	Internet shortcut

The HTA file contains a Visual Basic Script (VBScript) that decrypts XOR encrypted content with key 4 and executes the content using PowerShell (Figure 11). This script uses PowerShell to download an additional script hosted on a compromised web server and executes the command using the PowerShell irm (Invoke-RestMethod) alias and iex (Invoke-Expression) alias commands. Finally, the script creates a new process for the downloaded script using the Win32_Process WMI class.

Stage 4: PowerShell trojan downloader

Name	become.txt
SHA256	c85eedd51dced48b3764c2d5bdb8febefe4210a2d9611e0fb14ffc937b80e302
Size	551 bytes
File type	PowerShell

Initially, the script defines the DllImport attributes to import two functions:

GetConsoleWindow from kernel32.dll, which retrieves the handle of the console window associated with the calling process.
“ShowWindow” from user32.dll, which sets the visibility state of the specified window.

It then uses the Add-Type cmdlet to add the type defined in $crop213 to the current PowerShell session, under the namespace crumble542543 with the name culture6546.

Next, the script retrieves the handle of the console window using the GetConsoleWindow method and stores it in $danger5646. It then calls ShowWindow with the window handle and the parameter 0, which hides the console window. This technique is often employed in malware to run without displaying any user interface.

The script proceeds to create a new System.Net.WebClient object, which is used to download data from a malicious server. This downloaded data is subsequently loaded as a .NET assembly using the System.Reflection.Assembly's Load method. Finally, the script invokes the entry point of the downloaded assembly, effectively executing the code contained within it.

Figure 12. Contents of the “become.txt” PowerShell file

Stage 5: .NET trojan loader

Name	LoadToBadXml.exe , tedfd.te, Vnn3qRKOxH.exe
SHA256	13907caae48ea741942bce60fa32087328475bd14f5a81a6d04d82286bd28b4d
Size	6,994,432 bytes
File type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Window

LoadToBadXml is a .NET Trojan loader that is obfuscated using Eziriz .NET Reactor. As shown in Figure 13, it decrypts XOR-encrypted payloads using a byte array key (3, 2, 2).

Figure 13. The payload decryption process

It then injects them into C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe. The malware employs a common process injection technique, which involves the following steps:

Create Process: The malware uses the CreateProcess Windows API to launch RegAsm.exe in a suspended state.
Memory Allocation: It allocates space within the RegAsm.exe process using the VirtualAllocEx API.
Write Payload: The decrypted payload is then written into the allocated memory space using the WriteProcessMemory API.
Execute Payload: Finally, the malware creates a remote thread within the RegAsm.exe process to execute the injected payload using the CreateRemoteThread API.

LoadToBadXml is a modified version of the shellcode injector from Program.cs of the open-source project Donut Loader (Figure 14).

Figure 14. LoadToBadXml injects the decrypted Donut loader into the RegAsm.exe process

Stage 6: Donut loader

SHA256	119b0994bcf9c9494ce44f896b7ff4a489b62f31706be2cb6e4a9338b63cdfdb
Size	6.59 MB (6,918,144 bytes)
File type	Shellcode

Donut is an opensource position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies. In this attack, Donut is used to decrypt and execute the Atlantida stealer inside RegAsm.exe process memory.

Stage 7: Atlantida stealer analysis

Name	AtlantidaStealer.exe
SHA256	6f1f3415c3e52dcdbb012f412aef7b9744786b2d4a1b850f1f4561048716c750
Size	6.6 MB (6,883,112 bytes)
Compilation time	2024-01-25 15:52:03
File type	PE32 executable (GUI) Intel 80386, for MS Windows

The final payload delivered in this attack is the Atlantida stealer, an info-stealer malware with extensive capabilities. Overall, the malware is built from open-source stealers NecroStealer and PredatorTheStealer, incorporating many of the same functions and structures found in these programs. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers. This malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop. Moreover, the malware captures the victim's screen and gathers comprehensive system information. The stolen data is then compressed into a ZIP file and transmitted to the attacker via TCP.Upon execution, the malware initializes the ZIP file, sets up necessary structures, and manages the process of writing files to the archive. It then retrieves the "APPDATA" and "DESKTOP" paths and stores them in a global variable. This variable is later used throughout the code to access these locations, utilizing the SHGetFolderPathA Windows API with CSIDL values "0x1A" and "0x00," respectively.

Afterward, it takes a screenshot, saves it as "screenshot.jpeg," and adds it to the ZIP. The compression method is similar to the one used in zip.cpp for Necro Stealer and PredatorTheStealer.

To retrieve an infected system's geolocation information, such as IP address, country, and zip code, the malware contacts its command-and-control (C&C) server over port 6666 instead of using public services. Figure 15 shows an example of a C&C response:

Figure 15. C&C response with the infected system’s geolocation information

The malware then stores this in the “Geo Information.txt” and appends it to the ZIP archive (Figure 16).

Figure 16. Geolocation information retrieval logic

Next, the malware starts to collect system information such as RAM, GPU, CPU, and screen resolution and stores it in “User Information.txt”, subsequently appending this file to a zip archive held in memory (Figure 17). Furthermore, the malware harvests credentials and sensitive files from various applications. For FileZilla, the malware searches for the XML file located at C:\Users\<USERNAME>\AppData\Roaming\FileZilla\recentservers.xml, which contains information about recently connected servers. This XML file typically includes data such as the server's hostname, port number, username, and connection type. Additionally, the malware attempts to steal data that includes:

All files with the ".txt" extension from the infected system’s desktop directory
All JSON files under C:\Users\Username\AppData\Roaming\Binance
Telegram data under C:\Users\Username\AppData\Roaming\Telegram Desktop
Steam configurations
Web browser Google Chrome
Mozilla Firefox and Microsoft Edge’s cookies and credentials

The Atlantida stealer has the ability to steal information from cryptocurrency-related Google Chrome and Microsoft Edge extensions. For each extension, an “Extension ID” is given. The malware uses this information to harvest data stored within.

This is the extension path:

C:\Users\<YOUR_USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\< Extension ID >

The following is a browser extension list of cryptocurrency wallets:

Extension Name	Extension ID
AuroWallet	cnmamaachppnkjgnildpdmkaakejnhae
BinanceWallet	fhbohimaelbohpjbbldcngcnapndodjp
BitClip	ijmpgkjfkbfhoebgogflfebnmejmfbml
Bitoke	oijajbhmelbcoclnkdmembiacmeghbae
BitAppWallet	fihkakfobkmkjojpchpfgcmhfjnmnfpi
Byone	nlgbhdfgdhgbiamfdfmbikcdghidoadd
CardWallet	apnehcjmnengpnmccpaibjmhhoadaico
CloverWallet	nhnkbkgjikgcigadomkphalanndcapjk
Coin89	aeachknmefphepccionboohckonoeemg
CryptoAirdrops	dhgnlgphgchebgoemcjekedjjbifijid
CyanoWallet	dkdedlpgdmmkkfjabffeganieamfklkm
EQUALWallet	blnieiiffboillknjnepogjhkgnoapac
Flint	hnhobjmcibchnmglfbldbfabcgaknlkj
FreaksAxie	copjnifcecdedocejpaapepagaodgpbh
Guarda	jbdaocneiiinmjbjlgalhcelgbejmnid
GuildWallet	nkddgncdjgjfcddamfgcmfnlhccnimig
guildwallet	nanjmdknhkinifnkgdcggcfnhdaammmj
HyconLiteClient	bcopgchhojmggmffilplmbdicgaihlkp
ICONex	flpiciilemghbmfalicajoolhkkenfel
iWallet	kncchdigobghenbbaddojjnnaogfppfj
Keplr	dmkamcknogkgcdfhhbddcghachkejeap
KHC	hcflpincpppdclinealmandijcmnkbgn
Leaf Walle	cihmoadaighcejopammfbmddcmdekcje
LiqualityWallet	kpfopkelmapcoipemfendmdcghnegimn
MathWallet	afbcbjpbpfadlkmhmclhkeeodmamcflc
Metamask	nkbihfbeogaeaoehlefnkodbefgpgknn
MetaWallet	bkklifkecemccedpkhcebagjpehhabfb
MEW CX	nlbmnnijcnlegkjjpcfjclmcfggfefdm
NaboxWallet	nknhiehlklippafakaeklbeglecifhad
Nami	lpfcbjknijpeeillifnkikgncikgfhdo
NashExtension	onofpnbbkehpmmoabgpcpmigafmmnjhl
NiftyWallet	jbdaocneiiinmjbjlgalhcelgbejmnid
Oasis	ppdadbejkmjnefldpcdjhnkpbjkikoip
OneKey	infeboajgfhgbjpjbeppbkgnabfdkdaf
Phantom	bfnaelmomeimhlpmgjnjophhpkkoljpa
Polymesh Wallet	jojhfeoedkpkglbfimdfabpdfjaoolaf
Rabby	acmacodkjbdgmoleebolmdjonilkdbch
Saturn Wallet	cphhlgmgameodnhkjdmkpanlelnlohao
sollet	fhmfendgdocmcbmfikdcogofphimnkno
TerraStation	aiifbnbfobpmeekipheeijimdpnlpgpp
Temple	ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox	mnfifefkajgofkcjkemidiaecocnkjeh
TronWallet	pnndplcbkakcplkjnolgbkdgjikjednm
Wombat	amkmjjmmflddogmhpjloimipbofnfjih
XDefiWallet	hmeobnfnfcmdkdcmlblgagmfpfboieaf
Yoroi	ffnbelfdoeiohenkjibnmadjiehjhajb

Extension name	Microsoft Edge extension ID
MetaMask	ejbalbakoplchlghecdalmeeeajnimhm

The malware compresses all the collected data into a ZIP file and exfiltrates it to the attacker's C&C server over TCP port 6655.

Figure 17. Example of Atlantida stealer’s collected data

Figure 18. Example of exfiltration of stolen data

Conclusion

In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware. The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide. Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users. Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern web sandboxes such as IE mode for Microsoft Edge highlights a significant industry concern.

To make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry. The ZDI program is the largest vendor agnostic bug bounty program in the world while disclosing vulnerabilities to vendors at 2.5x the rate.

Organizations can help protect themselves from these kinds of attacks with Trend Vision One™️, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.

When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect its remaining systems, especially with technologies such as Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.

Trend protections

The following protections exist to detect and protect Trend customers against the zero-day CVE-2024-38112 (ZDI-CAN-24433) and Atlantida malware exfiltration attempts.

Trend Vision One Model

Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
Svchost Executes Iexplorer

Trend Micro Cloud One - Network Security & TippingPoint Filters

44417 - ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)
44453 - Trojan.Win32.AtlantidaStealer.A Runtime Detection (Geo Information)
44454 - Trojan.Win32.AtlantidaStealer.A Runtime Detection (Exfil Data)

Trend Vision One Endpoint Security, Trend Cloud One - Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules

1012075 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability Over SMB (CVE-2024-38112)
1012074 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2024-38112)

MITRE ATT&CK techniques

Tactic	Technique	Context
Initial Access	T1566.002 - Phishing: Spearphishing Link	Victim downloads malicious zip archive
Execution	T1204.002 - User Execution: Malicious File	Victim executes Internet Shortcut (.URL) file that exploits CVE-2024-38112
Defense Evasion	T1218 - System Binary Proxy Execution	MHTML & x-usc directive handler open compromised site in Internet Explorer
Compromise Infrastructure	T1584.004 - Compromise Infrastructure: Server	Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA)
Execution	T1204.002 - User Execution: Malicious File	Victim opens HTA file
Execution	T1059.005 - Command and Scripting Interpreter - VBScript	HTA application executes VBScript
Defense Evasion	T1027 - Obfuscated Files or Information	Obfuscated VBScript
Compromise Infrastructure	T1584.004 - Compromise Infrastructure: Server	VBScript downloads malicious PowerShell script
Execution	T1059.001 - Command and Scripting Interpreter - PowerShell	PowerShell script executes
Compromise Infrastructure	T1584.004 - Compromise Infrastructure: Server	PowerShell script downloads malicious .NET loader
Defense Evasion	T1027 - Obfuscated Files or Information	Obfuscated .NET loader
Privilege Escalation	T1055 – Process Injection	Atlantida uses process injection to gain persistence
Execution	T1218.009 - System Binary Proxy Execution: Regsvcs/Regasm	Atlantida abuses RegAsm.exe to proxy malicious code execution
Collection	T1560.001 - Archive via Utility	Atlantida encrypts data for exfiltration
Collection	T1005 – Data from Local System	Atlantida collects sensitive local system information
Collection	T1082 – System Information Discovery	Atlantida collects hardware information from victim
Collection	T1555.003 - Credentials from Password Stores: Credentials from Web Browsers	Atlantida collects sensitive data from web browsers including Chrome extension data
Collection	T1113 – Screen Capture	Atlantida captures screen captures of the victim machine
Exfiltration	T1041 - Exfiltration Over C&C Channel	Void Banshee exfiltrates stolen data to C&C server

Indicators of Compromise (IOCs)

Download the full list of IOCs here.

Acknowledgments

The Zero Day Initiative would like to thank the following Trenders for their contributions in ensuring that Trend Micro customers were protected from this zero-day attack pre-patching:

Scott Graham, Mohamad Mokbel, Abdelrahman Esmail, Simon Dulude, Senthil Nathan Sankar, Amit Kumar, and a special thanks to the content writers and marketing teams for helping with this research.

태그