Void Banshee Group Used ‘Windows Relic’ IE in Phishing Campaign

Exploiting Now-Patched Flaw

In this campaign, the ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which we disclosed to Microsoft. These samples opened and executed files and websites through the disabled IE process by exploiting CVE-2024-38112 through MSHTML. By using specially crafted .URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process.
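The abuse pattern above is visible in the shortcut file itself: the `URL=` value of an Internet Shortcut starts with the `mhtml:` handler and carries an `!x-usc:` directive, which is what routes the link to the retired IE/MSHTML engine instead of the default browser. The following is an added example of a detector for that pattern, written for this page and not code from Trend Micro, ZDI or the campaign; the two `.URL` samples are constructed here, and the `example.invalid` host names are placeholders, not real infrastructure.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample: an ordinary Internet Shortcut as a browser would write it.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

# Constructed sample mimicking the CVE-2024-38112 abuse pattern: the mhtml:
# handler wraps a remote location and the !x-usc: directive names the URL that
# the IE/MSHTML engine is told to load. Hosts are placeholders.
SUSPECT_URL_FILE = """[InternetShortcut]
URL=mhtml:http://cdn.example.invalid/docs/Book.pdf!x-usc:http://cdn.example.invalid/docs/Book.pdf
ShowCommand=7
IconIndex=0
"""

X_USC_RE = re.compile(r"!x-usc:", re.IGNORECASE)
HTTP_URL_RE = re.compile(r"https?://[^\s!]+", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section of a .url file (INI syntax).

    Only '=' is accepted as a key/value delimiter so that the ':' characters
    inside the URL value are left alone; key case is preserved.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return {}
    return dict(cp["InternetShortcut"])


def assess_url_file(text: str) -> Dict[str, object]:
    """Flag a .url file whose URL= value invokes the MHTML handler or x-usc.

    A legitimate shortcut points at http(s) (or a file path); either the mhtml:
    scheme or an !x-usc: directive is enough to treat the file as suspicious,
    because both hand the link to the disabled IE process.
    """
    fields = parse_url_file(text)
    url = fields.get("URL", "")
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    uses_mhtml = scheme == "mhtml"
    has_x_usc = bool(X_USC_RE.search(url))
    # Every http(s) location embedded in the value. For the abuse pattern there
    # are two: the MHTML container and the target named after !x-usc:.
    targets: List[str] = HTTP_URL_RE.findall(url)
    return {
        "scheme": scheme,
        "uses_mhtml": uses_mhtml,
        "has_x_usc": has_x_usc,
        "targets": targets,
        "suspicious": uses_mhtml or has_x_usc,
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL_FILE), ("suspect", SUSPECT_URL_FILE)):
        verdict = assess_url_file(sample)
        print(f"{label}: suspicious={verdict['suspicious']} "
              f"scheme={verdict['scheme']!r} targets={verdict['targets']}")
```

To sweep a mailbox export or a download directory, read each `.url` file and pass its text to `assess_url_file`; the `targets` list gives the remote hosts to block or hunt for in proxy logs. The check is deliberately conservative: `mhtml:` has no legitimate use in an Internet Shortcut delivered by e-mail or a chat channel, so either indicator alone is worth an alert.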

The problem is that Internet Explorer, having been retired, is no longer supported by Microsoft, prompting the researchers to write that “this method of using the disabled IE process as a proxy to access sites and scripts is especially alarming, as IE has historically been a vast attack surface but now receives no further updates or security fixes.”

They noted that the exploitation tactic is similar to another MSHTML vulnerability – CVE-2021-40444 – that also was used in zero-day attacks. Microsoft patched CVE-2024-38112 this month (July 2024).

“The underlying premise in both these attacks [on CVE-2024-38112 and CVE-2021-40444] is the ability of an attacker to call the older Internet Explorer instead of the more secure Chrome [and] Edge,” said Mayuresh Dani, manager of security research at Qualys. “Microsoft has taken a route of unregistering the ‘.mhtml’ handler in .url files for this security update. This CVE is definitely important for the fact that it led to two patches, one for CVE-2024-38112 and another defense-in-depth patch for fixing the .hta evasion trick.”

Casting the Lure

The operators behind Void Banshee exploited the vulnerability in a spear-phishing campaign that directed victims to zip archives containing malicious files disguised as PDFs of books and reference material, disseminated through such avenues as cloud sharing websites, Discord servers, and online libraries. The campaign focused on North America, Europe, and Southeast Asia.

The Atlantida stealer, which has been around since January, “targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers,” Girnus and Zahravi wrote. “This malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system’s desktop.”

The malware also captures the victim’s screen and collects system information like the GPUs and CPUs being used, memory, and screen resolution and collects the system’s geolocation information. It also can steal information from cryptocurrency-related Edge and Google Chrome extensions.

Researchers from cybersecurity firm Check Point earlier this month reported on attacks using the security flaw to target victims through Internet Explorer, adding that the bad actors have been doing this since early last year and as recently as May. Trend Micro also referred to the attacks in May.

An Overlooked Attack Surface

The Trend Micro researchers wrote that “this zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.”

Cybersecurity vendor Bitsight in a blog post earlier this year outlined the top risks associated with outdated software and operating systems. These ranged from ransomware and business disruption to third-party breaches, compromised mobile devices – a growing problem as more devices are connected to the internet and workers use their own devices for work more often – and the Internet of Things, with the rapidly expanding types of devices connecting to corporate networks.

Keeping patching up-to-date is only one step organizations can take to protect themselves, joining other actions like monitoring for out-of-date technologies and securing endpoints.

“The fact is, failing to update your software doesn’t just mean you’re missing out on the latest version – it means you could expose your organization to major security vulnerabilities, like the widespread Apache Log4j2 vulnerability,” Bitsight wrote.
