CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
Conclusion
In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware. The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide. Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users. Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern web sandboxes such as IE mode for Microsoft Edge highlights a significant industry concern.
To make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry. The ZDI program is the largest vendor agnostic bug bounty program in the world while disclosing vulnerabilities to vendors at 2.5x the rate.
Organizations can help protect themselves from these kinds of attacks with Trend Vision One™️, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.
When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect its remaining systems, especially with technologies such as Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.
Trend protections
The following protections exist to detect and protect Trend customers against the zero-day CVE-2024-38112 (ZDI-CAN-24433) and Atlantida malware exfiltration attempts.
Trend Vision One Model
- Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
- Svchost Executes Iexplorer
Trend Micro Cloud One – Network Security & TippingPoint Filters
- 44417 – ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)
- 44453 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Geo Information)
- 44454 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Exfil Data)
Trend Vision One Endpoint Security, Trend Cloud One – Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules
- 1012075 – Microsoft Windows Remote Code Execution Vulnerability Over SMB (ZDI-CAN-24433)
- 1012074 – Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
MITRE ATT&CK techniques
| Tactic | Technique | Context |
| Initial Access | T1566.002 – Phishing: Spearphishing Link | Victim downloads malicious zip archive |
| Execution | T1204.002 – User Execution: Malicious File | Victim executes Internet Shortcut (.URL) file that exploits CVE-2024-38112 |
| Defense Evasion | T1218 – System Binary Proxy Execution | MHTML & x-usc directive handler open compromised site in Internet Explorer |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA) |
| Execution | T1204.002 – User Execution: Malicious File | Victim opens HTA file |
| Execution | T1059.005 – Command and Scripting Interpreter – VBScript | HTA application executes VBScript |
| Defense Evasion | T1027 – Obfuscated Files or Information | Obfuscated VBScript |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | VBScript downloads malicious PowerShell script |
| Execution | T1059.001 – Command and Scripting Interpreter – PowerShell | PowerShell script executes |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | PowerShell script downloads malicious .NET loader |
| Defense Evasion | T1027 – Obfuscated Files or Information | Obfuscated .NET loader |
| Privilege Escalation | T1055 – Process Injection | Atlantida uses process injection to gain persistence |
| Execution | T1218.009 – System Binary Proxy Execution: Regsvcs/Regasm | Atlantida abuses RegAsm.exe to proxy malicious code execution |
| Collection | T1560.001 – Archive via Utility | Atlantida encrypts data for exfiltration |
| Collection | T1005 – Data from Local System | Atlantida collects sensitive local system information |
| Collection | T1082 – System Information Discovery | Atlantida collects hardware information from victim |
| Collection | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Atlantida collects sensitive data from web browsers including Chrome extension data |
| Collection | T1113 – Screen Capture | Atlantida captures screen captures of the victim machine |
| Exfiltration | T1041 – Exfiltration Over C&C Channel | Void Banshee exfiltrates stolen data to C&C server |
Indicators of Compromise (IOCs)
Download the full list of IOCs here.
Read More HERE
