CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks

Conclusion

In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware. The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide. Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users. Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern web sandboxes such as IE mode for Microsoft Edge highlights a significant industry concern.

To make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry.  The ZDI program is the largest vendor agnostic bug bounty program in the world while disclosing vulnerabilities to vendors at 2.5x the rate.

Organizations can help protect themselves from these kinds of attacks with Trend Vision One™️, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.

When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect its remaining systems, especially with technologies such as  Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.

Trend protections

The following protections exist to detect and protect Trend customers against the zero-day CVE-2024-38112 (ZDI-CAN-24433) and Atlantida malware exfiltration attempts.

Trend Vision One Model

  • Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
  • Svchost Executes Iexplorer

Trend Micro Cloud One – Network Security & TippingPoint Filters

  • 44417 – ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 44453 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Geo Information)
  • 44454 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Exfil Data)

Trend Vision One Endpoint Security, Trend Cloud One – Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules

  • 1012075 – Microsoft Windows Remote Code Execution Vulnerability Over SMB (ZDI-CAN-24433)
  • 1012074 – Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)

MITRE ATT&CK techniques

Tactic Technique Context
Initial Access T1566.002 – Phishing: Spearphishing Link Victim downloads malicious zip archive
Execution T1204.002 – User Execution: Malicious File Victim executes Internet Shortcut (.URL) file that exploits CVE-2024-38112
Defense Evasion T1218 – System Binary Proxy Execution MHTML & x-usc directive handler open compromised site in Internet Explorer
Compromise Infrastructure T1584.004 – Compromise Infrastructure: Server Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA)
Execution T1204.002 – User Execution: Malicious File Victim opens HTA file
Execution T1059.005 – Command and Scripting Interpreter – VBScript HTA application executes VBScript
Defense Evasion T1027 – Obfuscated Files or Information Obfuscated VBScript
Compromise Infrastructure   T1584.004 – Compromise Infrastructure: Server   VBScript downloads malicious PowerShell script
Execution T1059.001 – Command and Scripting Interpreter – PowerShell PowerShell script executes
Compromise Infrastructure T1584.004 – Compromise Infrastructure: Server   PowerShell script downloads malicious .NET loader
Defense Evasion T1027 – Obfuscated Files or Information Obfuscated .NET loader
Privilege Escalation T1055 – Process Injection Atlantida uses process injection to gain persistence
Execution T1218.009 – System Binary Proxy Execution: Regsvcs/Regasm Atlantida abuses RegAsm.exe to proxy malicious code execution
Collection T1560.001 – Archive via Utility Atlantida encrypts data for exfiltration
Collection T1005 – Data from Local System Atlantida collects sensitive local system information
Collection T1082 – System Information Discovery Atlantida collects hardware information from victim
Collection T1555.003 – Credentials from Password Stores: Credentials from Web Browsers Atlantida collects sensitive data from web browsers including Chrome extension data
Collection T1113 – Screen Capture Atlantida captures screen captures of the victim machine
Exfiltration T1041 – Exfiltration Over C&C Channel   Void Banshee exfiltrates stolen data to C&C server

Indicators of Compromise (IOCs)

Download the full list of IOCs here.

Read More HERE