Threat Research

CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks

TrendMicro

Trend Micro ZDI researchers disclosed CVE-2024-38112 was leveraged as a zero-day by Void Banshee to access and execute files through a disabled Internet Explorer using MSHTML, culminating in the Atlantida info-stealer. The campaign demonstrates multi-stage infection via internet shortcuts, VBScript/HTA down to a .NET loader and Donut-based in-memory execution, with data theft across browsers, wallets, and system information, exfiltrated to C2 over dedicated ports. #VoidBanshee #AtlantidaStealer #CVE-2024-38112 #Windows #InternetExplorer

Keypoints

  • Zero-day CVE-2024-38112 was exploited by Void Banshee to run code through a disabled Internet Explorer instance using MSHTML, enabling the Atlantida info-stealer.
  • Victims were lured with zip archives containing PDFs or PDF-like book lures hosted on cloud-sharing sites, Discord, and online libraries, targeting NA, Europe, and Southeast Asia.
  • The attack chain begins with malicious URL shortcut files (.URL) that use MHTML and the x-usc directive to trigger IE, acting as stage 1 delivery.
  • Stage progression includes an HTML downloader, an HTA file with VBScript, a PowerShell-based downloader, a .NET loader, and in-memory execution via Donut before deploying Atlantida.
  • Atlantida stealer exfiltrates wide-ranging data (browsers, wallets, files on desktop, screenshots) and communicates with its C2 over ports 6666 and 6655, storing geolocation and system information in ZIP archives.
  • Microsoft patched the vulnerability in the July 2024 patch cycle and unregistered the MHTML handler in IE, but lingering Windows relics remain a risk surface; Trend Micro products provide protections and guidance for detection and response.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – ‘Void Banshee used zip archives containing copies of books in PDF format, along with malicious files disguised as PDFs in spearphishing links’
  • [T1204.002] User Execution: Malicious File – ‘Victim opens Internet Shortcut (.URL) file that exploits CVE-2024-38112’
  • [T1218] System Binary Proxy Execution – ‘MHTML & x-usc directive handler open compromised site in Internet Explorer’
  • [T1584.004] Compromise Infrastructure: Server – ‘Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA)’
  • [T1059.005] Command and Scripting Interpreter: VBScript – ‘HTA application executes VBScript’
  • [T1027] Obfuscated Files or Information – ‘Obfuscated VBScript’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – ‘PowerShell script executes’
  • [T1584.004] Compromise Infrastructure: Server – ‘VBScript downloads malicious PowerShell script’
  • [T1055] Process Injection – ‘Atlantida uses process injection to gain persistence’
  • [T1218.009] System Binary Proxy Execution: Regsvcs/Regasm – ‘Atlantida abuses RegAsm.exe to proxy malicious code execution’
  • [T1560.001] Archive via Utility – ‘Atlantida encrypts data for exfiltration’
  • [T1005] Data from Local System – ‘Atlantida collects sensitive local system information’
  • [T1082] System Information Discovery – ‘Atlantida collects hardware information from victim’
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – ‘Atlantida collects sensitive data from web browsers including Chrome extension data’
  • [T1113] Screen Capture – ‘Atlantida captures screen captures of the victim machine’
  • [T1041] Exfiltration Over C2 Channel – ‘Void Banshee exfiltrates stolen data to C&C server’

Indicators of Compromise

  • [File Name] Books_A0UJKO.pdf.url – Stage 1 internet shortcut file used to start the chain
  • [File Name] test1.html – Stage 2 HTML downloader
  • [File Name] Books_A0UJKO.pdf<26 spaces>.hta – Stage 3 HTA file with extended name trick
  • [File Name] become.txt – Stage 4 PowerShell trojan downloader
  • [File Name] LoadToBadXml.exe, tedfd.te, Vnn3qRKOxH.exe – Stage 5 .NET loader artifacts
  • [SHA256] c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae
  • [SHA256] d8824f643127c1d8f73028be01363fd77b2ecb050ebe8c17793633b9879d20eb
  • [SHA256] 87480b151e465b73151220533c965f3a77046138f079ca3ceb961a7d5fee9a33
  • [SHA256] c85eedd51dced48b3764c2d5bdb8febefe4210a2d9611e0fb14ffc937b80e302
  • [SHA256] 13907caae48ea741942bce60fa32087328475bd14f5a81a6d04d82286bd28b4d
  • [SHA256] 119b0994bcf9c9494ce44f896b7ff4b489b62f31706be2cb6e4a9338b63cdfdb
  • [SHA256] 6f1f3415c3e52dcdbb012f412aef7b9744786b2d4a1b850f1f4561048716c750
  • [Port] 6666 – C2 channel for geolocation data exfiltration
  • [Port] 6655 – Exfiltration to C2 server

Read more: https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint