
Microsoft Spoofing Flaw Exploited in Infostealer Attacks


More details have emerged about attacks leveraging the Microsoft flaw that was disclosed and patched last week.

Earlier this year, an APT group was found exploiting a now-patched Microsoft MSHTML platform spoofing flaw in information stealer malware attacks that aimed to steal sensitive data and credential information from various applications, including web browsers.

The flaw (CVE-2024-38112) exists in the Windows MSHTML browser rendering engine, and was disclosed and fixed by Microsoft in its regularly scheduled security updates last week. Over the past week, researchers with both Check Point and Trend Micro have offered additional details about the attacks leveraging the flaw. According to Trend Micro researchers on Monday, the flaw was used by the Void Banshee APT in attacks that targeted organizations in North America, Europe and Southeast Asia; the attackers leveraged the bug to access and execute files through processes linked to the disabled Internet Explorer browser, using MSHTML. Trend Micro researchers said they began tracking the campaign in mid-May and are still seeing attacks to this day; meanwhile, Check Point researchers said malicious .url samples linked to the campaign existed as early as January 2023.

“The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol which was able to access Windows system-disabled Internet Explorer,” said Peter Girnus and Aliakbar Zahravi with Trend Micro in a Monday analysis.

The attack started with zip archives that contained malicious files disguised as book PDFs. According to researchers, the threat actors distributed these archives through online libraries, cloud-based file sharing services and the Discord CDN. One of the book PDF lures was Clinical Anatomy, suggesting the campaign targets skilled professionals or students.

After victims clicked on the URL shortcut file, CVE-2024-38112 was used “to redirect a victim by opening and using the system-disabled IE to a compromised website which hosted a malicious HTML Application (HTA),” said Trend Micro researchers. This technique is notable as it runs files directly through disabled Internet Explorer instances on victim machines, they said.


Though support for Internet Explorer ended on June 15, 2022, and Internet Explorer has been officially disabled in Windows 11 and later Windows 10 versions, the attacks leveraged IE remnants that remain on systems even after it was disabled. Threat actors crafted a URL string using the MHTML protocol handler so that the target would be handled by the iexplore.exe Internet Explorer executable. When a user tries to run iexplore.exe, Microsoft normally redirects to the currently supported Microsoft Edge browser, running in a special mode inside the Edge sandbox that provides some IE-specific functionality for sites and workloads that need it.

“Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” said Haifei Li in a Check Point Research analysis. “An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”
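The lure mechanism described in the two paragraphs above (an .url Internet Shortcut whose target goes through the MHTML protocol handler) can be screened for on disk or in mail attachments. The following Python triage script is an added example, not code from the article or from either research team; the shortcut contents and hostnames are constructed, and the double-extension and .hta checks are assumed heuristics based on the lures the reports describe.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample shortcut files (not taken from the article); the first mimics the
# reported shape: an .url lure posing as a book PDF whose target uses the mhtml: handler.
SAMPLE_SHORTCUTS = {
    "Clinical_Anatomy.pdf.url": (
        "[InternetShortcut]\n"
        "URL=mhtml:http://lure.example.invalid/book.html\n"
        "IconIndex=13\n"
    ),
    "intranet.url": (
        "[InternetShortcut]\n"
        "URL=https://docs.example.invalid/handbook\n"
    ),
}

# Assumed heuristic: a document extension in front of .url is a masquerade attempt.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.url$", re.I)


def analyze_shortcut(name: str, text: str) -> dict:
    """Parse one Windows Internet Shortcut and list indicators of the CVE-2024-38112 lure pattern."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    url = parser.get("InternetShortcut", "URL", fallback="").strip()
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    findings = []
    if scheme == "mhtml":
        findings.append("mhtml: handler routes the target through the disabled IE (MSHTML) path")
        inner = url[len("mhtml:"):]
        if urlsplit(inner).scheme.lower() in ("http", "https"):
            findings.append("mhtml: wrapper points at a remote host")
    if re.search(r"\.hta\b", url, re.I):
        findings.append("target references an HTML Application (.hta)")
    if DOUBLE_EXT.search(name):
        findings.append("double extension masquerades as a document")
    return {"name": name, "url": url, "scheme": scheme,
            "findings": findings, "suspicious": bool(findings)}


def scan_shortcuts(shortcuts: dict = SAMPLE_SHORTCUTS) -> list:
    # Analyze every shortcut and return the suspicious ones first (stable sort).
    results = [analyze_shortcut(n, t) for n, t in shortcuts.items()]
    return sorted(results, key=lambda r: not r["suspicious"])


if __name__ == "__main__":
    for r in scan_shortcuts():
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["name"], r["findings"])
```

Any .url file that resolves to an mhtml: target pointing off-host deserves a closer look, since a legitimate desktop shortcut to a web page has no reason to invoke that handler.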

The malicious application led to the download of a PowerShell trojan downloader, .NET trojan loader and Donut, which is an open-source tool enabling in-memory execution of VBScript, JScript, and other various assemblies. In this attack, Donut was used to execute the Atlantida stealer, an information stealer with several capabilities. Atlantida stealer has the ability to snatch data - like passwords and cookies - from applications like FileZilla, Telegram and Steam, as well as various web browsers like Google Chrome, Microsoft Edge and Mozilla Firefox, and cryptocurrency wallets. System information, including RAM, GPU, CPU and screen resolution, is also targeted.

A fix for CVE-2024-38112 has been available since last week, and users are urged to apply Microsoft’s patches to protect against the attack. The bigger picture this attack highlights, however, is that threat actors are able to reach disabled system services as part of their attacks, which researchers called “a significant industry concern.”

“In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware,” said Trend Micro researchers. “The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide.”