MHTML Exploited By APT Group Void Banshee

Security experts have uncovered a critical remote code execution (RCE) vulnerability, identified as CVE-2024-38112, within the MHTML protocol handler. 

This vulnerability, also tracked as ZDI-CAN-24433, was reported to Microsoft upon discovery (and later patched by the tech giant), with evidence suggesting it was actively exploited by the advanced persistent threat (APT) group Void Banshee. 

Known for targeting North American, European and Southeast Asian regions, Void Banshee leveraged CVE-2024-38112 as part of a sophisticated attack chain designed to steal sensitive information and achieve financial gain.

The attack culminated in the deployment of the Atlantida stealer, a malware variant initially detected in January 2024. Throughout the year, variations of this campaign intensified, incorporating CVE-2024-38112 to compromise systems. 

By exploiting the MHTML vulnerability through internet shortcut (.URL) files, Void Banshee manipulated disabled instances of Internet Explorer on Windows systems, circumventing security measures and executing malicious payloads such as HTML Applications (HTA).
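The paragraph above describes the delivery vector: an internet shortcut (.URL) file whose target routes through the MHTML handler and ends in an HTA payload. The following detection script is an added example written for this article and is not code from Trend Micro or the original report. It assumes the standard INI layout of internet shortcut files (an `[InternetShortcut]` section with a `URL=` key) and uses constructed sample file contents, not artefacts from the campaign.

```python
"""Flag internet shortcut (.URL) files whose target invokes the mhtml: handler
or points at an HTA payload. Added defensive example; the sample file contents
below are constructed, not real artefacts from the Void Banshee campaign."""
import re

# Constructed sample shortcut contents keyed by file name (assumed, not real samples).
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/docs\r\n",
    "mhtml_scheme.url": "[InternetShortcut]\r\nURL=mhtml:http://example.test/page\r\n",
    "hta_target.url": "\ufeff[InternetShortcut]\r\nURL=https://example.test/invoice.HTA\r\n",
    "empty.url": "",
}

SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
HTA_RE = re.compile(r"\.hta(?=[?#]|$)", re.I)


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, or None if absent."""
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8 BOM and CRLF
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def assess_shortcut(text):
    """Return a list of finding strings for one shortcut; an empty list means nothing flagged."""
    findings = []
    target = parse_url_file(text)
    if target is None:
        return findings
    match = SCHEME_RE.match(target)
    scheme = match.group(1).lower() if match else ""
    if scheme == "mhtml":
        # A shortcut that hands its target to the MHTML handler is the CVE-2024-38112 vector.
        findings.append("target uses the mhtml: handler (CVE-2024-38112 vector)")
    elif scheme not in ("http", "https"):
        # Shortcuts normally open http(s) URLs; anything else deserves analyst attention.
        findings.append(f"unexpected URL scheme {scheme or '(none)'!r}")
    if HTA_RE.search(target):
        findings.append("target references an HTML Application (.hta) payload")
    return findings


def scan(files):
    """Map each file name in `files` (name -> text) to its findings."""
    return {name: assess_shortcut(text) for name, text in files.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(findings) if findings else 'no findings'}")
```

Point `scan` at the contents of .URL files harvested from mail gateways or endpoint file-write events; a hit on the mhtml: scheme or an .hta target is a strong triage signal even on hosts where the July 2024 patch has already unregistered the handler.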

In response to this threat, Trend Micro monitored the evolving campaign in mid-May 2024, leveraging internal and external telemetry to track Void Banshee’s tactics, techniques and procedures (TTPs). 

The attackers abused not only the MHTML protocol but also other Microsoft protocol handlers and URI schemes, taking advantage of remnants of Internet Explorer that remain present in modern Windows versions despite its official discontinuation and disabling.

The severity of CVE-2024-38112 prompted Microsoft to issue a patch during its July 2024 Patch Tuesday cycle, which effectively unregistered the MHTML handler from Internet Explorer. This critical step mitigates the risk posed by this vulnerability, preventing further exploitation through internet shortcut files.


According to Trend Micro, the incident underscores ongoing concerns regarding the exploitation of legacy components like Internet Explorer, which, despite being phased out, remain latent vulnerabilities in modern Windows environments. 

“Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users,” Trend Micro said.

“When faced with uncertain intrusions, behaviors and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect [their] remaining systems.”