Security researchers have disclosed a critical remote code execution (RCE) vulnerability, identified as CVE-2024-38112, in the MHTML protocol handler.
The vulnerability, tracked as ZDI-CAN-24433, was reported to Microsoft upon discovery (and later patched by the company), with evidence suggesting it was actively exploited by the advanced persistent threat (APT) group Void Banshee.
Known for targeting North American, European and Southeast Asian regions, Void Banshee used CVE-2024-38112 as part of a sophisticated attack chain designed to steal sensitive data and achieve financial gain.
The attack culminated in the deployment of the Atlantida stealer, a malware variant first identified in January 2024. Since then, variants of this campaign have escalated, incorporating CVE-2024-38112 to compromise systems.
Void Banshee exploited the MHTML vulnerability through internet shortcut (.URL) files, which caused disabled instances of Internet Explorer on Windows systems to be invoked, bypassed security measures, and executed malicious payloads such as HTML Applications (HTA).
In response to this threat, Trend Micro monitored the evolving campaign in mid-May 2024, using internal and external telemetry to track Void Banshee's tactics, techniques and procedures (TTPs).
The attackers exploited not only the MHTML protocol but also Microsoft protocol handlers and URI schemes, along with remnants of Internet Explorer that persist in modern Windows versions despite its official discontinuation and disabling.
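As an added defender-side example (not from the article, and not Trend Micro's or Microsoft's code), the following Python checks .URL files for the pattern described above: a URL= field that uses the mhtml: scheme or points at an HTA payload. The sample shortcut contents and hostnames are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample .URL (Internet Shortcut) contents: one benign shortcut and
# one modelled on the article's description, where the URL= field uses the
# mhtml: scheme and points at an HTML Application (.hta). Hosts are placeholders.
SAMPLES: Dict[str, str] = {
    "quarterly_report.url": (
        "[InternetShortcut]\r\n"
        "URL=https://intranet.example.test/reports/q2\r\n"
    ),
    "invoice.pdf.url": (
        "[InternetShortcut]\r\n"
        "URL=mhtml:http://files.example.test/open.hta\r\n"
        "IconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"
    ),
}

URL_FIELD = re.compile(r"^\s*URL\s*=\s*(.+?)\s*$", re.IGNORECASE)


def shortcut_target(content: str) -> str:
    """Return the URL= value of the [InternetShortcut] section, or '' if absent."""
    in_section = False
    for line in content.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower() == "[internetshortcut]"
            continue
        if in_section and (m := URL_FIELD.match(line)):
            return m.group(1)
    return ""


def findings(content: str) -> List[str]:
    """List why a .URL file looks suspicious; an empty list means nothing flagged."""
    target = shortcut_target(content).lower()
    reasons: List[str] = []
    if target.startswith("mhtml:"):
        # mhtml: routes the shortcut through the MHTML handler and the retired IE
        # engine even where IE is disabled, the path abused in CVE-2024-38112.
        reasons.append("mhtml: scheme in URL= field")
    if re.search(r"\.hta(?![a-z0-9])", target):
        reasons.append("target references an HTML Application (.hta)")
    return reasons


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map file name -> findings, keeping only files that were flagged."""
    return {name: r for name, c in files.items() if (r := findings(c))}
```

Running `scan(SAMPLES)` flags only `invoice.pdf.url`; on a real host, feed it the contents of .URL files found in mail attachments or download folders.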
The severity of CVE-2024-38112 prompted Microsoft to issue a patch during its July 2024 Patch Tuesday cycle, which effectively unregistered the MHTML handler from Internet Explorer. This critical step mitigates the risk posed by the vulnerability, preventing further exploitation through internet shortcut files.
According to Trend Micro, the incident highlights ongoing concerns regarding the exploitation of legacy components like Internet Explorer, which, despite having been retired, remain latent vulnerabilities in modern Windows environments.
Trend Micro said that because services such as IE have a large attack surface and no longer receive patches, they represent a serious security concern for Windows users.
“When faced with uncertain intrusions, behaviors and routines, organizations should assume that their system is already compromised or breached and try to quickly isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect [their] remaining systems.”