Unsupported and outdated software continues to be exploited by bad actors, with Void Banshee being only the latest example.

The advanced persistent threat (APT) group used a recently patched zero-day Microsoft Windows MSHTML vulnerability to spread the Atlantida malware that steals system information and sensitive data like passwords and cookies from applications, according to researchers from cybersecurity firm Trend Micro.

Void Banshee leveraged the security flaw, tracked as CVE-2024-38112, as a zero-day to access and execute files through the Internet Explorer web browser, which Microsoft stopped supporting two years ago and disabled in later versions of Windows 10 and all versions of Windows 11.

“Disabled, however, does not mean IE was removed from the system,” Trend Micro threat researchers Peter Girnus and Aliakbar Zahravi wrote in a report. “The remnants of IE exist on the modern Windows system, though it is not accessible to the average user.”

Users trying to run the Internet Explorer executable will find its replacement, Edge, open. However, those who need to access sites and workloads through Internet Explorer can use the IE mode for Microsoft Edge, which has some Internet Explorer-specific functions but runs inside the Edge sandbox, which Girnus and Zahravi wrote theoretically included enhanced security.

However, the Trend Micro researchers found that the Void Banshee malware could exploit the security flaw by using specially crafted URL files containing the MHTML protocol handler and x-usc! Directive to run HTML Applications files through the disabled Internet Explorer process.

Exploiting Now-Patched Flaw

In this campaign, the ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which we disclosed to Microsoft. These samples could run and execute files and websites through the disabled IE process by exploiting CVE-2024-38112 through MSHTML. By using specially crafted.URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process.

The problem is that because it’s been retired, Internet Explorer is no longer being supported by Microsoft, prompting the researchers to write that “this method of using the disabled IE process as a proxy to access sites and scripts is especially alarming, as IE has historically been a vast attack surface but now receives no further updates or security fixes.”

They noted that the exploitation tactic is similar to another MSHTML vulnerability – CVE-2021-40444 – that also was used in zero-day attacks. CVE-2024-38112 was patched this month.

“The underlying premise in both these attacks [on CVE-2024-38112 and CVE-2021-40444] is the ability of an attacker to call the older Internet Explorer instead of the more secure Chrome [and] Edge,” said Mayuresh Dani, manager of security research at Qualys. “Microsoft has taken a route of unregistering the ‘.mhtml’ handler in .url files for this security update. This CVE is definitely important for the fact that it led to two patches, one for CVE-2024-38112 and another defense-in-depth patch for fixing the .hta evasion trick.”

Casting the Lure

The operators behind Void Banshee exploited the vulnerability in a spearfishing campaign that directed victims to zip archives that contained malicious files disguised as book and resource material PDFs that were disseminated though such avenues as cloud sharing websites, Discord servers, and online libraries. The campaign focused on North America, Europe, and Southeast Asia.

The Atlantida stealer, which has been around since January, “targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers,” Girnus and Zahravi wrote. “This malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system’s desktop.”

The malware also captures the victim’s screen and collects system information like the GPUs and CPUs being used, memory, and screen resolution and collects the system’s geolocation information. It also can steal information from cryptocurrency-related Edge and Google Chrome extensions.

Researchers from cybersecurity firm Check Point earlier this month reported on attacks using the security flaw to target victims through Internet Explorer, adding that the bad actors have been doing this since early last year and as recently as May. Trend Micro also referred to the attacks in May.

An Overlooked Attack Surface

The Trend Micro researchers wrote that “this zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.”

Cybersecurity vendor Bitsight in a blog post earlier this year outlined the top risks associated with outdate software and operating systems, which ranged from ransomware and business disruption to third-party breaches, compromised mobile devices – a problem at a time when more devices are being connected to the internet and workers are using their devices more often for work – and the Internet of Things, with the rapidly expanding types of devices connecting to corporate networks.

Keeping patching up-to-date is only one step organizations can take to protect themselves, joining other actions like monitoring for out-of-date technologies and securing endpoints.

“The fact is, failing to update your software doesn’t just mean you’re missing out on the latest version – it means you could expose your organization to major security vulnerabilities, like the widespread Apache Log4j2 vulnerability,” Bitsight wrote.