Safety consultants have uncovered a vital distant code execution (RCE) vulnerability, recognized as CVE-2024-38112, throughout the MHTML protocol handler.
This vulnerability, dubbed ZDI-CAN-24433, was reported from CVE-2024-38112 to Microsoft upon discovery (and later patched by the tech big), with proof suggesting it was actively exploited by the superior persistent risk (APT) group Void Banshee.
Recognized for focusing on North American, European and Southeast Asian areas, Void Banshee leveraged CVE-2024-38112 as a part of a complicated assault chain designed to steal delicate data and obtain monetary achieve.
The assault culminated within the deployment of the Atlantida stealer, a malware variant initially detected in January 2024. All year long, variations of this marketing campaign intensified, incorporating CVE-2024-38112 to compromise programs.
By exploiting the MHTML vulnerability by way of web shortcut (.URL) recordsdata, Void Banshee manipulated disabled situations of Web Explorer on Home windows programs, circumventing safety measures and executing malicious payloads resembling HTML Functions (HTA).
In response to this risk, Development Micro monitored the evolving marketing campaign in mid-Could 2024, leveraging inside and exterior telemetry to trace Void Banshee’s ways, strategies and procedures (TTPs).
The attackers exploited not solely the MHTML protocol but in addition Microsoft protocol handlers and URI schemes, exploiting remnants of Web Explorer current in trendy Home windows variations regardless of its official discontinuation and disabling.
The severity of CVE-2024-38112 prompted Microsoft to concern a patch throughout its July 2024 Patch Tuesday cycle, which successfully unregistered the MHTML handler from Web Explorer. This vital step mitigates the danger posed by this vulnerability, stopping additional exploitation by way of web shortcut recordsdata.
Learn extra in regards to the newest Patch Tuesday fixes: Microsoft Fixes 4 Zero-Days in July Patch Tuesday
In keeping with Development Micro, the incident underscores ongoing issues relating to the exploitation of legacy elements like Web Explorer, which regardless of being phased out, stay latent vulnerabilities in trendy Home windows environments.
“Since companies resembling IE have a big assault floor and not obtain patches, it represents a severe safety concern to Home windows customers,” Development Micro stated.
“When confronted with unsure intrusions, behaviors and routines, organizations ought to assume that their system is already compromised or breached and work to right away isolate affected knowledge or toolchains. With a broader perspective and speedy response, organizations can deal with breaches and shield [their] remaining programs.”
