CVE-2024-38112: Void Banshee targets Windows users via Zombie Internet Explorer in zero-day attacks

Conclusion

In this campaign, we observed that even though users may no longer have access to IE, threat actors can still use the remnants of IE that remain on a Windows machine to infect users and organizations with ransomware or backdoors, or as an execution proxy for other types of malware. The ability of APT groups like Void Banshee to exploit disabled services like IE poses a significant threat to organizations around the world. Because services like IE have a large attack surface and no longer receive patches, they are a serious security problem for Windows users. Additionally, the ability of threat actors to reach unsupported and disabled system services in order to bypass modern web sandboxes, such as IE mode for Microsoft Edge, is a significant industry concern.

To make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can use them in attacks. The ZDI Threat Hunting team also proactively pursues zero-day attacks in the wild to protect the industry. The ZDI program is the largest vendor-agnostic bug bounty program in the world and uncovers vendor vulnerabilities at a 2.5x higher rate.

Organizations can help protect against these types of attacks with Trend Vision One™, which enables security teams to continuously identify attack surfaces, including known, unknown, managed and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It takes into account critical factors such as the likelihood and impact of potential attacks and offers a range of capabilities to prevent, detect and respond. All of this is backed by advanced threat research, intelligence and AI, which helps reduce the time it takes to detect, respond to and fix issues. Ultimately, Vision One can help improve an organization’s overall security posture and performance, including against zero-day attacks.

When faced with suspicious intrusions, behaviors and routines, organizations must assume that their systems have already been compromised or breached and work to immediately isolate the affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems, especially with technologies such as Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan and block malicious content in today’s threat landscape.

Trend Protections

The following protections are in place to detect and protect Trend customers against the CVE-2024-38112 (ZDI-CAN-24433) zero-day and Atlantida malware exfiltration attempts.

Trend Vision One Model

  • Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
  • Svchost runs Iexplorer

Trend Micro Cloud One – Network Security and TippingPoint Filters

  • 44417 – ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 44453 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Geographic Information)
  • 44454 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Exfil Data)

Trend Vision One Endpoint Security, Trend Cloud One – Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules

  • 1012075 – Microsoft Windows Remote Code Execution Vulnerability over SMB (ZDI-CAN-24433)
  • 1012074 – Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)

MITRE ATT&CK Techniques

| Tactic | Technique | Context |
|---|---|---|
| Initial Access | T1566.002 – Phishing: Spearphishing Link | The victim downloads a malicious ZIP archive |
| Execution | T1204.002 – User Execution: Malicious File | The victim executes an Internet Shortcut (.URL) file that exploits CVE-2024-38112 |
| Defense Evasion | T1218 – System Binary Proxy Execution | The MHTML and x-usc directive handler opens a compromised site in Internet Explorer |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | The victim is redirected to a compromised site that downloads a malicious HTML Application (.HTA) |
| Execution | T1204.002 – User Execution: Malicious File | The victim opens the HTA file |
| Execution | T1059.005 – Command and Scripting Interpreter: Visual Basic | The HTA application executes VBScript |
| Defense Evasion | T1027 – Obfuscated Files or Information | Obfuscated VBScript |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | The VBScript downloads a malicious PowerShell script |
| Execution | T1059.001 – Command and Scripting Interpreter: PowerShell | The PowerShell script executes |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | The PowerShell script downloads a malicious .NET loader |
| Defense Evasion | T1027 – Obfuscated Files or Information | Obfuscated .NET loader |
| Privilege Escalation | T1055 – Process Injection | Atlantida uses process injection to gain persistence |
| Execution | T1218.009 – System Binary Proxy Execution: Regsvcs/Regasm | Atlantida abuses RegAsm.exe to proxy the execution of malicious code |
| Collection | T1560.001 – Archive Collected Data: Archive via Utility | Atlantida encrypts data for exfiltration |
| Collection | T1005 – Data from Local System | Atlantida collects sensitive local system information |
| Collection | T1082 – System Information Discovery | Atlantida collects hardware information from the victim |
| Collection | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Atlantida collects sensitive data from web browsers, including data about Chrome extensions |
| Collection | T1113 – Screen Capture | Atlantida captures the victim machine’s screen |
| Exfiltration | T1041 – Exfiltration Over C2 Channel | Void Banshee exfiltrates stolen data to a C&C server |
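The technique table above and the "Svchost runs Iexplorer" Vision One model both describe one process lineage: the .URL handler launching Internet Explorer, IE handing the HTA to mshta.exe, and its VBScript starting PowerShell. The following is an added example, not code from the Trend Micro article, that turns that lineage into a check over parent/child process records; the record format and every event in it are constructed for this example.

```python
"""Flag the Void Banshee process chain in process-creation records.

Added example, not code from the Trend Micro article: the article's "Svchost runs
Iexplorer" model and ATT&CK chain (svchost -> iexplore -> mshta -> powershell) as
a check over parent/child records; record format and events are constructed.
"""

# Constructed events, one per line: "<pid> <ppid> <image path>".
SAMPLE_EVENTS = """\
404 700 C:\\Windows\\System32\\svchost.exe
1120 404 C:\\Program Files\\Internet Explorer\\iexplore.exe
1188 1120 C:\\Windows\\System32\\mshta.exe
1204 1188 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
3000 700 C:\\Windows\\explorer.exe
3010 3000 C:\\Windows\\System32\\mshta.exe
"""

# Oldest ancestor first: svchost.exe starting the disabled IE is the .URL/MHTML
# handler step, mshta.exe the downloaded HTA, PowerShell what its VBScript starts.
SUSPICIOUS_SEQUENCE = ["svchost.exe", "iexplore.exe", "mshta.exe", "powershell.exe"]

def parse_events(text):
    """Map pid -> (ppid, lower-cased image basename)."""
    procs = {}
    for line in text.splitlines():
        pid, ppid, image = line.split(maxsplit=2)
        procs[int(pid)] = (int(ppid), image.rsplit("\\", 1)[-1].lower())
    return procs

def ancestry(procs, pid):
    """Image basenames from the oldest known ancestor down to pid itself."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # stop at unknown or cyclic parent
        seen.add(pid)
        pid, image = procs[pid]
        chain.append(image)
    return chain[::-1]

def matched_depth(chain):
    """Leading steps of SUSPICIOUS_SEQUENCE that end at chain[-1]; 0 if none."""
    if not chain or chain[-1] not in SUSPICIOUS_SEQUENCE:
        return 0
    i = SUSPICIOUS_SEQUENCE.index(chain[-1])
    ancestors = iter(chain[:-1])  # `in` consumes the iterator, so order is enforced
    return i + 1 if all(step in ancestors for step in SUSPICIOUS_SEQUENCE[:i]) else 0

def find_void_banshee_chains(text, min_depth=2):
    """pid -> (depth, chain) for processes reproducing at least min_depth steps."""
    procs = parse_events(text)
    hits = ((pid, matched_depth(c), c) for pid in procs for c in [ancestry(procs, pid)])
    return {pid: (d, c) for pid, d, c in hits if d >= min_depth}
```

With the default `min_depth=2` the svchost.exe to iexplore.exe step alone is reported, matching the article's model; mshta.exe launched from explorer.exe by a user is not, because svchost.exe and iexplore.exe are missing from its ancestry.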

Indicators of Compromise (IOC)

Download the full IOC list here.