Microsoft Windows users have been warned to urgently apply this month’s update, after a new attack was found in the wild targeting Windows 10 and Windows 11. An alarming new report warns that this new zero-day attack “is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.”

The relic in question is Internet Explorer. While most Windows users will assume the now defunct browser has been banished from their machines, it’s actually still there under the covers. These devious attacks simply trick IE into waking back up and causing havoc. Beware—if that happens to you, the impact can be devastating.

We knew this new IE threat was serious when Microsoft’s July update advisory acknowledged likely exploits in the wild and the US cyber agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) catalog, with a 21-day update mandate for all US federal agencies. The team at Check Point Research then published a detailed report into the threat and their disclosure to Microsoft.

Now the threat level for CVE-2024-38112 has become even more serious, with the publication of a new report from Trend Micro, which describes active attacks that it says have exploited this trick to wake up Internet Explorer.

Trend Micro attributes the attacks to Void Banshee, an advanced persistent threat (APT) group targeting victims across the US, Asia and Europe. The research team says these attacks focused on installing the Atlantida stealer onto victims’ machines. This malware targets specific applications, including messengers and crypto wallets, to steal login credentials, cookies and security codes.

According to Trend Micro, “Void Banshee lures in victims using zip archives containing malicious files disguised as book PDFs; these are disseminated in cloud-sharing websites, Discord servers, and online libraries, among others.”

The stealer malware itself is new and was only discovered earlier this year, but “variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains.” While CISA’s focus is ransomware, this new report adds direct theft into the mix.

The malicious link that triggers one of these attacks is coded to open in IE rather than Edge or Chrome. And users may not even realize they are clicking an internet address, as it may appear as a cloud-based PDF being opened. But rather than offer advice as to what to look for, simply update your Windows PC to disable the threat.

That IE has come back from the dead is the real catch here, of course, and will surprise and alarm users. “IE has been officially disabled through later versions of Windows 10, including all versions of Windows 11,” Trend Micro explains. “Disabled, however, does not mean IE was removed from the system. The remnants of IE exist on the modern Windows system, though it is not accessible to the average user.”

Across these reports we have seen some variation, but the end result is the same: a lure that gets users to click a URL packaged with a dangerous MHTML handler reference, which tells the system to open it with IE instead of a newer, more secure alternative.
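As an added defender-side illustration (not code from the article, Trend Micro or Check Point), the following Python scans a zip archive for the lure shape described above: a member disguised as a PDF by a double extension, and an Internet Shortcut whose URL= field uses the mhtml: scheme. It assumes the lure is a Windows .url file (the article does not name the file type); the archive contents are constructed.

```python
import io
import re
import zipfile

# Assumption: the lure is a Windows Internet Shortcut (.url), an INI-style
# file whose URL= line carries the mhtml: scheme that routes to IE.
MHTML_RE = re.compile(rb"^\s*URL\s*=\s*mhtml:", re.IGNORECASE | re.MULTILINE)
# A "PDF" whose real extension is something Windows will execute or open.
DOUBLE_EXT_RE = re.compile(r"\.pdf\.(url|lnk|hta|exe)$", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Constructed archive: one benign PDF and one disguised shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("book.pdf", b"%PDF-1.4\n% constructed benign placeholder\n")
        zf.writestr(
            "Book.pdf.url",
            b"[InternetShortcut]\r\nURL=mhtml:http://example.invalid/lure\r\n",
        )
    return buf.getvalue()


def scan_archive(data: bytes, head_bytes: int = 4096) -> list:
    """Return (member name, [reasons]) for each suspicious archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if DOUBLE_EXT_RE.search(info.filename):
                reasons.append("pdf-disguise")
            # Only the first few KB are needed; a .url file is tiny.
            with zf.open(info) as fh:
                head = fh.read(head_bytes)
            if MHTML_RE.search(head):
                reasons.append("mhtml-handler")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, why in scan_archive(build_sample_zip()):
        print(f"SUSPICIOUS: {name} ({', '.join(why)})")
```

Run against real archives from the sharing sites named in the article, a hit on either reason is worth quarantining before a user double-clicks it.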

“The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide,” Trend Micro says, which is why CISA’s July update mandate should be viewed universally—not just within federal agencies. Most large public and private organizations will seek to apply this as best practice, but given the ubiquity of IE buried on PCs, all should update.

There is an even wider issue here as well, Trend Micro adds. “The ability of threat actors to access unsupported and disabled system services to circumvent modern web sandboxes such as IE mode for Microsoft Edge highlights a significant industry concern.” And that warning is all the more critical when set against the backdrop of the slow shift from Windows 10 to Windows 11, before the older OS reaches end-of-life in 2025.

Internet Explorer was a security nightmare when it was live. But now it’s “especially alarming,” Trend Micro warns, “because IE has historically been a vast attack surface but now receives no further updates or security fixes.” Microsoft’s July fix has now unregistered the MHTML protocol handler, disabling this type of attack.

Update right away—if you haven’t already.
