Microsoft Windows users have been warned to urgently apply this month’s update after a new attack was discovered in the wild targeting Windows 10 and Windows 11. An alarming new report warns that this new zero-day attack is “a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other types of malware.”
The relic in question is Internet Explorer. Most Windows users assume the retired browser is gone from their machines, but its rendering engine (MSHTML) is still present under the covers. These attacks simply trick Windows into handing a link to that engine instead of the default browser, and if that happens to you the impact can be devastating.
We knew this new IE threat was serious when Microsoft’s July advisory marked it as exploited in the wild and the U.S. cybersecurity agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, giving all U.S. federal agencies 21 days to patch (a due date of July 30). The Check Point Research team subsequently published a detailed report on the threat and on their disclosure to Microsoft.
The threat level for CVE-2024-38112 has now risen further with a new report from Trend Micro, which documents active attacks that use this trick to bring Internet Explorer back to life.
Trend Micro attributes the attacks to Void Banshee, an advanced persistent threat (APT) group targeting victims in the US, Asia and Europe. The researchers say the attacks were aimed at installing the Atlantida stealer on victims’ machines. This malware targets specific applications, including messengers and crypto wallets, to steal login credentials, cookies and other sensitive data.
According to Trend Micro, “Void Banshee lures victims using zip archives containing malicious files masquerading as book PDFs and distributes them via cloud-sharing websites, Discord servers, online libraries, and more.”
The stealer malware itself is new, first reported earlier this year, but “variations of the Atlantida campaign have been highly active in 2024 and have evolved to leverage CVE-2024-38112 as part of Void Banshee infection chains.” While the earlier warnings stressed ransomware, this report adds direct credential theft to the mix.
The lure that triggers one of these attacks is not an ordinary link. It is a Windows internet shortcut (.url) file whose target is prefixed with mhtml:, which Windows routes to IE’s engine instead of Edge or Chrome. Users may not even realize they are opening a link, because the shortcut carries a PDF-style name and icon and appears to open a cloud-hosted PDF. Rather than relying on spotting these lures, simply update your Windows PC, which disables the technique.
Of course, the real punchline here is that IE has risen from the dead, and it will surprise and alarm users. “IE has been officially disabled in later versions of Windows 10, including all versions of Windows 11,” Trend Micro explains. “Disabled does not mean that IE has been removed from the system, however. The remnants of IE exist on the modern Windows system, although it is inaccessible to the average user.”
We’ve seen some variation in these reports, but the end result is the same: the user is tempted to open a URL carrying the mhtml: prefix, which tells Windows to open it with IE rather than a newer, safer browser.
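The mhtml: trick described above, as an added example that is not code from the original article, from Check Point Research, Trend Micro or Microsoft: a Python triage scanner for Windows internet shortcut (.url) files, the file type Check Point Research reported as the carrier of this attack. It parses the INI-style shortcut, flags an mhtml: target (and the “!” part selector that follows the remote location), and also flags the PDF disguise (a “.pdf” in the shortcut’s own name and an icon borrowed from a PDF reader). The sample shortcuts, host names and icon path are constructed for this example and are not campaign artifacts.

```python
"""Triage scanner for Windows internet shortcut (.url) files that abuse the
mhtml: prefix to force Internet Explorer's engine (constructed example)."""
import configparser
from pathlib import Path

# Constructed sample .url contents for this example; they are not artifacts
# from the Void Banshee campaign. The host is a reserved .invalid name and
# the icon path is a hypothetical PDF reader location.
SAMPLES = {
    # Named so Explorer shows "Ancient_History.pdf" when known extensions
    # are hidden; the target is an mhtml: URL with a "!" part selector.
    "Ancient_History.pdf.url": (
        "[InternetShortcut]\n"
        "URL=mhtml:http://files.example.invalid/share/Ancient_History"
        "!x:\\Ancient_History.pdf\n"
        "IconFile=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe\n"
        "IconIndex=0\n"
    ),
    # A benign shortcut: ordinary https scheme, no disguise.
    "vendor_portal.url": (
        "[InternetShortcut]\n"
        "URL=https://portal.example.invalid/login\n"
    ),
}


def parse_internet_shortcut(text):
    """Return the URL= and IconFile= fields of a .url file, or None if the
    text has no [InternetShortcut] section. Only "=" is a key/value
    delimiter (":" appears inside URLs) and interpolation is off because
    Windows paths contain "%" and "\\"."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
        sec = cp["InternetShortcut"]
    except (configparser.Error, KeyError):
        return None
    return {"url": sec.get("URL", "").strip(),
            "iconfile": sec.get("IconFile", "").strip()}


def assess_shortcut(filename, text):
    """Return a sorted list of indicator codes for one .url file.

    mhtml-scheme   target uses mhtml:, which Windows hands to the IE engine
                   (the CVE-2024-38112 trick) instead of the default browser
    mhtml-bang     an mhtml: target with a "!" part selector after the
                   remote location, used to name the resource IE should load
    pdf-lookalike  the shortcut's own name contains ".pdf" before ".url"
    pdf-icon       IconFile points at a PDF reader so the icon looks like a
                   document
    unparseable    not a readable internet shortcut at all
    """
    parsed = parse_internet_shortcut(text)
    if parsed is None:
        return ["unparseable"]
    hits = set()
    scheme, _, rest = parsed["url"].partition(":")
    if scheme.lower() == "mhtml":
        hits.add("mhtml-scheme")
        if "!" in rest:
            hits.add("mhtml-bang")
    stem = filename.lower()
    if stem.endswith(".url"):
        stem = stem[:-4]
    if ".pdf" in stem:
        hits.add("pdf-lookalike")
    icon = parsed["iconfile"].lower()
    if "acrobat" in icon or "pdf" in icon:
        hits.add("pdf-icon")
    return sorted(hits)


def scan_directory(root):
    """Assess every *.url file under root (for instance an extracted zip
    archive) and return {path: indicators} for files with any indicator."""
    results = {}
    for path in Path(root).rglob("*.url"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = assess_shortcut(path.name, text)
        if hits:
            results[str(path)] = hits
    return results


def scan_samples():
    """Run the assessment over the constructed samples."""
    return {name: assess_shortcut(name, text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {', '.join(hits) if hits else 'clean'}")
```

Run it as a script to see the two constructed samples classified, or call scan_directory() on a folder of files extracted from a suspect zip archive. Treat any mhtml: hit as a reason to quarantine the file on an unpatched machine; on a patched one the handler is no longer routed to IE, but the file still tells you someone sent a lure.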
“The ability of APT groups like Void Banshee to exploit disabled services like IE poses a significant threat to organizations worldwide,” Trend Micro said. For this reason, the CISA July deadline should be treated as universal, not just as a federal requirement. Many large public and private organizations already follow KEV deadlines as a best practice, but given that the IE remnants ship with every Windows PC, everyone should apply the update.
Trend Micro adds that there is a broader problem here. “The ability for attackers to access unsupported and disabled system services to bypass modern web sandboxes like IE Mode for Microsoft Edge highlights a significant industry concern.” That warning matters all the more against the backdrop of the slow transition from Windows 10 to Windows 11, with the older operating system reaching end of support in October 2025.
Internet Explorer was a security nightmare when it was live. Now it is “particularly alarming,” Trend Micro warns, “as IE has historically been a large attack surface but is now not receiving any further updates or security fixes.” Microsoft’s July fix unregisters the MHTML protocol handler so that mhtml: links no longer open in IE, which blocks this type of attack.
Please perform the update immediately if you have not already done so.