Microsoft Windows users are being warned to urgently apply this month’s update after a new attack was found in the wild targeting Windows 10 and Windows 11. An alarming new report warns that this new zero-day attack “is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors or as a conduit for other types of malware.”
The relic in question is Internet Explorer. Most Windows users will assume that the now-defunct browser has been banished from their machines, but it is actually still there under the covers. These attacks simply trick Windows into waking IE up and letting it load the attacker’s content. Beware: if this happens to you, the impact can be devastating.
We knew this new IE threat was serious when Microsoft’s advisory for the July update acknowledged exploitation in the wild, and the US cyber agency CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, with a 21-day update mandate for all US federal agencies. The team at Check Point Research then published a detailed report on the threat and on its disclosure to Microsoft.
Now the threat level for CVE-2024-38112 has become even more serious, with the release of a new report from Trend Micro, which reports active attacks that it says have exploited this trick to wake up Internet Explorer.
Trend Micro attributes the attacks to Void Banshee, an advanced persistent threat (APT) group targeting victims across the US, Asia and Europe. The research team says that these attacks focused on installing the Atlantida stealer on victims’ machines. This malware targets specific applications, including messengers and crypto wallets, to steal login credentials, cookies and security codes.
According to Trend Micro, “Void Banshee lures victims using zip archives containing malicious files disguised as book PDFs; these are distributed on cloud sharing websites, Discord servers, and online libraries, among others.”
The stealer itself is new and was only discovered earlier this year, but “variants of the Atlantida campaign have been very active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains.” While CISA’s focus is ransomware, this new report adds outright credential and wallet theft to the mix.
The malicious link that triggers one of these attacks is crafted to open in IE rather than Edge or Chrome. Users may not even realize they are clicking a web address, because the file is disguised so that it looks like a cloud-hosted PDF is opening. Rather than relying on spotting the lure, simply update your Windows PC to disable the threat.
The fact that IE is back from the dead is the real catch here, of course, and will surprise and alarm users. “IE is officially disabled through later versions of Windows 10, including all versions of Windows 11,” Trend Micro explains. “Disabled, however, does not mean that IE has been removed from the system. Remnants of IE exist in the modern Windows system, although it is not accessible to the average user.”
We’ve seen a few variations in these reports, but the end result is the same: the user is lured into opening an internet shortcut whose URL is prefixed with the MHTML protocol handler, which tells Windows to hand the link to IE instead of a newer, safer browser.
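To make the trick concrete, here is an added example (not code from the original article or from Trend Micro or Check Point) that scans Internet Shortcut (.url) files for the MHTML-handler lure. A .url file is a small INI-style text file with an `[InternetShortcut]` section; the scanner flags any `URL=` value that starts with `mhtml:` (the prefix that routes the link to Internet Explorer), the `!x-usc:` redirect commonly appended after it, and cosmetic signs of a PDF disguise. The sample shortcut contents and the `example.com` URLs below are constructed for the demonstration; the `mhtml:…!x-usc:` layout follows the public write-ups of this campaign and is an assumption about the lure format, not something stated on this page.

```python
"""Hunt for .url shortcuts that force Internet Explorer via the mhtml: handler.

Added example; not the article's or the researchers' code. The shortcut
contents below are constructed for illustration.
"""
import configparser
import re
from pathlib import Path

# mhtml: at the start of the URL hands the link to the MHTML protocol handler,
# i.e. Internet Explorer, regardless of the default browser.
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# The !x-usc: marker is the redirect that points IE at the remote content.
XUSC_MARKER = re.compile(r"!x-usc:", re.IGNORECASE)
# Icon borrowed from a PDF reader, and a double extension, are the disguise.
PDF_ICON = re.compile(r"(acrord32|acrobat)\.exe\s*$", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.pdf\.url$", re.IGNORECASE)


def analyse_shortcut(text: str, filename: str = "") -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one .url file body."""
    # .url files are plain INI; '=' is the only delimiter, no interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return {"suspicious": False, "findings": [f"unparseable: {exc}"]}

    section = next((s for s in cp.sections()
                    if s.lower() == "internetshortcut"), None)
    if section is None:
        return {"suspicious": False, "findings": ["no [InternetShortcut] section"]}

    url = cp.get(section, "URL", fallback="")
    icon = cp.get(section, "IconFile", fallback="")
    findings = []

    if MHTML_PREFIX.match(url):
        findings.append("URL uses mhtml: handler (forces Internet Explorer)")
        if XUSC_MARKER.search(url):
            findings.append("mhtml URL carries !x-usc: redirect to remote content")
    if PDF_ICON.search(icon):
        findings.append("icon taken from a PDF reader (PDF disguise)")
    if DOUBLE_EXT.search(filename):
        findings.append("double extension .pdf.url (hides shortcut type)")

    # Only the mhtml: prefix is the actual IE trigger; the rest is supporting
    # evidence, so a file is suspicious only when the prefix is present.
    return {"suspicious": bool(findings) and MHTML_PREFIX.match(url) is not None,
            "findings": findings}


def scan_directory(root: str) -> dict:
    """Walk a folder and return {path: analysis} for every .url found."""
    return {str(p): analyse_shortcut(p.read_text(errors="replace"), p.name)
            for p in Path(root).rglob("*.url")}


# Constructed samples (not real campaign artefacts).
BENIGN_SAMPLE = (
    "[InternetShortcut]\r\n"
    "URL=https://docs.example.com/handbook\r\n"
    "IconIndex=0\r\n"
)
LURE_SAMPLE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://lure.example.com/book.html!x-usc:http://lure.example.com/book.html\r\n"
    "ShowCommand=7\r\n"
    "IconIndex=13\r\n"
    "IconFile=C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\r\n"
)

if __name__ == "__main__":
    for name, body in (("handbook.url", BENIGN_SAMPLE), ("Book.pdf.url", LURE_SAMPLE)):
        result = analyse_shortcut(body, name)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

Point `scan_directory` at a Downloads folder or a mounted image to triage in bulk; on a patched system the `mhtml:` link no longer reaches IE, but the shortcut is still a useful indicator that a lure was delivered.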
“The ability of APT groups like Void Banshee to exploit disabled services like IE poses a significant threat to organizations around the world,” Trend Micro says, which is why CISA’s July update mandate should be viewed universally – not just within federal agencies. Most large public and private organizations will seek to implement this as best practice, but given the prevalence of IE buried on PCs, all should be updated.
There’s an even broader issue here, Trend Micro adds. “The ability of threat actors to access unsupported system services and bypass modern web sandboxes, such as IE mode for Microsoft Edge, highlights a significant industry concern.” This warning is all the more critical set against the background of the slow shift from Windows 10 to Windows 11, with the older OS reaching end of support in October 2025.
Internet Explorer was a security nightmare when it was a live, supported browser. Now it is “particularly alarming,” warns Trend Micro, “because IE has historically been a huge attack surface, but now doesn’t receive further updates or security fixes.” Microsoft’s July patch has now unregistered the MHTML protocol handler from IE, disabling this type of attack.
Update now – if you haven’t already.