More than two years ago, Internet Explorer 11 reached end-of-life. Despite having passed from this mortal coil, death hasn’t stopped the browser of yore from continuing to do damage. Attackers are stealing information by secretly re-opening Microsoft Edge’s predecessor.
The attackers in question are Void Banshee. Security firm Trend Micro has been monitoring this group for quite some time. After Microsoft shared information about CVE-2024-43461, it has now become clear that this vulnerability was exploited by the cybercriminals. Void Banshee’s targets are in Europe, North America and Southeast Asia and are often robbed of sensitive data such as cookies and passwords.
Internet Explorer
The cybercriminals used both CVE-2024-43461 and vulnerability CVE-2024-38112, resolved in July, for their attack campaign. Both CVEs could be exploited through specially crafted .url files that caused Internet Explorer to open. Although this browser is long gone, its components remain present within Windows and can still make it function.
Windows' support for Braille also proved extremely useful for Void Banshee. The attackers were able to disguise a .hta (HTML Application) file as a PDF. The Braille script, a writing system for the visually impaired, contained an instruction in whitespace that hid the standard Windows warnings. Users could then choose to open or save the file. In the former case, Internet Explorer opened and the Atlantida InfoStealer was installed. This obtained cookies, passwords and usernames. Earlier coverage of this infostealer already showed how Internet Explorer lives on within Windows in a kind of zombie form and remains exploitable.
Although the attack covertly uses a legacy application, it is perfectly possible to defend against the attack method. For example, security solutions such as Symantec offer built-in protection against executing .url files which open Internet Explorer.
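Defenders can also hunt for the disguise described above by checking file names for blank-looking characters placed in front of an executable extension. The following Python check is an added example, not code from Trend Micro or from the original article; it assumes the padding is made of Braille blank characters (U+2800) or similar invisible code points sitting between a decoy extension and the real one, and its extension lists and sample names are constructed for illustration.

```python
import unicodedata

# Assumed lists for this example; tune them to your environment.
RISKY_EXTENSIONS = {".hta", ".url", ".lnk", ".js", ".vbs", ".scr", ".exe"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Blank-looking code points that are not classed as spaces or format characters.
BLANK_LOOKALIKES = {"\u2800", "\u3164"}  # Braille pattern blank, Hangul filler


def is_invisible(ch):
    """True if ch renders as empty space or nothing (a plain space is allowed)."""
    if ch == " ":
        return False
    return ch in BLANK_LOOKALIKES or unicodedata.category(ch) in {"Zs", "Cf", "Cc"}


def inspect_filename(name):
    """Return (code, detail) findings for one file name; an empty list means clean."""
    findings = []
    hidden = [ch for ch in name if is_invisible(ch)]
    if hidden:
        points = ", ".join(sorted({f"U+{ord(ch):04X}" for ch in hidden}))
        findings.append(("invisible-chars", f"{len(hidden)} x {points}"))
    # Drop the padding to recover the extension Windows will actually act on.
    visible = "".join(ch for ch in name if not is_invisible(ch)).strip()
    stem, dot, ext = visible.rpartition(".")
    real_ext = (dot + ext).lower() if dot else ""
    if real_ext in RISKY_EXTENSIONS:
        inner = stem.strip()  # also catches padding made of ordinary spaces
        decoy = "." + inner.rpartition(".")[2].lower() if "." in inner else ""
        if decoy in DECOY_EXTENSIONS:
            findings.append(("decoy-extension", f"{decoy} shown before {real_ext}"))
    return findings


# Constructed sample names, not taken from any real campaign.
SAMPLES = [
    "invoice.pdf" + "\u2800" * 20 + ".hta",
    "notes.txt" + " " * 30 + ".url",
    "quarterly report.pdf",
    "setup.hta",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", inspect_filename(sample) or "clean")
```

The same function can be run over download folders, mail attachment names or proxy logs; a plain `.hta` without a decoy is deliberately left to ordinary extension blocking rules.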