CVE-2024-38112: Null Spectre Focuses on Windows Users Via Zombie Internet Explorer in Fresh Zero-Day Strikes
Wrap-up
Throughout this investigation it became clear that, although end users may have lost access to IE, attackers can still abuse lingering Windows artifacts such as IE to infect users and organizations with ransomware and backdoors, or to use them as a gateway for deploying other malware variants. The ability of APT groups such as Null Spectre to exploit disabled services like IE poses a significant risk to organizations worldwide. Because services like IE expose a large attack surface and no longer receive updates, they are a critical security concern for Windows users. Moreover, the fact that threat actors can reach unsupported, disabled system services in order to bypass modern web sandboxes such as IE mode for Microsoft Edge highlights a notable industry-wide problem.
To raise the bar for software security and protect customers from zero-day attacks, Trend ZDI works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can use them in attacks. The ZDI Threat Hunting team also actively hunts for zero-day attacks in the wild to protect the industry. ZDI is the world's leading vendor-agnostic bug bounty program and discloses vulnerabilities to vendors at a rate 2.5 times higher.
Organizations can strengthen their protection against intrusions of this kind with Trend Vision One™️, a platform that lets security teams continuously identify their attack surface, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and manage potential risks, including vulnerabilities. It factors in key variables such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. All of these are backed by advanced threat research, intelligence, and AI, which shortens detection, response, and remediation times. In short, Vision One improves an organization's overall security posture and effectiveness, especially against zero-day attacks.
When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their systems are already compromised and act quickly to isolate affected data or toolchains. With a broader perspective and rapid response, organizations can contain breaches and protect their remaining systems, especially with technologies such as Trend Micro Endpoint Security and Trend Micro Network Security, together with comprehensive security solutions such as Trend Micro™ XDR, which can detect, investigate, and block malicious content across the modern threat landscape.
Trend safeguards
The following protections are in place to detect and protect Trend customers against the zero-day CVE-2024-38112 (ZDI-CAN-24433) and Atlantida malware exfiltration attempts.
Trend Vision One Format
- Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
- Svchost Executes Iexplorer
Trend Micro Cloud One – Network Security & TippingPoint Filters
- 44417 – ZDI-CAN-24433: Zero Day Initiative Vulnerability (Microsoft Windows)
- 44453 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Geo Information)
- 44454 – Trojan.Win32.AtlantidaStealer.A Runtime Detection (Exfil Data)
Trend Vision One Endpoint Security, Trend Cloud One – Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules
- 1012075 – Microsoft Windows Remote Code Execution Vulnerability Over SMB (ZDI-CAN-24433)
- 1012074 – Microsoft Windows Remote Code Execution Vulnerability (ZDI-CAN-24433)
MITRE ATT&CK techniques
| Tactic | Technique | Context |
|---|---|---|
| Initial Access | T1566.002 – Phishing: Spearphishing Link | Victim downloads malicious zip archive |
| Execution | T1204.002 – User Execution: Malicious File | Victim executes Internet Shortcut (.URL) file that exploits CVE-2024-38112 |
| Defense Evasion | T1218 – System Binary Proxy Execution | MHTML & x-usc directive handler open compromised site in Internet Explorer |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA) |
| Execution | T1204.002 – User Execution: Malicious File | Victim opens HTA file |
| Execution | T1059.005 – Command and Scripting Interpreter: VBScript | HTA application executes VBScript |
| Defense Evasion | T1027 – Obfuscated Files or Information | Obfuscated VBScript |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | VBScript downloads malicious PowerShell script |
| Execution | T1059.001 – Command and Scripting Interpreter: PowerShell | PowerShell script executes |
| Compromise Infrastructure | T1584.004 – Compromise Infrastructure: Server | PowerShell script downloads malicious .NET loader |
| Defense Evasion | T1027 – Obfuscated Files or Information | Obfuscated .NET loader |
| Privilege Escalation | T1055 – Process Injection | Atlantida uses process injection to gain persistence |
| Execution | T1218.009 – System Binary Proxy Execution: Regsvcs/Regasm | Atlantida abuses RegAsm.exe to proxy malicious code execution |
| Collection | T1560.001 – Archive via Utility | Atlantida encrypts data for exfiltration |
| Collection | T1005 – Data from Local System | Atlantida collects sensitive local system information |
| Collection | T1082 – System Information Discovery | Atlantida collects hardware information from the victim |
| Collection | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | Atlantida collects sensitive data from web browsers, including Chrome extension data |
| Collection | T1113 – Screen Capture | Atlantida takes screen captures of the victim machine |
| Exfiltration | T1041 – Exfiltration Over C&C Channel | Null Spectre exfiltrates stolen data to the C&C server |
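The first two steps of the chain above hinge on an Internet Shortcut (.URL) file whose target carries the MHTML scheme and an x-usc directive. As an added example (not code from the original post or from Trend), the Python checker below parses .URL files and flags those tokens; the sample files and the `placeholder.invalid` host are constructed for illustration.

```python
import configparser
import re

# Tokens named in the attack chain: an mhtml: scheme hands the link to the
# legacy MHTML handler, and a !x-usc: directive carries a second URL that is
# then opened in Internet Explorer rather than the default browser.
MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_DIRECTIVE = re.compile(r"!x-usc:", re.IGNORECASE)

# Constructed samples (not campaign artifacts). Windows stores .URL files as
# INI text with an [InternetShortcut] section and a URL= key.
BENIGN_SAMPLE = "[InternetShortcut]\nURL=https://example.com/\n"
SUSPICIOUS_SAMPLE = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://placeholder.invalid/a!x-usc:http://placeholder.invalid/b\n"
    "ShowCommand=7\n"
)


def decode_url_file(data: bytes) -> str:
    """Decode raw .URL bytes; Windows may save them as UTF-16 with a BOM."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def inspect_url_file(text: str) -> list:
    """Return human-readable findings for one .URL file's contents."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["unparseable .URL file: %s" % exc]
    if not parser.has_section("InternetShortcut"):
        return ["no [InternetShortcut] section"]
    url = parser.get("InternetShortcut", "URL", fallback="")
    findings = []
    if MHTML_SCHEME.match(url):
        findings.append("mhtml: scheme routes the link to the legacy MHTML handler")
    if XUSC_DIRECTIVE.search(url):
        findings.append("x-usc: directive opens a second URL in Internet Explorer")
    return findings


def is_suspicious(text: str) -> bool:
    """True when the file shows either token of the CVE-2024-38112 pattern."""
    return any(f.startswith(("mhtml", "x-usc")) for f in inspect_url_file(text))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, inspect_url_file(sample))
```

Feed `decode_url_file(open(path, "rb").read())` into `inspect_url_file` to scan files pulled from mail attachments or downloaded archives; flag any result from `is_suspicious` for analyst review.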
Indicators of Compromise (IOCs)
Retrieve the complete list of IOCs here.
