An advanced persistent threat (APT) group tracked as Void Banshee has been observed exploiting a newly disclosed security flaw in Microsoft's MHTML browser engine as a zero-day to deliver an information stealer called Atlantida.
Cybersecurity firm Trend Micro, which observed this activity in mid-May 2024, said the vulnerability, tracked as CVE-2024-38112, was used as part of a multi-stage attack chain built on specially crafted Internet Shortcut (URL) files.
"Atlantida variants were very active during 2024 and evolved to exploit CVE-2024-38112 as part of the Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said. "The ability of APT groups like Void Banshee to exploit disabled services like Internet Explorer poses a significant threat to organizations around the world."
These findings are consistent with previous reports from Check Point, which told The Hacker News about a campaign using the same flaw to spread stealer malware. It's worth noting that CVE-2024-38112 was addressed by Microsoft as part of last week's Patch Tuesday updates.
CVE-2024-38112 was described by Microsoft as a spoofing vulnerability in the MSHTML (aka Trident) browser engine used in the now-discontinued Internet Explorer browser. However, the Zero Day Initiative (ZDI) claims that this is a remote code execution bug.
"What happens when the vendor says the fix should be a defense-in-depth update instead of a full CVE?" ZDI's Dustin Childs noted. "What happens when the vendor claims the exposure is spoofing, but the bug leads to remote code execution?"
The attack chains involve phishing emails embedding links to ZIP archives hosted on file-sharing sites. The archives contain URL files that exploit CVE-2024-38112 to redirect the victim to a compromised site hosting a malicious HTML Application (HTA).
Opening the HTA file causes a Visual Basic Script (VBS) to run, which in turn downloads and runs a PowerShell script responsible for fetching a .NET trojan loader. That loader ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer within the memory of the RegAsm.exe process.
Atlantida, modeled on open-source stealers such as NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation and sensitive data from web browsers and other applications, including Telegram, Steam, FileZilla and various cryptocurrency wallets.
“Using specially crafted URL files that contained an MHTML protocol handler and an x-usc! directive, Void Banshee was able to access and run HTML application (HTA) files directly through a disabled IE process,” the researchers said.
"This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability used in zero-day attacks."
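From the defender's side, the two indicators the researchers describe (the mhtml: handler in the URL= field and an x-usc directive, usually pointing at an .hta) can be checked before a shortcut is ever opened. The following triage helper is an added example, not code from the article or from Trend Micro; the host names are placeholders and both samples are constructed.

```python
import configparser
import re

# Indicators named in the article: the mhtml: protocol handler forces the
# (nominally disabled) MSHTML/IE engine, and the x-usc directive redirects
# to a second location, in the reported chain an HTML Application (.hta).
MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_DIRECTIVE = re.compile(r"x-usc:", re.IGNORECASE)
HTA_TARGET = re.compile(r"\.hta(\b|$)", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section of a .url file as a dict."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:  # not INI-shaped at all
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))  # keys are lower-cased


def assess_url_file(text: str) -> dict:
    """Flag a shortcut whose URL= value carries the CVE-2024-38112 markers."""
    target = parse_url_file(text).get("url", "")
    findings = []
    if MHTML_SCHEME.search(target):
        findings.append("mhtml: handler forces MSHTML/IE rendering")
    if XUSC_DIRECTIVE.search(target):
        findings.append("x-usc directive redirects to a second location")
    if HTA_TARGET.search(target):
        findings.append("target is an HTML Application (.hta)")
    verdict = "suspicious" if len(findings) >= 2 else "no indicator"
    return {"url": target, "findings": findings, "verdict": verdict}


# Constructed samples (placeholder hosts), not real captures.
BENIGN = "[InternetShortcut]\nURL=https://example.invalid/docs\nIconIndex=0\n"
CRAFTED = ("[InternetShortcut]\nURL=mhtml:http://example.invalid/a!x-usc:"
           "http://example.invalid/b.hta\nIconIndex=0\n")

if __name__ == "__main__":
    for sample in (BENIGN, CRAFTED):
        print(assess_url_file(sample))
```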
Not much is known about Void Banshee, other than that it has long targeted North America, Europe and Southeast Asia for information theft and financial gain.
The development comes after Cloudflare discovered that threat actors are rapidly adding proof-of-concept (PoC) exploits to their arsenal, sometimes as little as 22 minutes after their public release, as seen in the case of CVE-2024-27198.
"The rate at which exposed CVEs are exploited is often faster than the rate at which people can create WAF rules or create and deploy patches to mitigate attacks," the web infrastructure company said.
It also follows the discovery of a new campaign using Facebook ads promoting fake Windows themes to spread another stealer known as SYS01, which aims to hijack business Facebook accounts and further distribute malware.
"As an information stealer, SYS01 focuses on stealing browser data such as credentials, history and cookies," Trustwave said. "Much of its payload is focused on obtaining access tokens for Facebook accounts, especially those with Facebook business accounts, which can help threat actors distribute malware."