Void Banshee APT Exploits Microsoft Zero-Day in Spear-Phishing Attacks

Published: 23/11/2024   Category: security




The threat group used CVE-2024-38112 and a zombie version of IE to spread Atlantida Stealer through purported PDF versions of reference books.



New details have emerged about how an advanced persistent threat (APT) group exploited an unpatched Microsoft zero-day in a spear-phishing campaign to spread the Atlantida Stealer, which lifts system information and sensitive data such as passwords and cookies from various applications.
A blog post published July 15 by Trend Micro sheds new light on how the APT, dubbed Void Banshee, used the flaw (CVE-2024-38112) against victims in North America, Europe, and Southeast Asia. The bug exists in the MSHTML (Trident) engine of the now-retired Internet Explorer (IE) browser, but it can be exploited on a victim's machine even if IE is disabled or is not the default browser.
"It's an alarming attack given that IE has historically been a vast attack surface but now receives no further updates or security fixes," Trend Micro senior threat researcher Peter Girnus and malware reverse engineer Aliakbar Zahravi wrote in the post.
The Void Banshee campaign lured victims via zip archives containing malicious files disguised as book PDFs, which were disseminated via cloud-sharing websites, Discord servers, and online libraries, among others, the researchers found. This is a typical tactic of the group, which tends to target victims both for information stealing and financial gain, they noted.
"[Atlantida] malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop," the researchers wrote. "Moreover, the malware captures the victim's screen and gathers comprehensive system information."
Separately, security researchers had already revealed that unidentified threat groups were exploiting the IE flaw — which was patched in Microsoft's July Patch Tuesday update — to spread Atlantida and other malware in malicious PDF files.
Microsoft described CVE-2024-38112 as a spoofing vulnerability that could have a high impact on system confidentiality, integrity, and availability if successfully exploited, but gave it only a moderately high severity rating of 7.5 out of 10 on the CVSS vulnerability-severity scale. That's because, for an attack to be successful, an attacker would need to convince a victim to interact with the weaponized URL file, among other factors.
Trend Micro's report provides new details about how Void Banshee got Windows users to do this: it convinced targets in a spear-phishing campaign to open URL shortcut files designed to look like PDF copies of a book — specifically, textbooks and reference materials such as Clinical Anatomy.
"This suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected," the researchers wrote.
A previously revealed attack vector described by Check Point security researcher Haifei Li detailed how malicious shortcuts could use IE — even if it's not the default browser — to open an attacker-controlled URL by calling the defunct browser instead of a more secure browser such as Chrome or Edge. The vector hid dangerous HTML application (HTA) files in PDF documents that looked safe to users.
Trend Micro's report describes how Void Banshee did this by distributing URL files that contained the MHTML protocol handler and the x-usc! directive, which allowed the group to access and run HTA files directly through the disabled IE process. When a victim opens what looks like an innocuous PDF, it instead opens the URL target in native IE through the iexplore.exe process.
"The Internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain," the researchers explained. "Using this HTML file, the attacker can also control the window view size of the website through IE. This is used by the threat actor to hide browser information and to mask the downloading of the next stage of the infection chain from the victim."
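The two shortcut-file traits the researchers single out, an MHTML protocol handler in the target and an x-usc directive, are cheap to check for at a mail gateway, on a file share, or in a sandbox triage step. The Python below is an added example written for this article, not Trend Micro's tooling; the two shortcut bodies, the example.invalid hostnames, and the finding labels are constructed for the demonstration.

```python
"""Flag Windows Internet Shortcut (.url) files carrying the CVE-2024-38112 lure pattern.

Added example for this article; not Trend Micro's code. The two shortcut bodies
below are constructed samples that use the reserved example.invalid host.
"""
import re

# Constructed sample: an ordinary shortcut to a PDF over HTTPS.
BENIGN_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=https://example.invalid/library/Clinical-Anatomy.pdf\r\n"
    "IconIndex=0\r\n"
)

# Constructed sample of the shape the article describes: an mhtml: target that
# carries an x-usc directive, so the link is handed to the MSHTML (IE) engine.
LURE_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://example.invalid/books/Clinical-Anatomy.pdf"
    "!x-usc:http://example.invalid/books/Clinical-Anatomy.pdf\r\n"
    "IconIndex=0\r\n"
)

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL_RE = re.compile(r"^\s*(?P<key>[^=;#\s][^=]*?)\s*=\s*(?P<val>.*?)\s*$")


def parse_internet_shortcut(content: str) -> dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section.

    The file is INI-like; the section name and keys are matched
    case-insensitively because Windows does so. Keys come back lower-cased.
    """
    fields: dict[str, str] = {}
    in_section = False
    for line in content.splitlines():
        section = _SECTION_RE.match(line)
        if section:
            in_section = section.group("name").strip().lower() == "internetshortcut"
            continue
        if not in_section:
            continue
        pair = _KEYVAL_RE.match(line)
        if pair:
            fields[pair.group("key").lower()] = pair.group("val")
    return fields


def scan_shortcut(filename: str, content: str) -> list[str]:
    """Return the indicator tags that make a .url file look like a CVE-2024-38112 lure."""
    findings: list[str] = []
    name = filename.lower()
    if name.endswith(".url") and name[:-4].endswith(".pdf"):
        findings.append("double-extension")   # "Book.pdf.url" masquerades as a PDF
    target = parse_internet_shortcut(content).get("url", "").lower()
    if target.startswith("mhtml:"):
        findings.append("mhtml-handler")      # forces the MSHTML protocol handler (IE)
    if "x-usc" in target:                     # loose match covers punctuation variants
        findings.append("x-usc-directive")    # nested URL that IE is told to fetch
    if re.search(r"\.hta(?:[?#]|$)", target):
        findings.append("hta-target")         # shortcut resolves straight to an HTA
    return findings


# Tags that on their own justify quarantining the file; the double-extension
# hint alone is only a weak signal and is reported but not acted on.
STRONG_INDICATORS = frozenset({"mhtml-handler", "x-usc-directive", "hta-target"})


def is_lure(filename: str, content: str) -> bool:
    """True when the shortcut shows at least one strong CVE-2024-38112 indicator."""
    return bool(STRONG_INDICATORS & set(scan_shortcut(filename, content)))


if __name__ == "__main__":
    for fname, body in (("reading-list.url", BENIGN_SHORTCUT),
                        ("Clinical-Anatomy.pdf.url", LURE_SHORTCUT)):
        print(f"{fname}: lure={is_lure(fname, body)} findings={scan_shortcut(fname, body)}")
```

The parser deliberately does not use `configparser`: shortcut files in the wild vary in casing and sometimes contain `%` sequences that would trip its interpolation, so a small case-insensitive INI walk is more robust for triage. Matching `x-usc` as a loose substring rather than a fixed spelling keeps the check from being defeated by trivial punctuation changes.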
As mentioned, the attack ultimately delivers the Atlantida stealer, which is built from open source stealers NecroStealer and PredatorTheStealer. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and Web browsers. The malware then compresses the stolen data into a zip file and sends it back to an attacker-controlled command-and-control (C2) site over TCP port 6655.
Overall, the attacks on CVE-2024-38112 demonstrate how even technology like IE that is no longer supported or even in active use at an organization can still pose a major threat, according to Trend Micro.
"Even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware," the researchers wrote.
"Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern Web sandboxes, such as IE mode for Microsoft Edge, poses a significant industry concern," they wrote.
Patching the flaw is the most obvious way to thwart current exploitation of the IE issue, the researchers noted. Trend Micro also included a list of MITRE ATT&CK techniques and a link to indicators of compromise (IoCs) in its post.
According to Trend Micro, organizations should also take a proactive approach and engage in advanced threat intelligence, as well as adopt a security posture that constantly monitors and scans software and other corporate network assets for potential flaws and other attack surfaces that could be exploited.
