Headline
Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer
An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack
Data Security / Vulnerability
An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida.
Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files.
“Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains,” security researchers Peter Girnus and Aliakbar Zahravi said. “The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide.”
The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortcoming to distribute the stealer. It’s worth noting that CVE-2024-38112 was addressed by Microsoft as part of Patch Tuesday updates last week.
CVE-2024-38112 has been described by the Windows maker as a spoofing vulnerability in the MSHTML (aka Trident) browser engine used in the now-discontinued Internet Explorer browser. However, the Zero Day Initiative (ZDI) has asserted that it’s a remote code execution flaw.
“What happens when the vendor states the fix should be a defense-in-depth update rather than a full CVE?,” ZDI’s Dustin Childs pointed out. “What happens when the vendor states the impact is spoofing but the bug results in remote code execution?”
Attack chains involve the use of spear-phishing emails embedding links to ZIP archive files hosted on file-sharing sites, which contain URL files that exploit CVE-2024-38112 to redirect the victim to a compromised site hosting a malicious HTML Application (HTA).
Opening the HTA file results in the execution of a Visual Basic Script (VBS) that, in turn, downloads and runs a PowerShell script responsible for retrieving a .NET trojan loader, which ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer inside RegAsm.exe process memory.
Atlantida, modeled on open-source stealers like NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation, and sensitive data from web browsers and other applications, including Telegram, Steam, FileZilla, and various cryptocurrency wallets.
“By using specially crafted URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process,” the researchers said.
“This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks.”
Not much is known about Void Banshee other than the fact that it has a history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.
The development comes as Cloudflare revealed that threat actors are swiftly incorporating proof-of-concept (PoC) exploits into their arsenal, sometimes as quickly as 22 minutes after their public release, as observed in the case of CVE-2024-27198.
“The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks,” the web infrastructure company said.
It also follows the discovery of a new campaign that leverages Facebook ads promoting fake Windows themes to distribute another stealer known as SYS01stealer that aims to hijack Facebook business accounts and further propagate the malware.
“Being an infostealer, SYS01 focuses on exfiltrating browser data such as credentials, history, and cookies,” Trustwave said. “A big chunk of its payload is focused on obtaining access tokens for Facebook accounts, specifically those with Facebook business accounts, which can aid the threat actors in spreading the malware.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.
Microsoft's September 2024 Patch Tuesday is here. Make sure you’ve applied the necessary patches!
This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.
Though IE was officially retired in June 2022, the vulnerability ramped up in January 2023 and has been going strong since.
Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers.
The threat group used CVE-2024-38112 and a "zombie" version of IE to spread Atlantida Stealer through purported PDF versions of reference books.
Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild. Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser
Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.
This Metasploit module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated remote code execution on the target TeamCity server. On older versions of TeamCity, access tokens do not exist so the exploit will instead create a new administrator account before uploading a plugin. Older versions of TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed, however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code execution instead, as this is supported on all versions tested.
Users of JetBrains TeamCity on-prmises server need to deal with two serious vulnerabilities.
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from
By Waqas LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data. This is a post from HackRead.com Read the original post: New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.
Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.
Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event. Alternative video link (for Russia): https://vk.com/video-149273431_456239091 As I did last year, I want to start talking about this […]
Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.
Proof of concept for the remote code execution vulnerability in MSDT known as Follina.
Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to. CVE-2022-31233 addresses the partial fix in CVE-2021-36338.
Microsoft MSHTML Remote Code Execution Vulnerability