Void Banshee APT Leverages Microsoft MHTML Vulnerability to Distribute Atlantida Stealer

Void Banshee APT Exploits Microsoft MHTML Vulnerability in Information Theft Campaign

An advanced persistent threat (APT) group known as Void Banshee has been detected leveraging a newly identified security vulnerability in the Microsoft MHTML browser engine. This zero-day exploit is being used to distribute an information-stealing malware known as Atlantida. Cybersecurity experts from Trend Micro reported observing this malicious activity in mid-May 2024, highlighting the seriousness of the situation. The vulnerability is classified as CVE-2024-38112 and was utilized in a multi-stage attack chain that involved specially designed internet shortcut files.

Trend Micro researchers Peter Girnus and Aliakbar Zahravi noted that variations of the Atlantida campaign have been persistently active throughout 2024, evolving to incorporate this specific vulnerability as a key component of Void Banshee’s infection strategy. The exploitation of services that are no longer active, such as Internet Explorer, poses significant risks to organizations globally, they explain.

The exploitation process begins with spear-phishing emails that include links to ZIP archives hosted on file-sharing platforms. These archives contain URL files designed to exploit CVE-2024-38112, which redirect victims to compromised websites hosting malicious HTML Application (HTA) files. Once the HTA file is opened, it executes a Visual Basic Script (VBS) that in turn downloads and executes a PowerShell script. This script retrieves a .NET trojan loader, which ultimately deploys the Atlantida stealer in the memory of the RegAsm.exe process.
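The chain above gives a defender a concrete process lineage to hunt for: an HTA host spawning a VBS host, which spawns PowerShell, which ends in RegAsm.exe. The following is an added detection example written for this article, not code from Trend Micro or the campaign itself. It assumes Sysmon-style process-creation records with ProcessId, ParentProcessId and Image fields, and it assumes that HTA files run under mshta.exe and VBS under wscript.exe or cscript.exe (the article names the script types, not the host binaries). The log lines are constructed for the example.

```python
"""
Flag process-creation chains matching the stages described for the
Void Banshee / Atlantida infection: HTA -> VBS -> PowerShell -> RegAsm.exe.

Assumptions (not from the article): Sysmon Event ID 1 field names, and
the host binaries mshta.exe (HTA) and wscript.exe/cscript.exe (VBS).
"""
import re

# Ordered stages of the described chain; each stage is a set of acceptable
# image names. Intermediate processes between stages are tolerated.
STAGES = [
    {"mshta.exe"},
    {"wscript.exe", "cscript.exe"},
    {"powershell.exe", "pwsh.exe"},
    {"regasm.exe"},
]

# key=value pairs; values are assumed to contain no whitespace
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry: one chain matching the described stages
# (pids 1100-1400) and one benign RegAsm.exe launched by a build tool.
SAMPLE_LOG = [
    "EventID=1 ProcessId=1000 ParentProcessId=500 Image=C:\\Windows\\explorer.exe",
    "EventID=1 ProcessId=1100 ParentProcessId=1000 Image=C:\\Windows\\System32\\mshta.exe",
    "EventID=1 ProcessId=1200 ParentProcessId=1100 Image=C:\\Windows\\System32\\wscript.exe",
    "EventID=1 ProcessId=1300 ParentProcessId=1200 "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "EventID=1 ProcessId=1400 ParentProcessId=1300 "
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
    "EventID=1 ProcessId=2000 ParentProcessId=1000 Image=C:\\tools\\msbuild.exe",
    "EventID=1 ProcessId=2100 ParentProcessId=2000 "
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
]


def parse_events(lines):
    """Index process-creation records by ProcessId."""
    events = {}
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        if "ProcessId" in fields and "Image" in fields:
            events[int(fields["ProcessId"])] = fields
    return events


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the given process up to the root (leaf first)."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(image_name(events[pid]["Image"]))
        pid = int(events[pid].get("ParentProcessId", -1))
    return chain


def matches_chain(leaf_first_chain):
    """True if every stage appears, in order, walking root to leaf."""
    stage = 0
    for name in reversed(leaf_first_chain):
        if stage < len(STAGES) and name in STAGES[stage]:
            stage += 1
    return stage == len(STAGES)


def find_suspicious(lines):
    """Return (pid, root-first chain) for each RegAsm.exe with a matching lineage."""
    events = parse_events(lines)
    hits = []
    for pid, ev in events.items():
        if image_name(ev["Image"]) in STAGES[-1]:
            chain = ancestry(events, pid)
            if matches_chain(chain):
                hits.append((pid, list(reversed(chain))))
    return hits


if __name__ == "__main__":
    for pid, chain in find_suspicious(SAMPLE_LOG):
        print(f"suspicious RegAsm.exe pid={pid}: {' -> '.join(chain)}")
```

The matcher tolerates extra processes between stages (for example a conhost.exe or a second PowerShell hop), which keeps it robust to minor variations of the loader; the benign RegAsm.exe started by a build tool is not flagged because its ancestry never passes through the HTA and VBS hosts.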

The cybersecurity community has noted parallels between this current campaign and previous vulnerabilities, specifically citing CVE-2021-40444, another MSHTML flaw that was similarly exploited in zero-day attacks. The rapid adaptation of threat actors, including their swift incorporation of proof-of-concept exploits following public disclosures, highlights the persistent nature of cyber threats in the current landscape. Notably, research from Cloudflare indicates that threat actors have been able to adopt new exploits in as little as 22 minutes after their announcement, making it increasingly challenging for security teams to keep defenses up to date.

Atlantida is modeled on open-source password theft tools and is engineered to extract various types of sensitive data from infected systems, including files, screenshots, geolocation data, and information related to applications such as Telegram, Steam, and popular cryptocurrency wallets. This type of malware is particularly concerning for business owners, as the potential for data breaches and the subsequent loss of sensitive customer information can lead to severe financial and reputational repercussions.

While Microsoft addressed CVE-2024-38112 in the recent Patch Tuesday updates, experts have criticized the characterization of the vulnerability. Microsoft referred to it as a spoofing issue within the MSHTML engine used by Internet Explorer, but the Zero Day Initiative has argued it should be classified as a remote code execution flaw. This disparity highlights the complexities surrounding vulnerability disclosures and the challenges organizations face in maintaining infrastructure security.

Given this threat landscape, organizations should assess their exposure and apply appropriate security measures against sophisticated attacks like those executed by Void Banshee. Mapped to the MITRE ATT&CK framework, the adversary tactics that may apply to this scenario include initial access through spear-phishing, execution via VBS and PowerShell scripts, and persistence through potential backdoor installations. Attacks of this sophistication underscore the need for robust cybersecurity practices and regular updates to security protocols.

In summary, the activity of the Void Banshee APT group represents a significant threat to businesses and individuals alike. As cyber threats continue to evolve, organizations must remain vigilant and proactive in safeguarding their digital assets against these increasingly complex attacks.
