Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer
An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida.
Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files.
“Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains,” security researchers Peter Girnus and Aliakbar Zahravi said. “The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide.”
The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortcoming to distribute the stealer. It’s worth noting that CVE-2024-38112 was addressed by Microsoft as part of Patch Tuesday updates last week.
CVE-2024-38112 has been described by the Windows maker as a spoofing vulnerability in the MSHTML (aka Trident) browser engine used in the now-discontinued Internet Explorer browser. However, the Zero Day Initiative (ZDI) has asserted that it’s a remote code execution flaw.
“What happens when the vendor states the fix should be a defense-in-depth update rather than a full CVE?,” ZDI’s Dustin Childs pointed out. “What happens when the vendor states the impact is spoofing but the bug results in remote code execution?”
Attack chains involve the use of spear-phishing emails embedding links to ZIP archive files hosted on file-sharing sites, which contain URL files that exploit CVE-2024-38112 to redirect the victim to a compromised site hosting a malicious HTML Application (HTA).
Opening the HTA file results in the execution of a Visual Basic Script (VBS) that, in turn, downloads and runs a PowerShell script responsible for retrieving a .NET trojan loader, which ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer inside RegAsm.exe process memory.
Atlantida, modeled on open-source stealers like NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation, and sensitive data from web browsers and other applications, including Telegram, Steam, FileZilla, and various cryptocurrency wallets.
“By using specially crafted URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process,” the researchers said.
“This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks.”
Not much is known about Void Banshee other than the fact that it has a history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.
The development comes as Cloudflare revealed that threat actors are swiftly incorporating proof-of-concept (PoC) exploits into their arsenal, sometimes as quickly as 22 minutes after their public release, as observed in the case of CVE-2024-27198.
“The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks,” the web infrastructure company said.
It also follows the discovery of a new campaign that leverages Facebook ads promoting fake Windows themes to distribute another stealer known as SYS01stealer that aims to hijack Facebook business accounts and further propagate the malware.
“Being an infostealer, SYS01 focuses on exfiltrating browser data such as credentials, history, and cookies,” Trustwave said. “A big chunk of its payload is focused on obtaining access tokens for Facebook accounts, specifically those with Facebook business accounts, which can aid the threat actors in spreading the malware.”