
Void Banshee APT Exploits Microsoft MHTML Flaw to Unfold Atlantida Stealer

An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida.

Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability, tracked as CVE-2024-38112, was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files.

"Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said. "The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide."


The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortcoming to distribute the stealer. It's worth noting that CVE-2024-38112 was addressed by Microsoft as part of Patch Tuesday updates last week.


CVE-2024-38112 has been described by the Windows maker as a spoofing vulnerability in the MSHTML (aka Trident) browser engine used in the now-discontinued Internet Explorer browser. However, the Zero Day Initiative (ZDI) has asserted that it is a remote code execution flaw.

"What happens when the vendor states the fix should be a defense-in-depth update rather than a full CVE?," ZDI's Dustin Childs pointed out. "What happens when the vendor states the impact is spoofing but the bug results in remote code execution?"

Attack chains involve the use of spear-phishing emails embedding links to ZIP archive files hosted on file-sharing sites, which contain URL files that exploit CVE-2024-38112 to redirect the victim to a compromised website hosting a malicious HTML Application (HTA).

Opening the HTA file results in the execution of a Visual Basic Script (VBS) that, in turn, downloads and runs a PowerShell script responsible for retrieving a .NET trojan loader, which ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer within RegAsm.exe process memory.


Atlantida, modeled on open-source stealers like NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation, and sensitive data from web browsers and other applications, including Telegram, Steam, FileZilla, and various cryptocurrency wallets.


"By using specially crafted URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process," the researchers said.

"This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks."
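The two markers the researchers name, the MHTML protocol handler and the x-usc! directive, are easy to look for in the URL= line of a Windows Internet Shortcut (.url) file. The following triage script is an added example, not code from Trend Micro, Check Point or the article: it parses the INI-like .url format, flags shortcuts whose URL= value uses either marker, and can walk a directory of files (for instance extracted e-mail attachments) to surface candidates for analysis. The sample shortcut contents are constructed, and the host names are placeholders.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

Added example, not code from Trend Micro, Check Point or the article.
It flags shortcuts whose URL= value uses the MHTML protocol handler or the
x-usc! directive, the two markers associated with the Void Banshee .url
files that exploit CVE-2024-38112. Sample inputs below are constructed;
the host names are placeholders.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Scheme prefix and directive the article associates with the malicious URL files.
MHTML_SCHEME_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_DIRECTIVE_RE = re.compile(r"!x-usc:", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section, keys lowercased.

    The .url format is INI-like; other sections and ';' comments are ignored.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def classify_url_file(text: str) -> List[str]:
    """Return the list of findings for one shortcut (an empty list means nothing matched)."""
    url = parse_url_file(text).get("url", "")
    findings: List[str] = []
    if MHTML_SCHEME_RE.search(url):
        findings.append("mhtml-protocol-handler")
    if XUSC_DIRECTIVE_RE.search(url):
        findings.append("x-usc-directive")
    return findings


def decode_url_file(data: bytes) -> str:
    """Decode a .url file; most are ANSI/UTF-8, some carry a UTF-16 byte-order mark."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Scan every *.url file under root; return {path: findings} for files that matched."""
    hits: Dict[str, List[str]] = {}
    for path in root.rglob("*.url"):
        try:
            findings = classify_url_file(decode_url_file(path.read_bytes()))
        except OSError:
            continue
        if findings:
            hits[str(path)] = findings
    return hits


# Constructed samples with placeholder hosts, not real artifacts from the campaign.
BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
SUSPICIOUS_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://placeholder.invalid/a!x-usc:http://placeholder.invalid/b\r\n"
)
MHTML_ONLY_SHORTCUT = "[InternetShortcut]\r\nURL=MHTML:http://placeholder.invalid/c\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python url_triage.py <directory-with-extracted-attachments>
        for hit_path, hit_findings in scan_directory(Path(sys.argv[1])).items():
            print(f"{hit_path}: {', '.join(hit_findings)}")
    else:
        samples = [("benign", BENIGN_SHORTCUT), ("suspicious", SUSPICIOUS_SHORTCUT),
                   ("mhtml-only", MHTML_ONLY_SHORTCUT)]
        for name, sample in samples:
            print(f"{name}: {classify_url_file(sample) or 'clean'}")
```

A match on either marker is a reason to pull the file for analysis, not proof of compromise on its own; pair it with the rest of the chain the article describes (an HTA fetched by a shortcut, mshta or script hosts spawning PowerShell, and RegAsm.exe running code it has no business running) when writing detections.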

Not much is known about Void Banshee other than the fact that it has a history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.

The development comes as Cloudflare revealed that threat actors are swiftly incorporating proof-of-concept (PoC) exploits into their arsenal, sometimes as quickly as 22 minutes after their public release, as observed in the case of CVE-2024-27198.

"The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks," the web infrastructure company said.


It also follows the discovery of a new campaign that leverages Facebook ads promoting fake Windows themes to distribute another stealer known as SYS01stealer, which aims to hijack Facebook business accounts and further propagate the malware.

"Being an infostealer, SYS01 focuses on exfiltrating browser data such as credentials, history, and cookies," Trustwave said. "A big chunk of its payload is focused on obtaining access tokens for Facebook accounts, especially those with Facebook business accounts, which can help the threat actors in spreading the malware."
