Microsoft confirms second 0-day exploited by Void Banshee APT (CVE-2024-43461)
CVE-2024-43461, a spoofing vulnerability affecting Windows MSHTML – a software component used by various apps for rendering render web pages on Windows – “was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024,” Microsoft has revealed.
The latter vulnerability was patched by the company in July 2024, and threat hunters with Trend Micro’s Zero Day Initiative explained that it had been used by the Void Banshee APT group to deliver Atlantida malware to targets around the world.
The attack chain in action
Based on analyzed samples of malicious files used in the attacks, Check Point researchers concluded that CVE-2024-38112 had likely been exploited in the wild for over a year.
CVE-2024-38112 was leveraged to force a URL file (posing as a PDF file) to be opened with Internet Explorer instead of the Edge browser. The URL lead to a page controlled by the attackers and triggered the download of a HTA file.
The specially crafted HTA (HTML application) file used CVE-2024-43461 to make it appead as a PDF file, hiding its true extension and its malicious nature from the user.
The HTA file carried a script that made use of PowerShell to download and execute an additional script, create a new process for it, download additional trojan loaders and deliver the Atlantida info-stealer.
CVE-2024-43461 fixed
A fix for CVE-2024-43461 was released last week. At the time, Microsoft did not classify it as “exploited”.
On Friday, though, the company confirmed it had been exploited, as part of an attack chain that they “broke” by releasing a fix for CVE-2024-38112 in July.
“Customers should both the July 2024 and September 2024 security update to fully protect themselves,” Microsoft said.