Void Banshee targets Windows users via recently patched MHTML bug

An advanced persistent threat (APT) group known as Void Banshee has been observed exploiting a recently patched security vulnerability in the Microsoft MHTML browser engine to deliver the Atlantida info-stealer.

Cybersecurity firm Trend Micro first observed the activity in mid-May 2024, involving the exploitation of CVE-2024-38112 as part of a multi-stage attack chain utilizing specially crafted internet shortcut (URL) files.

CVE-2024-38112 affects the Windows MSHTML Platform and can be exploited by a remote attacker to perform a spoofing attack and trick the victim into executing a specially crafted file. The issue impacts Microsoft Internet Explorer 11 through 11.1790.17763.0, Windows 11 23H2 before build 10.0.22631.3880, and Windows Server 2022 before build 10.0.20348.2582. According to Check Point Research, this flaw has been actively exploited in attacks for over a year to launch malicious scripts. The vulnerability was addressed as part of Microsoft’s July 2024 Patch Tuesday release.

“Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains,” said Trend Micro in its technical report. “The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide.”

Void Banshee leverages CVE-2024-38112 to infect victim machines with the Atlantida info-stealer, targeting sensitive data such as system information, passwords, and cookies from various applications.

Void Banshee lures victims with zip archives containing malicious files disguised as PDFs disseminated through cloud-sharing websites, Discord servers, and online libraries. The group's attacks have primarily targeted regions in North America, Europe, and Southeast Asia.

Void Banshee's attack methods involve abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML protocol, to reach the disabled Internet Explorer engine on Windows systems.
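Because the lure in this chain is an internet shortcut whose target uses the MHTML URI scheme rather than a plain web URL, one cheap triage check is to parse .URL files and flag any whose URL= key does not use http or https. The script below is an added example for defenders, not code from Trend Micro or Microsoft; the sample shortcut contents are constructed, the example.invalid hostnames are placeholders, and the set of "expected" schemes is an assumption you should adjust to your environment.

```python
"""Triage Windows Internet Shortcut (.URL) files for non-web URL schemes.

A .URL file is INI-style text with an [InternetShortcut] section and a URL=
key. A legitimate shortcut points at an http(s) URL; a target using the
mhtml: scheme hands the link to the MSHTML engine, which is the behaviour
abused in the campaign described above, so it is worth a closer look.
"""
import configparser
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Schemes a normal browser shortcut is expected to use (assumption).
EXPECTED_SCHEMES = {"http", "https"}

# Constructed sample contents (not real lures).
BENIGN_SAMPLE = "[InternetShortcut]\r\nURL=https://example.invalid/report.pdf\r\n"
SUSPECT_SAMPLE = "[InternetShortcut]\r\nURL=mhtml:http://example.invalid/report.pdf\r\n"


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not an INI-style file, or no section header
    if not cp.has_section("InternetShortcut"):
        return None
    # configparser lower-cases option names, so "URL" and "url" both match.
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_shortcut(text: str) -> Dict[str, Optional[object]]:
    """Classify one shortcut's contents; 'suspicious' is True for non-web schemes."""
    url = parse_internet_shortcut(text)
    if url is None:
        return {"url": None, "scheme": None, "suspicious": False, "reason": "no URL= key"}
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme == "mhtml":
        reason = "mhtml: scheme routes the target to the MSHTML engine"
        return {"url": url, "scheme": scheme, "suspicious": True, "reason": reason}
    if scheme not in EXPECTED_SCHEMES:
        return {"url": url, "scheme": scheme, "suspicious": True,
                "reason": f"unexpected scheme {scheme!r}"}
    return {"url": url, "scheme": scheme, "suspicious": False, "reason": "web URL"}


def scan_directory(root: str) -> List[Dict[str, Optional[object]]]:
    """Walk a directory tree and return findings for every suspicious *.url file."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".url":
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        result = classify_shortcut(text)
        if result["suspicious"]:
            result["path"] = str(path)
            findings.append(result)
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, classify_shortcut(sample))
```

Point scan_directory at a downloads folder or an extracted archive to list every shortcut that does not use a plain web scheme; the mhtml: case is called out separately so it can be prioritised, while other unexpected schemes are reported for manual review.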

“In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware,” Trend Micro noted.
