Void Banshee APT Group Exploits Windows MSHTML Spoofing Vulnerability
September 15, 2024
The Void Banshee APT group exploited a Windows MSHTML spoofing vulnerability, identified as CVE-2024-43461, for zero-day attacks before it was patched by Microsoft. This information was provided by Peter Girnus, a Senior Threat Researcher at Trend Micro's Zero Day.
The APT group primarily targets organizations in North America, Europe, and Southeast Asia to steal data and for financial gain. The group used the CVE-2024-43461 flaw to install the Atlantida info-stealer malware, which is capable of stealing passwords, authentication cookies, and cryptocurrency wallets from infected devices.
The group also exploited another zero-day, CVE-2024-38112, to force Windows to open malicious websites in Internet Explorer instead of Microsoft Edge. This was achieved by using specially crafted shortcut files. 'Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,' explained Check Point researcher Haifei Li.
These URLs were used to download a malicious HTA file and prompt the user to open it. A script would then run to install the Atlantida info-stealer. The HTA files used a different zero-day, CVE-2024-43461, to hide the .hta file extension and make the file appear as a PDF when Windows prompted users whether to open it.
The CVE-2024-43461 flaw was also used in the Void Banshee attacks to create a CWE-451 condition through HTA file names that included 26 encoded braille whitespace characters (%E2%A0%80) to hide the .hta extension. This made the HTA files appear as PDF files, increasing the likelihood of them being opened.
After the security update for CVE-2024-43461, the whitespace is not stripped, but Windows now shows the actual .hta extension for the file in prompts. However, this fix is not perfect, as the included whitespace will likely still confuse people into thinking the file is a PDF rather than an HTA file.
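As an added example (not code from the article or the researchers it cites), the check below is one a mail gateway or download-scanning script could apply to file names: it decodes the URL-encoded name, counts invisible padding characters such as the braille blank (%E2%A0%80, U+2800), and compares the extension a user would see before the padding with the extension Windows actually uses to pick a handler. The sample names are constructed to mirror the pattern the article describes; the set of invisible characters beyond the braille blank is an assumption that generalises the same trick.

```python
import os
from urllib.parse import unquote

# Braille Pattern Blank (U+2800); appeared URL-encoded as %E2%A0%80 in this campaign.
BRAILLE_BLANK = "\u2800"
# Assumption: other zero-width characters that could be used for the same padding trick.
INVISIBLE = {BRAILLE_BLANK, "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Extensions that run script or code when a user opens the file from a prompt.
RISKY_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr",
              ".cmd", ".bat", ".ps1", ".lnk"}


def analyze_filename(raw_name: str) -> dict:
    """Decode a possibly URL-encoded filename and report extension spoofing."""
    name = unquote(raw_name)  # turns %E2%A0%80 into U+2800
    padding = sum(1 for ch in name if ch in INVISIBLE)
    # The real extension is the last one: that is what Windows uses for the handler.
    real_ext = os.path.splitext(name)[1].lower()
    # The visible portion is everything before the first invisible character.
    visible = name
    for ch in INVISIBLE:
        visible = visible.split(ch, 1)[0]
    visible_ext = os.path.splitext(visible)[1].lower()
    # Spoofed: padding is present and the visible extension differs from the real one.
    spoofed = padding > 0 and visible_ext != "" and visible_ext != real_ext
    return {
        "decoded": name,
        "visible_ext": visible_ext,
        "real_ext": real_ext,
        "padding_chars": padding,
        "spoofed": spoofed,
        "flag": spoofed and real_ext in RISKY_EXTS,
    }


def scan(names):
    """Return the analysis for every name that should be flagged."""
    return [r for r in (analyze_filename(n) for n in names) if r["flag"]]


if __name__ == "__main__":
    # Constructed samples: one URL-encoded lure name with 26 braille blanks, one benign name.
    samples = [
        "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta",
        "quarterly_report.pdf",
    ]
    for hit in scan(samples):
        print(f"flagged: looks like {hit['visible_ext']}, really {hit['real_ext']}, "
              f"{hit['padding_chars']} padding chars")
```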
In addition to CVE-2024-43461, Microsoft patched three other actively exploited zero-days in the September Patch Tuesday, including CVE-2024-38217, which was exploited in LNK stomping attacks to bypass the Mark of the Web security feature.