Advanced Persistent Threat Group ‘Void Banshee’ Exploits Microsoft Zero-Day Vulnerabilities

September 16, 2024

Microsoft has reclassified a bug that was fixed in the recent Patch Tuesday update as a zero-day vulnerability. This vulnerability, identified as CVE-2024-43461, resides in the legacy MSHTML (Trident) browser engine. This engine is still included in Windows to maintain backward compatibility. The advanced persistent threat group 'Void Banshee' has been exploiting this bug since before July. The vulnerability affects all supported versions of Windows and allows remote attackers to execute arbitrary code on the affected systems. However, for any exploit to work, the attacker would need to convince a potential victim to visit a malicious web page or to click on an unsafe link.

When Microsoft initially disclosed the bug on September 10, it assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale, without any mention of it being a zero-day bug. The company revised this assessment on September 13 to indicate that attackers had been actively exploiting the flaw. This was part of an attack chain related to CVE-2024-38112, another MSHTML platform spoofing vulnerability that Microsoft patched in July 2024. Microsoft stated in its updated advisory, 'We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain.'

Following Microsoft's update, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its known exploited vulnerabilities database on September 16, setting a deadline of October 7 for federal agencies to implement the vendor's mitigations. CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to display misleading data in the user interface. Check Point Research, credited by Microsoft for discovering CVE-2024-38112, described the flaw as allowing an adversary to send a crafted URL or an Internet shortcut file that would trigger Internet Explorer to open a malicious URL, even when Internet Explorer is disabled.

Threat actors have also been observed using a unique trick to make malicious HTML application (HTA) files appear as harmless PDF documents when exploiting the flaw. The threat actor 'Void Banshee' has been exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks observed by Trend Micro, the threat actor lured victims using malicious files disguised as book PDFs, distributed via Discord servers and file-sharing websites. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.

According to Microsoft's updated advisory, attackers have been using CVE-2024-43461 as part of an attack chain that also involves CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well against CVE-2024-43461, as the two are near-identical flaws. The attackers were exploiting CVE-2024-43461, and it was assumed that the patch for CVE-2024-38112 had fixed the issue. However, the spoofing vulnerability had not been fixed, and Microsoft was promptly alerted.

The flaw CVE-2024-38112, exploited by Void Banshee, is a prime example of how organizations can get tripped up by unsupported Windows relics such as MSHTML, and end up having attackers drop ransomware, backdoors, and other malware on their systems. A study conducted by Sevco showed that more than 10% of 500,000 Windows 10 and Windows 11 systems were missing any kind of endpoint protection control and nearly 9% were missing controls for patch management, leaving them completely blind to threats. Greg Fitzgerald, co-founder of Sevco, emphasized the importance of patching this vulnerability and the need for comprehensive endpoint security and patch management controls to prevent exploitation of vulnerabilities like CVE-2024-43461.
