Void Banshee APT Exploits Microsoft Zero-Day to Launch Spear-Phishing Attacks

July 16, 2024

The Void Banshee advanced persistent threat (APT) group has been exploiting a yet-to-be-patched Microsoft zero-day vulnerability, CVE-2024-38112, in a spear-phishing campaign to propagate the Atlantida Stealer malware. This malware is designed to extract system information and sensitive data, such as passwords and cookies, from various applications.

A July 15 blog post from cybersecurity firm Trend Micro provides new insights into the APT's tactics. The Void Banshee APT leveraged the CVE-2024-38112 vulnerability against victims in North America, Europe, and Southeast Asia. The flaw resides in the MSHTML (Trident) engine for the now-defunct Internet Explorer (IE) browser but can still be exploited on a victim's machine, regardless of whether IE is disabled or not set as the default browser.

Peter Girnus, a senior threat researcher at Trend Micro, and Aliakbar Zahravi, a malware reverse engineer, called the attack 'alarming.' They noted that IE, which 'historically has been a vast attack surface but now receives no further updates or security fixes,' remains a potent threat.

The Void Banshee campaign tricked victims into opening zip archives containing malicious files disguised as book PDFs. These files were distributed via cloud-sharing websites, Discord servers, and online libraries, among other platforms. This strategy aligns with the group's usual modus operandi, which often targets victims for both information theft and financial gain.

'[Atlantida] malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop,' the researchers wrote. 'Moreover, the malware captures the victim's screen and gathers comprehensive system information.'

Security researchers had previously disclosed that unidentified threat groups were exploiting the IE flaw, patched in Microsoft's July Patch Tuesday update, to spread Atlantida and other malware through malicious PDF files. Microsoft characterized CVE-2024-38112 as a spoofing vulnerability that could significantly impact system confidentiality, integrity, and availability if successfully exploited. However, it only assigned it a moderately high severity rating of 7.5 out of 10 on the CVSS vulnerability-severity scale.

The report from Trend Micro offered fresh details about how Void Banshee persuaded Windows users to interact with the weaponized URL file. The APT conducted a spear-phishing campaign, tricking targets into opening URL shortcut files masquerading as PDF copies of textbooks and reference materials. The researchers suggested that the campaign was likely targeting highly skilled professionals and students who frequently use reference materials and digital book collections.

The Atlantida stealer, built from the open-source stealers NecroStealer and PredatorTheStealer, targets sensitive data from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and Web browsers. The malware then compresses the stolen data into a zip file and transmits it to an attacker-controlled command-and-control (C2) server over TCP port 6655.
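As an added example (not code from the article or from Trend Micro), the following defender-side triage script in Python covers the two artifacts described above: it parses Windows Internet Shortcut (.url) files, the lure format the campaign disguised as PDF textbooks, and flags document-style double extensions and non-web target schemes; it then scans flow-log lines for outbound TCP 6655, the C2 port named above. The sample shortcut contents, file names, and RFC 5737 addresses are constructed, and the two shortcut heuristics are assumptions, not indicators from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .url files (not from the article): a lure-style document name
# pointing at a non-web target, and an ordinary web shortcut for contrast.
SAMPLE_URL_FILES = {
    "Linear Algebra 4th Edition.pdf.url":
        "[InternetShortcut]\r\nURL=file://share.example.invalid/books/open.hta\r\nIconIndex=0\r\n",
    "Company Wiki.url": "[InternetShortcut]\r\nURL=https://wiki.example.invalid/\r\n",
}

def parse_internet_shortcut(text):
    """Return the [InternetShortcut] section of a Windows .url file (INI syntax), keys lower-cased."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def shortcut_findings(name, text):
    """Triage one .url file; both heuristics are assumptions, not IoCs from the report."""
    findings = []
    if re.search(r"\.(pdf|docx?|xlsx?|epub)\.url$", name, re.I):
        findings.append("document-style double extension")
    scheme = urlsplit(parse_internet_shortcut(text).get("url", "")).scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(f"non-web target scheme '{scheme or '(none)'}'")
    return findings

# Constructed flow records "src dst dport proto" using RFC 5737 test addresses.
SAMPLE_FLOWS = [
    "10.0.0.5 203.0.113.7 443 tcp",
    "10.0.0.5 203.0.113.9 6655 tcp",
    "10.0.0.8 203.0.113.9 6655 udp",   # same port, wrong protocol: not flagged
]

def flows_to_port(lines, port=6655):
    """Return (src, dst) pairs for TCP flows to the given destination port (6655 = Atlantida C2 port above)."""
    hits = []
    for line in lines:
        src, dst, dport, proto = line.split()
        if proto == "tcp" and int(dport) == port:
            hits.append((src, dst))
    return hits
```

A port match on its own is a weak signal; it is meant to be combined with the file-name and scheme findings, or with the IoCs Trend Micro published, before raising an alert.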

The researchers concluded by highlighting the continued threat posed by unsupported technology like IE. They warned that threat actors could still exploit 'lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware.' Furthermore, the ability of threat actors to exploit unsupported and disabled system services to bypass modern Web sandboxes, such as IE mode for Microsoft Edge, is a 'significant industry concern,' they wrote.

Patching the flaw is the most effective way to prevent current exploitation of the IE issue. Trend Micro also provided a list of MITRE ATT&CK techniques and a link to indicators of compromise (IoCs) in its post. The researchers recommended that organizations adopt a proactive stance, engage in advanced threat intelligence, and continuously monitor scanning software and other corporate network assets for potential vulnerabilities and attack surfaces.
