Void Banshee APT Exploits Microsoft Zero-Day in Spear-Phishing Attacks

New details have emerged about how an advanced persistent threat (APT) group exploited an unpatched Microsoft zero-day in a spear-phishing campaign to spread the Atlantida Stealer, which lifts system information and sensitive data such as passwords and cookies from various applications.

A blog post published July 15 by Trend Micro sheds new light on how the APT, dubbed Void Banshee, which used the flaw (CVE-2024-38112)against victims in North America, Europe, and Southeast Asia. The bug exists in the MSHTML (Trident) engine for the now retired Internet Explorer (IE) browser, but it can be exploited on a victim's machine even if IE is disabled or not the default browser.

It's an "alarming" attack given that IE has "historically been a vast attack surface but now receives no further updates or security fixes," Trend Micro senior threat researcher Peter Girnus and malware reverse engineer Aliakbar Zahravi wrote in the post.

The Void Banshee campaign lured victims via zip archives containing malicious files disguised as book PDFs that were disseminated via cloud-sharing websites, Discord servers, and online libraries, among others sectors, the researchers found. This is a typical tactic of the group, which tends to target victims both for information stealing and financial gain, they noted.

"[Atlantida] malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop," the researchers wrote. "Moreover, the malware captures the victim's screen and gathers comprehensive system information."

New Details on Zero-Day Exploitation

Separately, security researchers already had revealed that unidentified threat groups were exploiting the IE flaw — which was patched in Microsoft's July Patch Tuesday update— to spread Atlantida and other malware in malicious PDF files.

Microsoft described CVE-2024-38112 as a spoofing vulnerability that could have a high impact on system confidentiality, integrity, and availability if successfully exploited, but only gave it a moderately high severity rating of 7.5 out of 10 on the CVSS vulnerability-severity scale. That's because that for an attack to be successful, an attacker would need to convince a victim to interact with the weaponized URL file, among other factors.

Trend Micro's report provides new details about how Void Banshee was able to get Windows users to do this by convincing targets in a spear-phishing campaign to open URL shortcut files designed to look like PDF copies of a book — specifically, textbooks and reference materials such as "Clinical Anatomy."

This "suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected," the researchers wrote.

CVE-2024-38112 Exploitation & Payload Behavior

A previously revealed attack vector described by Check Point security researcher Haifei Li detailed how malicious shortcuts when could use IE — even if it's not the default browser — to open an attacker-controlled URL by calling the defunct browser instead of a more secure browser such as Chrome or Edge. The vector hid dangerous HTML application (HTA) files in PDF documents that looked safe to users.

Trend Micro's report describes how Void Banshee did this by distributing URL files that contained the MHTML protocol handler and the x-usc! directive, which allowed the group to access and run HTA files directly through the disabled IE process. When a victim opens what looks like an innocuous PDF, it instead opens the URL target in the native IE through the iexplore.exe process.

"The Internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain," the researchers explained. "Using this HTML file, the attacker can also control the window view size of the website through IE. This is used by the threat actor to hide browser information and to mask the downloading of the next stage of the infection chain from the victim."

As mentioned, the attack ultimately delivers the Atlantida stealer, which is built from open source stealers NecroStealer and PredatorTheStealer. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and Web browsers. The malware then compresses the stolen data into a zip file and sends it back to an attacker-controlled command-and-control (C2) site over TCP port 6655.

"Zombie Relics" Like IE Remain Dangerous

Overall, the attacks on CVE-2024-38112 demonstrate how even technology like IE that is no longer supported or even in active use at an organization can still pose a major threat, according to Trend Micro.

"Even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware," the researchers wrote.

Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern Web sandboxes, such as IE mode for Microsoft Edge, poses "a significant industry concern," they wrote.

Patching the flaw is the most obvious way to thwart current exploitation of the IE issue, the researchers noted. Trend Micro also included a list of MITRE ATT&CK techniques and a link to indicators of compromise (IoCs) in its post.

According to Trend Micro, organizations also should take a proactive approach and engage in advanced threat intelligence as well as adopt a security posture that is constantly monitoring scanning software and other corporate network assets for potential flaws and other attack surfaces that potentially can be exploited.