Security News > 2024 > July > Void Banshee APT exploited “lingering Windows relic” in zero-day attacks

The zero-day exploit used to leverage CVE-2024-38112, a recently patched Windows MSHTML vulnerability, was wielded by an APT group dubbed Void Banshee to deliver malware to targets in North America, Europe, and Southeast Asia, threat hunters with Trend Micro's Zero Day Initiative have shared.

As previously explained by Check Point researcher Haifei Li, the attackers used files that were specially crafted to exploit the vulnerability but were made to look like PDFs. "The threat actor leveraged CVE-2024-38112 to execute malicious code by abusing the MHTML protocol handler and x-usc directives through internet shortcut files. Using this technique, the threat actor was able to access and run files directly through the disabled Internet Explorer instance on Windows machines," Trend Micro researchers noted.

The threat actors used spear-phishing tactics to direct targets to ZIP files containing copies of books in PDF format, along with malicious files disguised as PDFs. The ZIP files were hosted on online libraries, cloud sharing sites, Discord, and compromised websites.

"Some PDF lures we uncovered during our analysis of the Void Banshee campaign include textbooks and reference material such as Clinical Anatomy, which suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected," the threat hunters say.

"The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide," Trend Micro threat hunters noted.

Microsoft released fixes for the vulnerability on July 2024 Patch Tuesday that make it so that MHTML can no longer be used inside internet shortcut files, and credited the former in the vulnerability's security advisory.

News URL

https://www.helpnetsecurity.com/2024/07/16/cve-2024-38112-void-banshee/