Security News > 2024 > July > Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer
2024-07-16 09:00

An advanced persistent threat group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida.

"Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said.

"The ability of APT groups like Void Banshee to exploit disabled services such as poses a significant threat to organizations worldwide."

Opening the HTA file results in the execution of a Visual Basic Script that, in turn, downloads and runs a PowerShell script responsible for retrieving a.NET trojan loader, which ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer inside RegAsm.

"By using specially crafted URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application files directly through the disabled IE process," the researchers said.

Not much is known about Void Banshee other than the fact that it has a history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.


News URL

https://thehackernews.com/2024/07/void-banshee-apt-exploits-microsoft.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-07-09 CVE-2024-38112 Unspecified vulnerability in Microsoft products
Windows MSHTML Platform Spoofing Vulnerability
0.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400