A recent spear-phishing campaign conducted by an advanced persistent threat (APT) group tracked as Void Banshee has revealed new details about how the group exploited a then-unpatched Microsoft zero-day vulnerability to spread the Atlantida Stealer. This malware collects sensitive information, including saved passwords, browser cookies, and system data, from a range of applications on the infected machine.
The vulnerability, identified as CVE-2024-38112, is a spoofing flaw in the MSHTML engine that powered the now-retired Internet Explorer (IE) browser. Although IE was retired in 2022 and is disabled on current Windows releases, MSHTML is still shipped as a Windows component, and the flaw lets an attacker force content to be rendered by IE even on machines where IE is disabled or is not the default browser. That is what makes it a concerning attack vector: the IE browser itself is no longer maintained, so users remained exposed until Microsoft shipped a Windows-level fix for CVE-2024-38112 in its July 2024 security updates.
Void Banshee targeted victims in North America, Europe, and Southeast Asia by distributing malicious files disguised as PDF copies of books, packaged in zip archives and hosted on cloud-sharing websites, Discord servers, and online libraries. Posing as PDFs is a common lure; here it served the group's goal of stealing sensitive information for financial gain.
The malware deployed in this campaign focuses on extracting stored credentials and capturing comprehensive system information from infected machines. The lures themselves were Windows Internet Shortcut (.url) files presented as PDF copies of books, so that a victim who expected to open a document instead launched the shortcut. Because the bait was reference material, the campaign was well suited to professionals and students who frequent online libraries, which shows deliberate targeting rather than indiscriminate spam.
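As an added example (not code from the article or from Trend Micro's report), the following Python triage script inspects the .url files inside a downloaded zip archive before anyone double-clicks them. It assumes the publicly documented exploitation pattern for CVE-2024-38112, in which the shortcut's URL= target begins with the mhtml: protocol handler, optionally carrying an !x-usc: directive, so that Windows hands the link to MSHTML/IE instead of the default browser. The archive, file names and URLs below are constructed for the demonstration; the hostnames use the reserved .invalid TLD.

```python
import io
import re
import zipfile
from typing import Dict, List

# Constructed sample .url bodies (not real campaign artefacts). The first one
# mimics the documented abuse pattern: the URL= target starts with "mhtml:",
# which Windows routes to the retired IE/MSHTML engine regardless of the
# default browser, and uses "!x-usc:" to redirect to a second URL.
SAMPLE_LURE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://lure.example.invalid/Books/Tax_Law_Handbook.pdf"
    "!x-usc:http://lure.example.invalid/Books/Tax_Law_Handbook.pdf\r\n"
    "IconIndex=13\r\n"
)
SAMPLE_BENIGN = (
    "[InternetShortcut]\r\n"
    "URL=https://docs.example.invalid/reading_list.html\r\n"
)

# Detection patterns for the URL= target and the file name.
MHTML_HANDLER = re.compile(r"^mhtml:", re.IGNORECASE)
XUSC_DIRECTIVE = re.compile(r"!x-usc:", re.IGNORECASE)
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.url$", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the INI-style body of a Windows Internet Shortcut (.url).

    Returns the key/value pairs of the [InternetShortcut] section with keys
    lower-cased. A hand-written parser is used instead of configparser so that
    '%' characters in URLs and a UTF-8 BOM do not break parsing.
    """
    section = None
    fields: Dict[str, str] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def assess_url_file(filename: str, text: str) -> List[str]:
    """Return human-readable findings for one .url file; empty means clean."""
    findings: List[str] = []
    target = parse_url_file(text).get("url", "")
    if MHTML_HANDLER.match(target):
        findings.append("URL target begins with mhtml: (forces rendering through MSHTML/IE)")
    if XUSC_DIRECTIVE.search(target):
        findings.append("URL target carries an !x-usc: directive (embedded redirect)")
    if DOC_DOUBLE_EXT.search(filename.rsplit("/", 1)[-1]):
        findings.append("file name uses a document double extension to pose as a PDF/Office file")
    return findings


def scan_archive(data: bytes) -> Dict[str, List[str]]:
    """Scan every .url member of an in-memory zip; map member name -> findings."""
    results: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            results[info.filename] = assess_url_file(info.filename, text)
    return results


def build_sample_archive() -> bytes:
    """Build a constructed zip resembling a 'book' archive with one lure inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Books/Tax_Law_Handbook.pdf.url", SAMPLE_LURE)
        zf.writestr("Books/reading_list.url", SAMPLE_BENIGN)
        zf.writestr("Books/README.txt", "constructed filler, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_archive()).items():
        verdict = "SUSPICIOUS" if findings else "clean"
        print(f"{member}: {verdict}")
        for f in findings:
            print(f"    - {f}")
```

The mhtml: check is the one that matters: a legitimate shortcut to a document never needs to invoke the MHTML handler, so a single match is enough to quarantine the archive. The double-extension check is a weaker signal on its own (it also fires on sloppy but harmless shortcuts), which is why the script reports findings separately rather than a single score.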
Void Banshee leveraged the CVE-2024-38112 exploit to execute a multi-stage attack that ultimately delivered the Atlantida Stealer. This malware, derived from the open-source stealers NecroStealer and PredatorTheStealer, targets data from applications such as Telegram, Steam, FileZilla, cryptocurrency wallets, and web browsers. The stolen data is compressed into a zip file and sent to an attacker-controlled command-and-control server.
The report emphasizes the continued threat posed by legacy technologies like IE even when an organization no longer actively uses them. Threat actors can exploit these "zombie relics" to infect users with ransomware, backdoors, or other malware, sidestepping the protections of the modern browser that is supposed to handle web content. Trend Micro's researchers stress that applying the fix for CVE-2024-38112 is crucial; note that the fix arrives through regular Windows updates, not through the retired IE browser, so a host is protected only if its Windows patch level is current.
Organizations are advised to adopt proactive security measures, such as consuming advanced threat intelligence and continuously monitoring their networks for exploitable weaknesses. In this case that means keeping Windows patched, treating .url shortcut files that arrive inside archives as suspicious, and investigating IE processes that start on hosts where the browser is supposed to be disabled. By staying vigilant and addressing security flaws promptly, businesses can reduce the risk of falling victim to sophisticated attacks like those orchestrated by APT groups such as Void Banshee.