July 15, 2024 at 10:55AM
CVE-2024-38112, a zero-day exploited by the APT group Void Banshee, allowed them to access and execute files through the disabled Internet Explorer via MSHTML. The vulnerability was promptly reported to Microsoft and patched. Void Banshee lured victims with zip archives containing malicious files disguised as PDFs, targeting North America, Europe, and Southeast Asia. This attack demonstrates how unsupported Windows relics can still be exploited.
Based on the meeting notes, the key takeaways are:
1. A zero-day vulnerability, CVE-2024-38112, was identified by threat hunters under Trend Micro’s Zero Day Initiative. It was used by the APT group Void Banshee to exploit the disabled Internet Explorer through MSHTML and execute files.
2. The vulnerability was used as part of an attack chain to infect victim machines with the Atlantida info-stealer, which pilfers system information and sensitive data from various applications.
3. Void Banshee’s attack was primarily concentrated in North America, Europe, and Southeast Asia, and it exploited unsupported Windows relics like Internet Explorer to infect users with ransomware or other kinds of malware.
4. The vulnerability was patched as part of the July 2024 Patch Tuesday, and Microsoft unregistered the MHTML handler from Internet Explorer, rendering it no longer usable inside internet shortcut files.
5. The meeting also detailed the technical analysis of the attack chain, including the stages of the attack, such as spearphishing links, malicious internet shortcut files, HTML file downloader, VBScript in the HTA file, PowerShell trojan downloader, .NET trojan loader, Donut loader, and the final payload, Atlantida stealer.
6. The meeting highlighted the MITRE ATT&CK techniques used in the attack, such as Initial Access through phishing, Defense Evasion, Execution, and Collection, as well as compromised infrastructure, and provided indicators of compromise (IOCs) for further investigation.
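As an added defender-side example (not code from the original report or from Trend Micro), the following Python script triages the lure format described above: it parses internet shortcut (.url) files, loose or inside a zip archive, and flags a URL= value that begins with the mhtml: handler scheme as well as PDF-lookalike double extensions. All sample files and the .invalid host are constructed for the demonstration.

```python
import configparser
import io
import re
import zipfile

# A .url file is INI text: an [InternetShortcut] section with a URL= key (plus optional icon fields).
MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# "invoice.pdf.url" style double extensions are the PDF-lookalike lure the write-up describes.
LURE_NAME = re.compile(r"\.(pdf|docx?|xlsx?)\.url$", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys (lower-cased), or {} if the file is malformed or lacks the section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    return dict(parser.items("InternetShortcut")) if parser.has_section("InternetShortcut") else {}


def triage(filename: str, text: str) -> list:
    """Findings for one shortcut file; an empty list means nothing matched."""
    findings = []
    if LURE_NAME.search(filename):
        findings.append("document-lookalike filename")
    if MHTML_SCHEME.match(parse_url_file(text).get("url", "")):
        findings.append("URL uses mhtml: handler (launches IE/MSHTML)")
    return findings


def triage_zip(data: bytes) -> dict:
    """Map every .url member of a zip archive (the delivery container used in this campaign) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if name.lower().endswith(".url"):
                report[name] = triage(name, archive.read(name).decode("utf-8", errors="replace"))
    return report


# Constructed samples (the host uses the reserved .invalid TLD; these are not indicators from the report).
BENIGN = "[InternetShortcut]\nURL=https://example.org/docs\nIconIndex=0\n"
LURE = "[InternetShortcut]\nURL=mhtml:http://lure.invalid/invoice.pdf\nIconIndex=1\n"


def build_sample_zip() -> bytes:
    """Constructed archive with one lure shortcut and one harmless text file, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.url", LURE)
        archive.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()
```

Microsoft's July 2024 fix unregisters the MHTML handler from Internet Explorer, so on patched hosts this pattern no longer launches IE, but a matching shortcut in a mail attachment is still a useful phishing indicator.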