July 16, 2024 at 05:15AM
The Void Banshee APT group was discovered exploiting a zero-day vulnerability in the Microsoft MHTML browser engine to distribute the Atlantida information stealer. The vulnerability was exploited as part of a multi-stage attack chain delivered through specially crafted internet shortcut (URL) files. The group targets organizations globally and has a history of information theft and financial gain. Additionally, threat actors are quickly incorporating PoC exploits into their arsenals.
From the meeting notes:
1. A cyber threat group called Void Banshee has been observed exploiting a recently disclosed security vulnerability in the Microsoft MHTML browser engine to deliver an information stealer known as Atlantida.
2. Cybersecurity firm Trend Micro observed this activity in mid-May 2024; the vulnerability (CVE-2024-38112) was used as part of a multi-stage attack chain built around specially crafted internet shortcut (URL) files.
3. Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains.
4. The exploit involves the use of spear-phishing emails embedding links to ZIP archive files hosted on file-sharing sites, which contain URL files that exploit CVE-2024-38112 to redirect the victim to a compromised site hosting a malicious HTML Application (HTA).
5. Atlantida, modeled on open-source stealers like NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation, and sensitive data from web browsers and other applications.
6. Not much is known about Void Banshee other than its history of targeting North American, European, and Southeast Asian regions for information theft and financial gain.
7. Threat actors are swiftly incorporating proof-of-concept (PoC) exploits into their arsenal as observed in the case of CVE-2024-27198, sometimes as quickly as 22 minutes after their public release.
8. This follows the discovery of a new campaign that leverages Facebook ads promoting fake Windows themes to distribute another stealer known as SYS01stealer targeting Facebook business accounts.
These are the key takeaways from the meeting notes.
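The notes describe URL files that abuse the MHTML browser engine (item 4). A defender's first triage check for such shortcuts, as an added example that is not part of the article or of Trend Micro's research, is to parse the .url file and flag targets using the mhtml: scheme. It assumes the INI-style Internet Shortcut format ([InternetShortcut] section, URL= key) and treats an mhtml: target wrapping a remote http(s) resource as suspicious; the sample files below are constructed.

```python
"""Heuristic triage of Windows Internet Shortcut (.url) files.

Assumption (not from the article): a benign desktop shortcut points at a
plain http(s) URL, so a shortcut whose target uses the mhtml: scheme and
embeds a remote http(s) resource deserves analyst attention.
"""
import re
from typing import Optional

MHTML_RE = re.compile(r"^mhtml:", re.IGNORECASE)
# Embedded remote resource; stops at whitespace or '!', which mhtml: URLs
# use as a delimiter between parts.
EMBEDDED_HTTP_RE = re.compile(r"https?://[^\s!]+", re.IGNORECASE)


def extract_url_target(text: str) -> Optional[str]:
    """Return the URL= value under [InternetShortcut], or None if absent."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively, as Windows does.
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def triage_url_file(text: str) -> dict:
    """Classify a .url file; 'remote' is the embedded http(s) URL to block/hunt."""
    target = extract_url_target(text)
    if target is None:
        return {"suspicious": False, "reason": "no URL= target", "remote": None}
    if not MHTML_RE.match(target):
        return {"suspicious": False, "reason": "plain scheme", "remote": None}
    match = EMBEDDED_HTTP_RE.search(target)
    return {
        "suspicious": True,
        "reason": "mhtml: scheme in shortcut target",
        "remote": match.group(0) if match else None,
    }


# Constructed samples (not real indicators); .invalid is a reserved TLD.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.com/\nIconIndex=0\n"
SUSPECT_URL_FILE = "[InternetShortcut]\nURL=MHTML:http://files.example.invalid/page.html\n"

if __name__ == "__main__":
    for sample in (BENIGN_URL_FILE, SUSPECT_URL_FILE):
        print(triage_url_file(sample))
```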