July 16, 2024 at 09:41AM
A Trend Micro blog post details the exploitation of a Microsoft zero-day (CVE-2024-38112) by an APT group tracked as Void Banshee, which spread the Atlantida Stealer in a spear-phishing campaign against victims in North America, Europe, and Southeast Asia. The attackers abused the MSHTML engine left behind by the retired Internet Explorer browser, delivering the malware through Internet Shortcut files disguised as PDF copies of books. The stealer harvests sensitive data and system information, and the campaign shows that IE's retirement did not remove its attack surface. Trend Micro recommends applying the patch Microsoft released for the flaw and adopting proactive security measures to cut off ongoing exploitation.
Key takeaways from the post:
1. An APT group known as Void Banshee exploited CVE-2024-38112, a Microsoft zero-day that was unpatched at the time, in a spear-phishing campaign to spread the Atlantida Stealer, targeting victims in North America, Europe, and Southeast Asia.
2. The vulnerability lies in the MSHTML (Trident) engine of the now-retired Internet Explorer (IE). Because MSHTML still ships with Windows, the flaw can be triggered even on systems where IE is disabled or is not the default browser.
3. The campaign lured victims with zip archives containing malicious files disguised as book PDFs, distributed via cloud-sharing websites, Discord servers, and online libraries.
4. Void Banshee targeted highly skilled professionals and students by tricking them into opening URL shortcut files designed to look like PDF copies of reference materials.
5. Opening one of these shortcut files hands its embedded URL to IE, which loads attacker-controlled content that ultimately delivers the Atlantida stealer; the stealer then collects sensitive information from a range of applications on the victim's system.
6. The attacks demonstrate that retired or disabled components such as IE can still present a significant attack surface as long as their code remains on the system.
7. Applying the patch for the IE flaw is the immediate fix; beyond that, organizations need a proactive security posture backed by current threat intelligence so that abuse of legacy components is caught early.
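The check a defender would want after these takeaways, added here as an example and not code from the Trend Micro post or from the campaign: a scanner that opens a zip archive, finds Internet Shortcut (.url) members, and flags the lure pattern of a document-looking name such as "Book.pdf.url" combined with a URL that routes the link to IE's MSHTML engine. The post summarized above does not show the contents of the shortcuts; the `mhtml:` scheme and the `!x-usc:` URL shape used in the constructed sample reflect the public CVE-2024-38112 analyses, and the hostnames are placeholders.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Windows Internet Shortcut (.url) files are INI-style text: a
# [InternetShortcut] section whose URL= value Windows passes to the
# protocol handler registered for that URL's scheme.
DOCUMENT_EXTS = (".pdf", ".epub", ".doc", ".docx")  # "book"-style lure names
MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
REMOTE_RE = re.compile(r"https?://([^\s/!]+)", re.IGNORECASE)


@dataclass
class Finding:
    member: str                      # path inside the archive
    url: str = ""                    # the URL= value, if any
    hosts: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def parse_internet_shortcut(data: bytes) -> dict:
    """Return the key=value fields of a .url file, keys lower-cased."""
    # Shortcuts are usually ANSI/UTF-8, but a UTF-16 BOM does occur.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def inspect_shortcut(member: str, data: bytes) -> Finding:
    """Score one .url member against the lure characteristics."""
    finding = Finding(member=member)
    name = member.lower().rsplit("/", 1)[-1]
    stem = name[:-len(".url")]
    # 1. "Book.pdf.url": Explorer hides the .url extension, so the victim
    #    sees a PDF. A document extension right before .url is a lure tell.
    if stem.endswith(DOCUMENT_EXTS):
        finding.indicators.append("document-style name on an Internet Shortcut")
    fields = parse_internet_shortcut(data)
    finding.url = fields.get("url", "")
    finding.hosts = list(dict.fromkeys(h.lower() for h in REMOTE_RE.findall(finding.url)))
    # 2. mhtml: is handled by IE's MSHTML engine regardless of the default
    #    browser; a remote URL inside it is the CVE-2024-38112 trigger shape
    #    (per public analyses, an assumption as far as this page goes).
    if MHTML_RE.match(finding.url):
        finding.indicators.append("mhtml: scheme (IE/MSHTML protocol handler)")
        if finding.hosts:
            finding.indicators.append("remote content pulled through MSHTML")
    return finding


def scan_zip(archive: bytes) -> list:
    """Inspect every Internet Shortcut inside a zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            # Shortcuts are tiny; cap the read so a crafted member cannot
            # balloon memory when the scanner runs on untrusted archives.
            with zf.open(info) as fh:
                data = fh.read(64 * 1024)
            findings.append(inspect_shortcut(info.filename, data))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample data, not a real capture: one lure-style shortcut,
    one ordinary shortcut and one genuine PDF, packed like the book archives."""
    lure = (b"[InternetShortcut]\r\n"
            b"URL=mhtml:http://lure.example/Reference_Book.pdf"
            b"!x-usc:http://lure.example/Reference_Book.pdf\r\n")
    benign = b"[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Reference Book (2nd ed).pdf.url", lure)
        zf.writestr("notes.url", benign)
        zf.writestr("real.pdf", b"%PDF-1.4\n%constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.member} -> {f.url or '(no URL)'} {f.indicators}")
```

The name check alone is worth keeping even on hosts where the MSHTML patch is installed: a shortcut pretending to be a document is a lure regardless of which handler it ends up invoking, and the `.url` extension is one Explorer hides by default.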
These takeaways highlight the urgency of addressing the CVE-2024-38112 vulnerability and the need for organizations to be vigilant in monitoring and securing their networks against potential threats.