
Void Banshee group using patched zero-day to execute infostealer


Advanced persistent threat (APT) group Void Banshee was observed using a recently patched zero-day to access and execute files through the disabled Internet Explorer (IE) browser by way of MHTML, a browser engine that renders web pages and is frequently associated with IE.

In a July 15 blog post, Trend Micro researchers reported that the zero-day was being used to infect victim machines with the Atlantida infostealer, which pilfers system information and sensitive data such as passwords and cookies from various applications.

The researchers said Void Banshee lures victims with zip archives containing malicious files disguised as book PDFs. These archives have been disseminated on cloud-sharing websites, Discord servers, and online libraries in North America, Europe, and Southeast Asia.

Callie Guenther, senior manager of cyber threat research, explained that CVE-2024-38112 allows for a spoofing attack, where an attacker can craft a malicious MHTML file that, when opened by the victim, could execute arbitrary code.

Guenther, an SC Media columnist, said the attack begins with a malicious MHTML file, often disguised as a legitimate internet shortcut file. By opening this file, the user inadvertently triggers the vulnerability, allowing the attacker to execute malicious scripts. Although Microsoft addressed this vulnerability in its July 2024 Patch Tuesday release and CISA added it to the Known Exploited Vulnerabilities catalog, Guenther said the vulnerability remains significant for the following three reasons:

  • Delayed or missed updates: Many users and organizations may not immediately apply patches, leaving systems vulnerable.
  • Legacy systems: Unsupported and outdated systems, such as old versions of Internet Explorer, are still in use and are prime targets for such vulnerabilities.
  • Evolving attack techniques: APT groups like Void Banshee continually adapt their tactics. Even after a patch gets released, they can find new ways to exploit the vulnerability before widespread adoption of the update.

“The discovery and exploitation of CVE-2024-38112 by Void Banshee underlines the critical importance of timely security updates and patch management,” said Guenther. “Even with a patch available, the risk persists due to the slow uptake of updates and the continued use of legacy systems.”
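A defender-side triage script for the lure described above, added here as an example (it is not Trend Micro's or SC Media's code): it walks a zip archive, picks out Internet Shortcut (.url) members, and flags those whose URL field starts with the mhtml: handler or whose name mimics a document (such as a .pdf.url double extension). That the shortcut's URL field references mhtml: is my reading of the article, not a detail it states verbatim; the archive below is constructed inline and is not a real sample.

```python
"""Flag Internet Shortcut (.url) members of a zip archive that point at the
mhtml: handler or masquerade as documents. Heuristic triage only; the
sample archive is constructed for demonstration, not a real lure."""
import io
import re
import zipfile
from typing import Dict, List

# Document extensions a lure might mimic (assumed list, extend as needed)
DOC_EXTS = (".pdf", ".doc", ".docx", ".epub")
# Matches the "URL=..." line of an [InternetShortcut] file
URL_LINE = re.compile(r"^\s*URL\s*=\s*(.*?)\s*$", re.IGNORECASE | re.MULTILINE)

def inspect_shortcut(name: str, data: bytes) -> Dict[str, object]:
    """Return the shortcut's target URL and a list of heuristic findings."""
    text = data.decode("utf-8", errors="replace")
    match = URL_LINE.search(text)
    url = match.group(1) if match else ""
    findings: List[str] = []
    if url.lower().startswith("mhtml:"):
        findings.append("mhtml_handler")          # target uses the MHTML handler
    if name.lower()[:-4].endswith(DOC_EXTS):       # strip ".url", check inner ext
        findings.append("document_double_extension")
    return {"member": name, "url": url, "findings": findings}

def triage_zip(blob: bytes) -> List[Dict[str, object]]:
    """Inspect every .url member of an in-memory zip archive."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            results.append(inspect_shortcut(info.filename, zf.read(info)))
    return results

def build_sample_zip() -> bytes:
    """Constructed archive: one suspicious shortcut, one benign one, one image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Books/Classic_Novel.pdf.url",
                    "[InternetShortcut]\r\nURL=mhtml:http://example.invalid/page\r\n")
        zf.writestr("Books/readme.url",
                    "[InternetShortcut]\r\nURL=https://example.invalid/\r\n")
        zf.writestr("Books/cover.jpg", b"\xff\xd8\xff")
    return buf.getvalue()

if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        print(entry)
```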
