Cybercriminals use CVE-2024-38112 to break into vulnerable devices.
The hacker group Void Banshee is seen exploiting a recently identified vulnerability in MSHTML used to distribute the Atlantis malware. This vulnerability, registered as CVE-2024-38112, is used for multi-stage attacks using specially created Internet shortcuts, which lead to the launch of an outdated and insecure Internet Explorer browser.
Trend Micro recorded the activity of Void Banshee in mid-May 2024. The group is known for attacking North America, Europe, and Southeast Asia for information theft and financial gain. The researchers noted that the Atlantis campaign has been particularly active this year, and recently adapted the CVE-2024-38112 vulnerability for its infection chains.
Experts emphasize that the ability of APT groups, such as Void Banshee, to successfully exploit disabled Windows system services, such as Internet Explorer, poses a serious threat to organizations around the world.
Earlier, Check Point reported on a campaign that uses the same vulnerability to spread other malware. Vulnerability CVE-2024-38112 was patched by Microsoft last week as part of Patch Tuesday updates.
CVE-2024-38112 is described by Microsoft as a spoofing vulnerability in MSHTML used in the disabled Internet Explorer browser. However, the Zero Day Initiative (ZDI) claims that it should be classified as a Remote Code Execution (RCE) vulnerability.
The attack chains involve the use of phishing emails with links to ZIP archives containing URL files that exploit CVE-2024-38112 to redirect the victim to a compromised site with a malicious HTML application (HTA).
Opening the HTA file launches a Visual Basic Script that downloads and executes a PowerShell script, which in turn downloads a .NET Trojan. This causes the Atlantis infostealer to be decoded and executed in the memory of the RegAsm.exe process.
Atlantis, based on the open-source NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation, and confidential data from web browsers and other applications, including Telegram, Steam, FileZilla, and various crypto wallets.
The Void Banshee group used specially created URL files with the MHTML protocol handler and the x-usc! directive, which allowed them to run HTA files through the disabled IE process. This method is similar to the CVE-2021-40444 vulnerability, which was also used in zero-day attacks.
Recent research shows that attackers integrate PoC exploits into their arsenals very quickly, sometimes even within 22 minutes of their public release, as was the case with CVE-2024-27198. This highlights that the speed of exploiting identified CVEs often exceeds the speed of creating WAF rules or deploying patches to mitigate attacks.
Disabled or rarely used components can become an unexpected entry point for attackers, putting the entire organization's infrastructure at risk. Regular updates and thorough audits of all elements of the IT environment, including those that are hidden or considered inactive, should now become an integral part of any modern company's cybersecurity strategy.
Source
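The infection chain above starts with an Internet Shortcut (.url) whose target uses the MHTML protocol handler together with the x-usc directive (written `!x-usc:` inside the shortcut target), which is what forces the HTA to open through the disabled Internet Explorer engine. A defender can hunt for exactly that pattern in shortcuts extracted from mail attachments or endpoint file events. The scanner below is an added example, not Trend Micro's or the forum's code: it parses the INI-style .url format, pulls the `URL=` value from the `[InternetShortcut]` section, and reports which of the two indicators it finds. All sample files are constructed inline and point at the reserved `example.invalid` domain.

```python
"""Flag Internet Shortcut (.url) files whose target uses the MHTML protocol
handler or the x-usc directive, the combination described for CVE-2024-38112.
Added example; sample inputs are constructed, not real campaign artifacts."""
import re
from dataclasses import dataclass, field

# Indicator 1: target begins with the mhtml: handler (case-insensitive).
MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# Indicator 2: target contains the x-usc directive.
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)
# A "URL=value" line; .url files are INI-style, so keys may vary in case.
URL_LINE_RE = re.compile(r"^\s*URL\s*=\s*(.*?)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    target: str
    indicators: list = field(default_factory=list)


def parse_url_target(text: str):
    """Return the URL= value from the [InternetShortcut] section, or None
    if the text is not an Internet Shortcut at all."""
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        if section == "internetshortcut":
            m = URL_LINE_RE.match(line)
            if m:
                return m.group(1)
    return None


def indicators_for(target: str):
    """List the suspicious indicators present in a shortcut target."""
    hits = []
    if MHTML_RE.match(target):
        hits.append("mhtml-handler")
    if XUSC_RE.search(target):
        hits.append("x-usc-directive")
    return hits


def scan(files: dict):
    """files maps a file name to its text content (e.g. members of a ZIP
    attachment). Returns a Finding for every shortcut with at least one
    indicator; non-shortcut files are skipped."""
    findings = []
    for name, text in files.items():
        target = parse_url_target(text)
        if target is None:
            continue
        hits = indicators_for(target)
        if hits:
            findings.append(Finding(name, target, hits))
    return findings


# Constructed samples: one ordinary shortcut, one using both indicators,
# one using only the handler in odd casing, and one file that is not a shortcut.
SAMPLES = {
    "readme.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "invoice.url": (
        "[InternetShortcut]\n"
        "URL=mhtml:http://example.invalid/a!x-usc:http://example.invalid/a\n"
    ),
    "notes.url": "[internetshortcut]\nurl=MHTML:http://example.invalid/b\n",
    "plain.txt": "just text, no shortcut section\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f.name}: {', '.join(f.indicators)} -> {f.target}")
```

In practice the `files` mapping would be filled from whatever the mail gateway or EDR hands over (members of a ZIP, files written under a user's Downloads folder); either indicator on its own is worth an alert, since legitimate shortcuts delivered by e-mail almost never use the mhtml handler.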