The Void Banshee APT group exploited CVE-2024-38112, a flaw in the MHTML protocol handler of the Windows MSHTML platform (classified by Microsoft as a spoofing bug, but usable as a remote code execution primitive), to run malicious code through Internet Shortcut (.URL) files and the disabled Internet Explorer engine, ultimately delivering the Atlantida info-stealer.
The campaign, which targeted victims in North America, Europe, and Southeast Asia, uses .URL files whose URL= field carries an mhtml: address with an !x-usc: directive; this sidesteps the restriction that keeps Internet Explorer disabled, so the threat actor can open and run files directly inside the disabled browser instance.
Although Internet Explorer is disabled on modern Windows systems, its components remain on disk, and attackers exploited CVE-2024-38112 in MSHTML to execute malicious HTA files via specially crafted .URL files.
The technique relies on the MHTML protocol handler and the !x-usc: directive to bypass security measures and run code inside the disabled IE process, mirroring earlier attacks such as CVE-2021-40444. Microsoft addressed the issue in the July 2024 Patch Tuesday update by unregistering the MHTML protocol handler from Internet Explorer.
Void Banshee delivered spear-phishing links disguised as PDF files, primarily targeting professionals and students, and abused online platforms that host educational materials as lure distribution points.
The chain begins with a malicious Internet Shortcut (.URL) file posing as a PDF. Opening it exploits CVE-2024-38112 by abusing the MHTML protocol handler and the !x-usc: directive, so the disabled Internet Explorer, rather than the default browser, is sent to a compromised website hosting a malicious HTA file.
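As an added example (not part of the original report and not vendor tooling), the following Python parses the contents of an Internet Shortcut (.URL) file and flags the mhtml:...!x-usc: construction described above. The sample file contents, host name and file names are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed sample contents of a lure .URL file (placeholders, not campaign IOCs).
# The outer mhtml: URL points at a "PDF"; the !x-usc: part is what MSHTML actually fetches.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=mhtml:http://files.example.invalid/Books_A0UJKO.pdf!x-usc:http://files.example.invalid/Books_A0UJKO.pdf
"""

# A benign shortcut for contrast, also constructed.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://docs.example.invalid/handbook.html
"""

# mhtml:<outer>!x-usc:<inner>; the inner part is optional in the format.
MHTML_RE = re.compile(r"^mhtml:(?P<outer>.*?)(?:!x-usc:(?P<inner>.*))?$",
                      re.IGNORECASE | re.DOTALL)

def parse_internet_shortcut(text: str) -> dict:
    """Key=value parser for the INI-style [InternetShortcut] section (keys lower-cased)."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def analyze_internet_shortcut(text: str) -> dict:
    """Return the URL= target(s) plus findings; mhtml/x_usc flags drive the verdict."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    result = {"url": url, "mhtml": False, "x_usc": False, "targets": [], "findings": []}
    m = MHTML_RE.match(url)
    if not m:
        return result
    result["mhtml"] = True
    result["findings"].append(
        "URL= uses the mhtml: scheme, which is handed to MSHTML (the Internet Explorer engine) "
        "instead of the default browser")
    result["targets"].append(m.group("outer"))
    if m.group("inner") is not None:
        result["x_usc"] = True
        result["targets"].append(m.group("inner"))
        result["findings"].append(
            "!x-usc: directive present: the CVE-2021-40444 construction reused in CVE-2024-38112")
    for target in result["targets"]:
        parts = urlsplit(target)
        if parts.scheme.lower() in ("http", "https"):
            result["findings"].append(f"remote content fetched by MSHTML: {target}")
        if parts.path.lower().endswith(".hta"):
            result["findings"].append(f"target is an HTA, which IE runs through mshta.exe: {target}")
    return result

if __name__ == "__main__":
    for sample in (SAMPLE_URL_FILE, BENIGN_URL_FILE):
        r = analyze_internet_shortcut(sample)
        print("SUSPICIOUS" if r["mhtml"] else "ok", r["url"])
        for f in r["findings"]:
            print("  -", f)
```

Any mhtml: scheme in a shortcut that arrived by mail or download is worth a look on its own; the !x-usc: directive on top of it is the specific pattern from this campaign and from CVE-2021-40444.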
Internet Explorer is then used to download the malicious HTA file disguised as a PDF. The HTML page on the compromised domain shrinks the IE window so the user sees little of the browser chrome or the download prompt.
The HTA's true extension is hidden from the user by padding the filename. Because Internet Explorer, unlike modern browsers, will open HTA files (passing them to mshta.exe once the user clicks Open), the disguised file executes instead of being treated as an inert download.
The file “Books_A0UJKO.pdf<26 spaces>.hta” (the 26 spaces push the .hta extension out of view) is an HTA, not a PDF: it runs embedded VBScript that decrypts XOR-encrypted content and hands it to PowerShell for execution.
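An added example (mine, not from the original report): a small checker for the padded-filename trick just described, plus a helper that shows how a fixed-width download prompt ends up displaying such a name. The file names are constructed placeholders, and the list of executable extensions is an assumption covering common script and executable types.

```python
import re

# Extensions Windows executes or hands to a script host when the file is "opened" (assumed list).
EXECUTABLE_EXTS = {".hta", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                   ".cmd", ".bat", ".ps1", ".lnk", ".url", ".msi", ".cpl"}

# Filler a lure can wedge between the decoy and the real extension: space, tab and the
# usual invisible Unicode characters (NBSP, en/em spaces, zero-width space, ideographic space).
FILLER_CLASS = r"[ \t\u00a0\u2000-\u200b\u202f\u3000]"

# <anything>.<decoy ext><filler run>.<true ext>
PADDED_NAME_RE = re.compile(
    r"^(?P<shown>.*?\.(?P<decoy_ext>[A-Za-z0-9]{1,5}))"
    r"(?P<filler>" + FILLER_CLASS + r"+)"
    r"(?P<true_ext>\.[A-Za-z0-9]{1,5})$"
)

def _last_ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""

def analyze_filename(name: str) -> dict:
    """'padded' means a decoy extension is followed by filler and a second, real extension;
    'suspicious' additionally means the real extension is one Windows will execute."""
    m = PADDED_NAME_RE.match(name)
    if not m:
        return {"name": name, "padded": False, "suspicious": False,
                "shown_as": name, "true_ext": _last_ext(name), "filler_len": 0}
    true_ext = m.group("true_ext").lower()
    return {"name": name, "padded": True, "suspicious": true_ext in EXECUTABLE_EXTS,
            "shown_as": m.group("shown"), "true_ext": true_ext,
            "filler_len": len(m.group("filler"))}

def as_displayed(name: str, width: int) -> str:
    """Approximate a fixed-width UI field: the name is cut at `width` characters and the
    trailing filler is visually empty, so only the decoy extension is seen."""
    return name[:width].rstrip(" \t\u00a0\u2000\u2001\u2002\u2003\u200b\u202f\u3000")

if __name__ == "__main__":
    lure = "Books_A0UJKO.pdf" + " " * 26 + ".hta"   # constructed, modelled on the name above
    r = analyze_filename(lure)
    print(r["suspicious"], "shown as", repr(as_displayed(lure, 30)), "really", r["true_ext"])
```

The same check belongs wherever filenames are logged or gated: mail gateway attachment names, proxy download logs, and Sysmon FileCreate events, where a run of spaces before the final extension is rare enough in legitimate files to alert on directly.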
The PowerShell script it downloads (“become.txt”) hides its own console window, retrieves a further script from a compromised server, loads that download as a .NET assembly and invokes its code, presumably to carry the infection forward.
The .NET trojan loader “LoadToBadXml.exe” decrypts an XOR-encrypted payload with a fixed key and injects it into the legitimate process RegAsm.exe.
To do so it runs RegAsm.exe in a suspended state, allocates memory inside it, writes the decrypted payload there and creates a thread to execute it; Trend Micro's analysis found that LoadToBadXml.exe is a modified version of an open-source shellcode injector.
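Both the HTA's VBScript stage and LoadToBadXml.exe decrypt their next stage with XOR, so here is the analyst-side counterpart as an added example (not the threat actor's code and not Trend Micro's tooling): recovering a repeating-key XOR key from a captured blob by known plaintext, using the DOS stub string and header layout that every PE payload carries, then decrypting and classifying it. The blob, the key s3cr3t and the e_lfanew value are constructed for the demo; the real loader's key is not given on this page.

```python
import struct

# Known plaintext present in practically every PE, a few dozen bytes into the file.
DOS_STUB = b"This program cannot be run in DOS mode."

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme both stages use; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(ct: bytes, max_key_len: int = 16):
    """Known-plaintext attack on a repeating-key XOR'd PE: slide DOS_STUB over the ciphertext;
    each (offset, key length) pair yields one candidate key, accepted only if the whole
    decryption has a valid PE shape. Returns (key, stub_offset) or None."""
    for key_len in range(1, min(max_key_len, len(DOS_STUB)) + 1):
        for off in range(len(ct) - len(DOS_STUB) + 1):
            key = bytearray(key_len)
            for j in range(key_len):
                # ciphertext byte off+j was XORed with key[(off+j) % key_len]
                key[(off + j) % key_len] = ct[off + j] ^ DOS_STUB[j]
            # Cheap filter before a full decrypt: the first two bytes must come out as 'MZ'.
            if ct[0] ^ key[0] != 0x4D or ct[1] ^ key[1 % key_len] != 0x5A:
                continue
            if looks_like_pe(xor_bytes(ct, bytes(key))):
                return bytes(key), off
    return None

def decrypt_payload(ct: bytes) -> dict:
    """What an analyst does with the blob a loader carries: recover the key, decrypt, classify."""
    found = recover_xor_key(ct)
    if found is None:
        return {"kind": "unknown (not a repeating-key XOR'd PE, or key longer than searched)",
                "key": None, "stub_offset": None, "plaintext": None}
    key, off = found
    return {"kind": "PE", "key": key, "stub_offset": off, "plaintext": xor_bytes(ct, key)}

def build_sample_pe() -> bytes:
    """Constructed PE-shaped blob for the demo (not a runnable executable): 64-byte DOS header
    with e_lfanew=0x80, a DOS stub with the usual text, zero padding, then the PE signature."""
    e_lfanew = 0x80
    blob = bytearray(b"MZ" + b"\x90" * 58 + struct.pack("<I", e_lfanew))      # 64 bytes
    blob += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"        # stub code
    blob += DOS_STUB + b"\r\n$"
    blob += b"\x00" * (e_lfanew - len(blob))
    blob += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 40   # signature, IMAGE_FILE_MACHINE_I386, filler
    return bytes(blob)

if __name__ == "__main__":
    sample = build_sample_pe()
    encrypted = xor_bytes(sample, b"s3cr3t")   # stand-in for the loader's embedded blob; demo key
    result = decrypt_payload(encrypted)
    print(result["kind"], result["key"], "stub at", result["stub_offset"],
          "roundtrip ok:", result["plaintext"] == sample)
```

The same search works on a blob carved out of the loader's resources or dumped from RegAsm.exe after injection. If it fails, the payload is probably not a PE (Donut emits position-independent shellcode, so the PE check will not fire on it) or the key is longer than max_key_len; raising the limit or switching the known plaintext to another expected string are the usual next steps.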
The injected payload is most likely Donut Loader, another open-source tool that can run various file types in memory, and it is used here to load the final-stage malware.
Atlantida is an info-stealer that targets sensitive data from various applications, including messaging apps, gaming platforms, file transfer clients, cryptocurrency wallets, and web browsers.
It captures screenshots, system information, and geolocation data, and steals files and credentials. The malware is built on open-source stealer code and transmits a compressed archive of the collected data to a C&C server over TCP port 6666.