OceanLotus (APT32) Uses Social Security Themes as Lure in APT Attacks

July 11, 2024

How to set up an IoC local cache with Maltiverse and Redis

September 24, 2024

Published by user on July 19, 2024

Void Banshee Exploits Zombie Internet Explorer in Zero-Day Attacks

In a concerning development, security researchers have uncovered a zero-day vulnerability (CVE-2024-38112) that allows attackers to exploit the remnants of Internet Explorer on Windows systems. The advanced persistent threat (APT) group known as Void Banshee has been actively exploiting this vulnerability to deliver the Atlantida stealer malware.

The Attack Chain

Void Banshee’s attack begins with spearphishing links, often disguised as PDF books, distributed through various channels including online libraries, cloud sharing sites, and Discord servers. The initial payload is a malicious internet shortcut (.URL) file that exploits CVE-2024-38112.This exploit leverages the MHTML protocol handler and x-usc directives to access and execute files through the supposedly disabled Internet Explorer using MSHTML. This technique allows the attackers to bypass security measures and run malicious code on the victim’s system.The attack progresses through several stages:

A malicious HTML file downloader
An HTA file and VBS downloader
A PowerShell trojan downloader
A .NET trojan loader
A Donut loader for in-memory execution
The final payload: Atlantida stealer

Atlantida Stealer

The Atlantida stealer is a sophisticated piece of malware designed to pilfer a wide range of sensitive information from infected systems. It targets data from various applications, including:

Telegram
Steam
FileZilla
Cryptocurrency wallets
Web browsers (Chrome, Firefox, Edge)

The malware collects system information, takes screenshots, and even attempts to determine the victim’s geolocation. All stolen data is compressed into a ZIP file and exfiltrated to the attacker’s command and control (C&C) server.

Implications

This zero-day attack demonstrates how unsupported Windows components can become overlooked attack surfaces. Even though Internet Explorer has been officially disabled in modern Windows versions, its remnants can still be exploited by skilled threat actors.

Indicators of Compromise (IoCs)

To help organizations detect and mitigate this threat, here are some key IoCs associated with the Void Banshee campaign:Malicious URL File:

SHA256: c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae
File name: Books_A0UJKO.pdf.url

HTML Downloader:

SHA256: d8824f643127c1d8f73028be01363fd77b2ecb050ebe8c17793633b9879d20eb
File name: test1.html

HTA File:

SHA256: 87480b151e465b73151220533c965f3a77046138f079ca3ceb961a7d5fee9a33
File name: Books_A0UJKO.pdf<26 spaces>.hta

PowerShell Trojan Downloader:

SHA256: c85eedd51dced48b3764c2d5bdb8febefe4210a2d9611e0fb14ffc937b80e302
File name: become.txt

.NET Trojan Loader:

SHA256: 13907caae48ea741942bce60fa32087328475bd14f5a81a6d04d82286bd28b4d
File names: LoadToBadXml.exe, tedfd.te, Vnn3qRKOxH.exe

Donut Loader Shellcode:

SHA256: 119b0994bcf9c9494ce44f896b7ff4a489b62f31706be2cb6e4a9338b63cdfdb

Atlantida Stealer:

SHA256: 6f1f3415c3e52dcdbb012f412aef7b9744786b2d4a1b850f1f4561048716c750
File name: AtlantidaStealer.exe
Compilation time: 2024-01-25 15:52:03

Command & Control:

IPv4: 185.172.128.95

Payload Delivery URLs:

hxxps[://]fullgasesspa[.]cl/tet/download[.]php
hxxp[://]cbmelipilla[.]cl/te/test1[.]html
hxxps[://]cbmelipilla[.]cl/te/hhhh2[.]php
hxxps[://]hostalaskapatagonia[.]com/tt/tedfd[.]te
hxxps[://]hostalaskapatagonia[.]com/tt/become[.]txt

Organizations should update their systems with the latest security patches, especially the July 2024 Patch Tuesday release which addresses this vulnerability. Additionally, implementing robust email filtering, user awareness training, and endpoint protection solutions can help mitigate the risk of falling victim to such sophisticated attacks.As threat actors continue to evolve their tactics, it’s crucial for both individuals and organizations to remain vigilant and maintain up-to-date security measures to protect against emerging threats like the Void Banshee campaign.

For more detailed information, refer to the full investigations by Trend Micro and Check Point Research.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

OceanLotus (APT32) Uses Social Security Themes as Lure in APT Attacks

How to set up an IoC local cache with Maltiverse and Redis

Void Banshee Exploits Zombie Internet Explorer in Zero-Day Attacks

The Attack Chain

Atlantida Stealer

Implications

Indicators of Compromise (IoCs)

user

Related posts

How to set up an IoC local cache with Maltiverse and Redis

OceanLotus (APT32) Uses Social Security Themes as Lure in APT Attacks

Maltiverse is now member of the Cyber Threat Alliance