
APT exploits Windows zero-day to launch zombie IE attack

An APT group has been exploiting a Windows vulnerability patched last week to trick users into downloading malicious files by unwittingly opening URLs in the retired Internet Explorer browser. The attack chain deploys information-stealing malware and has been in use since May, when the flaw was still unknown to Microsoft.

Researchers from Trend Micro, who found the exploit in the wild and reported it to Microsoft, track the APT group behind it as Void Banshee. According to Trend Micro, Void Banshee’s main goals are information theft and financial gain, targeting entities throughout North America, Europe, and Southeast Asia.

“In mid-May 2024, we tracked this updated Void Banshee campaign using internal and external telemetry,” the researchers wrote in their report. “The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol which was able to access Windows system-disabled Internet Explorer.”

Microsoft tracks the vulnerability as CVE-2024-38112 and describes it as an “MSHTML platform spoofing vulnerability” because the attackers leverage the MHTML protocol handler to open URLs in Internet Explorer without the user’s knowledge.

Internet shortcuts masquerading as PDF files

The attack chain begins with ZIP files hosted on cloud file sharing servers, online libraries, Discord, and compromised websites. The files claim to be copies of popular technical books or reference materials in different fields of study, suggesting the targets are skilled professionals and students.

The ZIP files contain Windows internet shortcut (.URL) files that use a trick to appear with a PDF icon when viewed in Windows Explorer. These are plain-text shortcut files whose URL= declaration starts with mhtml:[URL]!x-usc:[URL]. This invokes the MHTML protocol handler in Windows when the shortcut is opened, which results in the specified URL being opened in Internet Explorer instead of Microsoft Edge or the user’s default browser.

“Internet Explorer (IE) has officially ended support on June 15, 2022,” the researchers explain. “Additionally, IE has been officially disabled through later versions of Windows 10, including all versions of Windows 11. Disabled, however, does not mean IE was removed from the system. The remnants of IE exist on the modern Windows system, though it is not accessible to the average user.”

The IE components that still exist in Windows continue to receive security updates, but users can’t easily open the browser’s user interface. For browsing tasks that require IE compatibility, Microsoft offers IE mode in Edge, which mimics IE features but runs inside Microsoft Edge’s modern security sandbox.

The same technique of using mhtml:[URL]!x-usc:[URL] links to invoke the MHTML protocol handler was used in 2021 to exploit a different vulnerability, tracked as CVE-2021-40444. In that case the trick was embedded in Word documents; this is the first time it has been seen in Windows shortcut files.

Once the shortcut file is opened, the zombie IE browser loads the specified URL and a very small browser window appears on the screen. The URL redirects the browser to an HTA (HTML Application) file. While Edge would ask the user whether they want to save the file, the default action IE offers is to open it.

Furthermore, the attackers use an obfuscation trick by naming the file something like book.pdf[many space characters].hta. This causes the user to see only book.pdf in the open-file dialog, with the real .hta extension pushed out of view by the run of space characters.
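The two lure-level artifacts described above, the mhtml:…!x-usc: URL declaration inside the .URL file and the space-padded HTA name, are both easy to check for in a ZIP triage script. The following is an added example written for this article, not code from Trend Micro’s report: it parses a constructed internet shortcut (placeholder host example.invalid, not the campaign’s infrastructure), flags the MHTML handler chain and extracts the inner URL, and separately flags file names whose visible document extension is followed by padding and a second, real extension.

```python
import re
from configparser import ConfigParser

# Constructed sample of a Windows internet shortcut in the shape the article
# describes. The host is a placeholder, not the campaign's infrastructure.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/books/index.html!x-usc:http://example.invalid/books/index.html
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=1
"""

# mhtml:<outer>!x-usc:<inner> is the handler chain that lands the URL in IE.
MHTML_XUSC = re.compile(r"^mhtml:(?P<outer>[^!]+)!x-usc:(?P<inner>.+)$", re.IGNORECASE)

# A visible document name, at least three spaces of padding, then the real extension.
PADDED_EXT = re.compile(
    r"^(?P<shown>.+?\.(?:pdf|docx?|xlsx?|pptx?|txt))\s{3,}\.(?P<real>[a-z0-9]{1,5})$",
    re.IGNORECASE,
)

def parse_internet_shortcut(text):
    """Return the URL= value from an [InternetShortcut] file, or None."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep key case so "URL" is looked up as written
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def classify_url(url):
    """Flag URL values that route through the MHTML handler (and on to IE)."""
    url = url.strip()
    m = MHTML_XUSC.match(url)
    if m:
        return {"suspicious": True, "reason": "mhtml handler with x-usc redirect",
                "target": m.group("inner")}
    if url.lower().startswith("mhtml:"):
        return {"suspicious": True, "reason": "mhtml handler", "target": url[len("mhtml:"):]}
    return {"suspicious": False, "reason": "", "target": url}

def padded_double_extension(name):
    """Detect names like 'book.pdf<many spaces>.hta' and report what is hidden."""
    m = PADDED_EXT.match(name)
    if not m:
        return None
    shown, real = m.group("shown"), m.group("real").lower()
    # Padding = total length minus the visible name, the real extension and its dot.
    return {"shown_as": shown, "real_ext": real,
            "padding": len(name) - len(shown) - len(real) - 1}

def scan_lure(url_file_text, downloaded_name):
    """Combine both checks for one lure: the .URL contents and the served file name."""
    verdict = {"url": None, "padded_name": padded_double_extension(downloaded_name)}
    url = parse_internet_shortcut(url_file_text)
    if url is not None:
        verdict["url"] = classify_url(url)
    return verdict

if __name__ == "__main__":
    print(scan_lure(SAMPLE_URL_FILE, "book.pdf" + " " * 200 + ".hta"))
```

A plain mhtml: prefix without the x-usc: part is still reported, since it is the handler itself, not the redirect, that reaches the disabled IE engine; the padding check deliberately ignores a single stray space so ordinary file names are not flagged.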

Multiple malware loaders leading to Atlantida stealer

If the user agrees to open the file, the HTA executes the Visual Basic Script (VBScript) stored inside it, which decrypts and runs PowerShell commands. Those commands download a malware downloader written in PowerShell, which in turn contacts a different server and downloads and executes .NET assembly data.
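The execution chain in that paragraph (IE opens the HTA, mshta.exe runs the VBScript, which spawns PowerShell) leaves a distinctive process lineage that a detection engineer can hunt for without any campaign-specific indicators. The following is an added example, not part of the article or Trend Micro’s report: it walks constructed process-creation events in a Sysmon-like shape (the field names, PIDs, paths and the encoded command are all made up for the example) and reports mshta.exe or powershell.exe processes whose ancestry matches the pattern, while leaving a hand-launched HTA alone.

```python
import ntpath
import re

# Constructed process-creation events in a Sysmon-like shape (pid, ppid,
# image path, command line). They imitate the chain the article describes and
# are not real telemetry from the campaign.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe mhtml:http://example.invalid/b.html!x-usc:http://example.invalid/b.html"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\book.pdf                .hta"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # A benign HTA run by hand from Explorer, to show it is not flagged.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\inventory.hta"},
]

PADDED_HTA = re.compile(r"\.pdf\s{3,}\.hta", re.IGNORECASE)
HIDDEN_OR_ENCODED = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")

def image_name(event):
    return ntpath.basename(event["image"]).lower()

def ancestry(events, pid):
    """Walk pid -> ppid and return the chain from the process up to its root."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def lineage_reasons(chain):
    """Reasons this chain looks like the IE -> mshta -> PowerShell pattern."""
    names = [image_name(e) for e in chain]
    leaf, cmd = names[0], chain[0]["cmdline"].lower()
    reasons = []
    if leaf == "powershell.exe" and "mshta.exe" in names[1:]:
        reasons.append("powershell.exe descended from mshta.exe")
    if "mshta.exe" in names and "iexplore.exe" in names:
        reasons.append("mshta.exe launched under Internet Explorer")
    if leaf == "powershell.exe" and any(flag in cmd for flag in HIDDEN_OR_ENCODED):
        reasons.append("hidden-window or encoded PowerShell")
    if any(image_name(e) == "mshta.exe" and PADDED_HTA.search(e["cmdline"]) for e in chain):
        reasons.append("HTA name padded with spaces to look like a PDF")
    return reasons

def hunt(events):
    """Return one finding per mshta.exe or powershell.exe whose lineage matches."""
    findings = []
    for e in events:
        if image_name(e) in ("mshta.exe", "powershell.exe"):
            reasons = lineage_reasons(ancestry(events, e["pid"]))
            if reasons:
                findings.append({"pid": e["pid"], "image": image_name(e), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

The iexplore.exe ancestor is the strongest signal here: on a Windows 11 host where IE is disabled, any mshta.exe under the IE process is worth a look on its own, and the same walk can be fed from real Sysmon event ID 1 or EDR process-tree data once the field names are mapped.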

This second-stage payload is a modified variant of Donut, an open-source loader written in .NET that uses process injection to execute VBScript, JScript, EXE and DLL files, and .NET assemblies in memory.

The Donut loader variant used in this case decrypts and injects AtlantidaStealer.exe, an information-stealing trojan that first appeared in January 2024. The malware appears to be based on the open-source NecroStealer and PredatorTheStealer programs and has extensive data theft capabilities.

It searches for sensitive information such as passwords and cookies in a number of browsers, as well as popular programs such as Telegram, Steam, and others. Attackers can also configure the program to extract files with specific extensions or from specific locations on the system. In addition, the trojan can take screenshots of the victim’s screen and gather information about their system including geolocation.

One of the stand-out features of Atlantida is that it also steals information from cryptocurrency wallets as well as Chrome browser extensions that handle cryptocurrency operations. The collected data is stored in ZIP archives and sent to a command-and-control server over TCP connections.

The Trend Micro report includes the MITRE ATT&CK TTPs associated with this campaign, as well as indicators of compromise that can be used to build detections and perform threat hunting inside organizations.

More by Lucian Constantin:
