CVE-2024-43461 Exploited by Void Banshee

Cyber Defense Center

A vulnerability originally reported as not actively exploited in this month’s Microsoft Patch Tuesday, CVE-2024-43461, has now been found to be actively exploited. It is being leveraged in a campaign by the Void Banshee threat actor group to deploy infostealer malware.

This vulnerability affects all supported versions of Microsoft Windows.

What is CVE-2024-43461?

CVE-2024-43461 is a Windows MSHTML Platform spoofing vulnerability with a high CVSS base score of 8.8. It enables attackers to manipulate the user interface so that critical information is misrepresented, specifically the apparent file-type extension. This allows malicious files, such as HTA (HTML Application) files, to masquerade as benign file types (such as PDFs) in order to deceive users.

This vulnerability was disclosed during Microsoft’s September 2024 Patch Tuesday and was previously exploited as a zero-day by the Void Banshee APT (Advanced Persistent Threat) group. The exploit requires no special privileges but does require user interaction: a user must open the malicious file for the exploit to take effect. The attack vector is primarily phishing and social engineering, and successful exploitation can significantly impact the integrity, confidentiality, and availability of affected systems.

Void Banshee Exploitation

The advanced persistent threat (APT) group known as Void Banshee has been highly active since July 2024, primarily targeting North America, Europe, and Southeast Asia for information theft and financial gain. Utilising attack chains that exploit vulnerabilities such as CVE-2024-38112 and CVE-2024-43461, Void Banshee relies on social engineering to deceive victims into executing malicious files disguised as PDFs. Specifically, the group manipulates internet shortcut files, changing their icons so that they look like legitimate documents, and uses HTML Applications (HTA) to execute payloads through the disabled Internet Explorer services. The group has been associated with the Atlantida campaign, distributing the Atlantida info-stealer to pilfer sensitive data, including passwords and cookies, from various applications. Its lures include zip archives containing copies of textbooks or reference materials shared on platforms such as Discord and online libraries, indicating a focus on highly skilled professionals and students. In May 2024, telemetry data tracked an updated campaign from Void Banshee that further refined these tactics, emphasising the group's ongoing threat to organisations worldwide through sophisticated exploitation methodologies.
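The two tricks described above, a script file whose visible extension looks like a document and an internet shortcut dressed up with a document icon, can both be checked for during triage of a suspicious archive. The following Python is an added example written for this article, not code from Ontinue or from any Void Banshee analysis; it assumes only the standard Internet Shortcut (.url) layout (an INI-style file with an [InternetShortcut] section and URL and IconFile keys) and Explorer's default behaviour of hiding known extensions. All file names and shortcut contents in it are constructed.

```python
"""Defender-side triage checks for document-lookalike lures.

Check 1: a file name whose real (last) extension is a script type while the
         extension a user sees, with 'hide known extensions' on, looks like a
         document (Textbook.pdf.hta is displayed as Textbook.pdf).
Check 2: an Internet Shortcut (.url) whose target is not an ordinary web URL,
         or resolves to a script file such as an HTA, optionally carrying a
         custom icon so it does not look like a browser link.
All sample inputs are constructed for this example.
"""
import configparser
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Extensions that run code or redirect execution when double-clicked.
SCRIPT_EXTENSIONS = {".hta", ".url", ".lnk", ".js", ".vbs", ".wsf", ".exe", ".scr"}
# Extensions an attacker wants the file to appear to have.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def extension_pair(filename: str) -> tuple:
    """Return (apparent, true) extensions, lower-cased.

    'apparent' is what Explorer displays when the final extension is hidden;
    it is the empty string for a single-extension name.
    """
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if not suffixes:
        return "", ""
    true_ext = suffixes[-1]
    apparent = suffixes[-2] if len(suffixes) >= 2 else ""
    return apparent, true_ext


def is_masquerading_name(filename: str) -> bool:
    """True when the hidden extension is a script type and the visible one a document type."""
    apparent, true_ext = extension_pair(filename)
    return true_ext in SCRIPT_EXTENSIONS and apparent in DOCUMENT_EXTENSIONS


def analyze_internet_shortcut(text: str) -> dict:
    """Parse .url content (INI style) and report why it might be a lure."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return {"valid": False, "suspicious": False}
    section = parser["InternetShortcut"]
    url = section.get("url", "").strip()          # option names are lower-cased by configparser
    icon_file = section.get("iconfile", "").strip()
    parts = urlsplit(url)
    target_ext = PureWindowsPath(parts.path).suffix.lower()
    findings = {
        "valid": True,
        "url": url,
        # A genuine internet shortcut points at http(s); any other scheme deserves a look.
        "non_web_target": parts.scheme.lower() not in {"http", "https"},
        # The target itself is a script file type, e.g. an HTA payload.
        "script_target": target_ext in SCRIPT_EXTENSIONS,
        # A custom icon means the shortcut was given a look other than the default link icon.
        "custom_icon": bool(icon_file),
    }
    findings["suspicious"] = findings["non_web_target"] or findings["script_target"]
    return findings


# Constructed samples: a lure-style shortcut and a benign one.
SAMPLE_LURE_SHORTCUT = """[InternetShortcut]
URL=file://CONSTRUCTED-EXAMPLE-HOST/share/Textbook.pdf.hta
IconFile=C:\\CONSTRUCTED\\document_icon.dll
IconIndex=1
"""

SAMPLE_BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://example.com/
"""


if __name__ == "__main__":
    for name in ["Textbook.pdf.hta", "Textbook.pdf", "Reference Manual.pdf.url"]:
        print(f"{name!r:32} masquerading={is_masquerading_name(name)}")
    for label, content in [("lure", SAMPLE_LURE_SHORTCUT), ("benign", SAMPLE_BENIGN_SHORTCUT)]:
        print(label, analyze_internet_shortcut(content))
```

Neither check is a signature for this campaign on its own; a double extension or a non-web shortcut target is a triage signal that justifies pulling the file apart further, and in an environment where users receive textbook-style archives it is worth running over every extracted file before anyone opens it.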

Countermeasures and Patches

  • Customers should ensure that all Microsoft security updates are installed; the July and September 2024 updates directly address these vulnerabilities.

References

Microsoft Security update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43461

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Carlo Keay

Balazs Greksza

Domenico de Vitto
