
Microsoft Addresses Exploited Zero-Day Data-Stealing Windows Vulnerability

Void Banshee attacks used a Windows zero-day (CVE-2024-43461) to steal data. The flaw disguised HTA malware as PDFs, bypassing security measures.


The cybercriminal group Void Banshee has been exploiting a zero-day defect in Windows known as CVE-2024-43461, linked to the MSHTML engine, in its cyber attacks. Initially flagged during Microsoft's September 2024 Patch Tuesday, the vulnerability was subsequently confirmed as actively exploited.

The security breach was discovered by Peter Girnus from Trend Micro's Zero Day Initiative, revealing the flaw's usage in dispersing data-stealing malware.

Extent of the Attacks

Void Banshee has been focusing its attacks on entities in North America, Europe, and Southeast Asia to siphon sensitive data for monetary gain. The group has employed additional zero-day flaws, notably CVE-2024-38112 and CVE-2024-43461, in their cyber campaigns.

Check Point's Haifei Li found that a vulnerability allowed Internet Explorer to be launched instead of Microsoft Edge, using tailored shortcuts to download a harmful HTA file, which then installed the Atlantida info-stealer.

Exploit Strategy

CVE-2024-43461 was manipulated to disguise the HTA file's type, tricking users into seeing it as a PDF. This was achieved by embedding a run of URL-encoded braille whitespace characters (%E2%A0%80, the UTF-8 encoding of U+2800 BRAILLE PATTERN BLANK) into the file name, pushing the real extension out of view. Although the recent update now accurately displays the HTA extension, the padding characters may still trick users into thinking the file is a PDF.
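The file-name trick described above is easy to check for on the defensive side: decode the name as it appears in a download URL, strip out characters that render as blank, and compare the extension a user would see with the extension Windows actually acts on. The script below is an added example written for this article, not code from Trend Micro, Check Point or Microsoft; the sample file names are constructed for illustration, and the extension lists are an assumption meant to be illustrative rather than exhaustive.

```python
"""Flag file names that hide an executable extension behind invisible padding.

Written as an illustration for this article. The lure names below are
constructed samples, not real indicators from the campaign.
"""
import os
import re
from urllib.parse import unquote

# Characters that draw as blank but are not an ordinary ASCII space.
# U+2800 (BRAILLE PATTERN BLANK) is the one used in the lure described in the
# article; the rest are common look-alikes (assumption: illustrative list).
INVISIBLE_CHARS = (
    "\u2800"                        # BRAILLE PATTERN BLANK
    "\u00a0\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a"
    "\u200b\u202f\u205f\u3000"      # zero-width / typographic spaces
)
INVISIBLE_RUN = re.compile("[" + re.escape(INVISIBLE_CHARS) + "]+")

# Assumption: representative sets, extend to taste for a real deployment.
EXECUTABLE_EXTENSIONS = {".hta", ".exe", ".js", ".jse", ".vbs", ".wsf",
                         ".lnk", ".scr", ".ps1", ".bat", ".cmd", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                       ".jpg", ".png"}


def analyze_filename(name: str) -> dict:
    """Return what a user sees, what the OS executes, and a verdict."""
    # Names in URLs arrive percent-encoded; %E2%A0%80 decodes to U+2800.
    decoded = unquote(name)
    invisible_count = sum(1 for c in decoded if c in INVISIBLE_CHARS)

    # What the user is likely to read: the first visible chunk of the name.
    visible_parts = [p for p in INVISIBLE_RUN.split(decoded) if p]
    apparent_ext = (os.path.splitext(visible_parts[0])[1].lower()
                    if visible_parts else "")

    # What Windows acts on: everything after the last dot of the raw name.
    stem, real_ext = os.path.splitext(decoded)
    real_ext = real_ext.lower()

    # A document-looking extension sitting just before the real one
    # ("invoice.pdf.hta") is a classic double-extension disguise.
    hidden_doc_ext = os.path.splitext(INVISIBLE_RUN.sub("", stem))[1].lower()

    reasons = []
    if invisible_count and real_ext != apparent_ext:
        reasons.append("invisible padding hides the real extension")
    if real_ext in EXECUTABLE_EXTENSIONS and hidden_doc_ext in DOCUMENT_EXTENSIONS:
        reasons.append("executable disguised as a document by double extension")

    return {
        "decoded": decoded,
        "invisible_count": invisible_count,
        "apparent_extension": apparent_ext,
        "real_extension": real_ext,
        "verdict": "suspicious" if reasons else "benign",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed samples: a padded lure as it would appear in a URL, the
    # same name already decoded, a plain double extension, and a benign file.
    samples = [
        "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta",
        "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta",
        "invoice.pdf.hta",
        "report.pdf",
    ]
    for s in samples:
        r = analyze_filename(s)
        print(f"{r['verdict']:10} sees={r['apparent_extension'] or '-':6} "
              f"runs={r['real_extension'] or '-':6} pad={r['invisible_count']:3} "
              f"{'; '.join(r['reasons'])}")
```

Run over download logs or mail-gateway attachment names, the "suspicious" verdict is the line worth alerting on; note that the check keys on the raw extension Windows uses, so it keeps working whether or not the shell renders the padded name correctly after the patch.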

HTA stands for HTML Application. It's a file extension used for executable files that combine HTML, CSS, and JavaScript to create standalone applications. These applications can be run directly from a user's computer without requiring a web browser.

The loophole also enabled attackers to bypass certain defenses, letting malicious operations go undetected. Microsoft stresses the importance of updating security patches to defend against these vulnerabilities. Furthermore, the company points out that similar methods could be used to obscure different types of dangerous files, posing a broader security risk.

Beyond resolving CVE-2024-43461, Microsoft has fixed three more actively exploited zero-day issues in the same update cycle, including CVE-2024-38217, which bypassed the Mark of the Web protection through crafted LNK files. Microsoft remains engaged with security researchers to rapidly detect and correct these security gaps.

Last Updated on September 17, 2024 3:24 pm CEST

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.