An unidentified threat actor has been observed exploiting a now-patched zero-day flaw in the Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan (RAT) capable of accessing files stored on compromised Windows systems and downloading and executing malicious payloads, as part of an “unusual” campaign.
According to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021, the backdoor is distributed via a decoy document named “Manifest.docx” that loads the exploit code for the vulnerability from an embedded template, which in turn executes shellcode to deploy the RAT.
The malicious document claims to be a “Manifesto of the inhabitants of Crimea” and asks citizens to oppose Russian President Vladimir Putin and “create a unified platform called ‘People’s Resistance.’”
The Internet Explorer flaw, tracked as CVE-2021-26411, was previously abused by the North Korea-backed Lazarus Group to target security researchers working on vulnerability research and development.
The South Korean cybersecurity firm ENKI revealed this past February that the state-aligned hacking collective had made an unsuccessful attempt to target its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day exploit against Internet Explorer. Microsoft addressed the issue as part of its Patch Tuesday updates for March.
The Internet Explorer exploit is one of two ways used to deploy the RAT; the other involves downloading and executing a remote macro-weaponized template containing the implant. Regardless of the infection chain, the use of two attack vectors is likely an attempt to increase the likelihood of finding a path into the targeted machines.
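Both delivery paths described above depend on the decoy document pulling a template from somewhere other than the file itself, which is the behaviour a defender can look for in the OOXML package: an attachedTemplate relationship in word/_rels/settings.xml.rels whose target is an http(s) URL or a network path rather than a local .dotm. The triage script below is an added example and is not Malwarebytes' tooling or code from the report; the sample documents it builds are constructed in memory, and the template URLs and paths in them are placeholders, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML relationship namespace and the relationship type Word uses for an
# attached template. Both are standard identifiers from the OOXML schemas.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_template_targets(docx_bytes):
    """Return every external attachedTemplate target declared in a .docx.

    A benign document typically has no attachedTemplate relationship, or one
    pointing at a local .dotm (Word writes these as file:/// targets). A
    template-injection document points it at an http(s) URL or a UNC path so
    that Word fetches and applies the remote template when the file opens.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    targets = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            targets.append(rel.get("Target", ""))
    return targets


def is_remote(target):
    """True when the template target would be fetched over the network."""
    if target.startswith("\\\\"):          # UNC path \\server\share\...
        return True
    parts = urlsplit(target)
    if parts.scheme.lower() in ("http", "https"):
        return True
    # file://server/share/... is a network path; file:///C:/... is local.
    return parts.scheme.lower() == "file" and bool(parts.netloc)


def analyze_docx(docx_bytes):
    """Triage verdict: remote template targets plus presence of a VBA project."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        has_macro = "word/vbaProject.bin" in zf.namelist()
    remote = [t for t in remote_template_targets(docx_bytes) if is_remote(t)]
    return {
        "remote_templates": remote,
        "has_macro": has_macro,
        "suspicious": bool(remote) or has_macro,
    }


def build_sample_docx(template_target=None, with_macro=False):
    """Build a minimal constructed .docx in memory (a test fixture, not a real decoy)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if template_target is not None:
            rels = (
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>"
            )
            zf.writestr(SETTINGS_RELS, rels)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder macro project
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder targets only; none of these are indicators from the campaign.
    local = build_sample_docx("file:///C:/Users/user/Templates/Normal.dotm")
    injected = build_sample_docx("http://template-host.invalid/template.dotm")
    print("local template :", analyze_docx(local))
    print("remote template:", analyze_docx(injected))
```

Run it against a real sample by reading the .docx into bytes and passing them to analyze_docx; the function flags the remote-template vector and a bundled macro project independently, so a document that uses only the IE exploit path still surfaces through its external template target, while a purely macro-based template surfaces through vbaProject.bin once it has been fetched.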
Malwarebytes researcher Hossein Jazi said in a report shared with The Hacker News that “While both techniques rely on template injection to drop a full-featured remote access trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery.” He further added, “The attackers may have wanted to combine social engineering and exploit to maximize their chances of infecting targets.”
Jazi noted that “As the conflict between Russia and Ukraine over Crimea continues, cyber-attacks have been increasing as well.”
Besides collecting system metadata, the VBA RAT is designed to identify antivirus products running on the infected host and to execute commands it receives from an attacker-controlled server, including reading, deleting, and downloading arbitrary files, exfiltrating the results of those commands back to the server.
Malwarebytes also discovered a PHP-based panel nicknamed “Ekipa” that the adversary uses to identify victims and view information about the infection chain that led to the successful breach, recording successful exploitation using the IE zero-day and the execution of the RAT.