Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs (Security News, July 2021)

An unidentified threat actor has been exploiting a now-patched zero-day flaw in the Internet Explorer browser to deliver a fully featured VBA-based remote access trojan capable of accessing files stored on compromised Windows systems and of downloading and executing malicious payloads as part of an "Unusual" campaign.
The backdoor is distributed via a decoy document named "Manifest.docx" that loads the exploit code for the vulnerability from an embedded template, which in turn executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021.
The Internet Explorer exploit is one of two methods used to deploy the RAT; the other relies on a social-engineering component that involves downloading and executing a remote macro-weaponized template containing the implant.
"While both techniques rely on template injection to drop a full-featured remote access trojan, the IE exploit previously used by the Lazarus APT is an unusual discovery," Malwarebytes researcher Hossein Jazi said in a report shared with The Hacker News.
"The attackers may have wanted to combine social engineering and exploit to maximize their chances of infecting targets."
Besides collecting system metadata, the VBA RAT is designed to identify antivirus products running on the infected host and to execute commands it receives from an attacker-controlled server, including reading, deleting, and downloading arbitrary files, and to exfiltrate the results of those commands back to the server.
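Both delivery paths described above start with template injection: the decoy document carries no payload itself, only a reference to a template that Word fetches when the file is opened. The reference lives in the package's relationship parts, so a defender can triage a suspicious .docx by unzipping it and checking whether the attachedTemplate relationship points to a remote URL. The following scanner is an added example written for this page, not code from Malwarebytes or the article; the sample packages it builds (including the template URL and host name) are constructed for the demonstration.

```python
"""Triage a .docx for remote template injection (added example, constructed samples)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return (rels_part, target) pairs for attachedTemplate relationships that
    point at an http(s) URL. A normal document attaches Normal.dotm via a local
    file:/// path, so only network schemes are reported; the document body is
    never inspected because an injected template leaves it looking clean."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in ("http", "https"):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal package holding only the parts the scanner reads."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: a remote template (the injection pattern) and a local Normal.dotm.
SUSPICIOUS_DOCX = build_sample_docx("http://template.example.test/Manifest.dotm")
BENIGN_DOCX = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")

if __name__ == "__main__":
    print("suspicious:", find_remote_templates(SUSPICIOUS_DOCX))  # one hit
    print("benign:", find_remote_templates(BENIGN_DOCX))          # []
```

The check flags only the relationship, not the template content, so a hit means "fetch the template in a sandbox and inspect it", and a clean result does not rule out the other techniques the article mentions.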