Security News > 2021 > July > Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs
An unidentified threat actor has been exploiting a now-patched zero-day flaw in Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan capable of accessing files stored in compromised Windows systems, and downloading and executing malicious payloads as part of an "Unusual" campaign.
The backdoor is distributed via a decoy document named "Manifest.docx" that loads the exploit code for the vulnerability from an embedded template, which, in turn, executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021.
The Internet Explorer exploit is one of the two ways that's used to deploy the RAT, with the other method relying on a social engineering component that involves downloading and executing a remote macro-weaponized template containing the implant.
"While both techniques rely on template injection to drop a full-featured remote access trojan, the IE exploit previously used by the Lazarus APT is an unusual discovery," Malwarebytes researcher Hossein Jazi said in a report shared with The Hacker News.
"The attackers may have wanted to combine social engineering and exploit to maximize their chances of infecting targets."
Besides collecting system metadata, the VBA RAT is orchestrated to identify antivirus products running on the infected host and execute commands it receives from an attacker-controlled server, including reading, deleting, and downloading arbitrary files, and exfiltrate the results of those commands back to the server.
News URL
Related news
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware (source)
- Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining (source)
- Microsoft says Russian hackers breached its systems, accessed source code (source)
- Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets (source)