Hossein Jazi and the Malwarebytes Threat Intelligence team released a report on Thursday on a new threat actor that appears to be targeting Russian and pro-Russian individuals.
The attackers hint at a political motivation: the lure is a manifesto about Crimea. The attack uses a suspicious document named “Manifest.docx” which, unusually, downloads and executes two attack vectors at once: a remote template injection and an exploit for CVE-2021-26411, an Internet Explorer vulnerability.
“Both techniques are loaded by the malicious document using the template injection technique. The first template contains a URL to download a remote template that has a full-featured VBA RAT embedded in it. This RAT has several different features, such as downloading, uploading, and executing files,” Jazi said.
“The second template is an exploit for CVE-2021-26411 that executes shellcode to deploy the same VBA RAT. The VBA RAT is not obfuscated, but it uses some interesting techniques for shellcode injection.”
Jazi links the attack to the ongoing conflict between Russia and Ukraine, part of which centers on Crimea. The report notes that cyberattacks from both sides are on the rise.
However, Jazi cautions that the manifesto and the Crimea theme may be a false flag planted by the threat actor.
The Malwarebytes Threat Intelligence team discovered “Манифест.docx” (“Manifest.docx”) on July 21st. The document downloads and runs two templates: one is macro-enabled, and the other is an HTML object containing the Internet Explorer exploit.
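The remote template injection described above works because Word follows an `attachedTemplate` relationship in the document's settings relationships, which may point at an external URL. The following Python is an added illustration for defenders, not Malwarebytes' code or a reproduction of the real Manifest.docx: it unpacks a `.docx` (a zip of XML parts), inspects every `word/_rels/*.rels` part, and flags `attachedTemplate` relationships whose target is external and points at an HTTP(S), UNC or `file:` location. The `build_docx` helper constructs minimal sample documents in memory so the check runs offline; the `example.invalid` URL it uses is a placeholder.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces and relationship type for the attached (remote) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Targets that would make Word fetch the template over the network.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\|file:)", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return a list of (rels_part, target) for every attachedTemplate
    relationship in the document that points to an external remote location.
    An empty list means no remote template injection indicator was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Word keeps the template link in word/_rels/settings.xml.rels,
            # but scanning every .rels part under word/ costs nothing extra.
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external and REMOTE_TARGET.match(target):
                    findings.append((name, target))
    return findings


def build_docx(attached_template=None, external=True):
    """Construct a minimal .docx in memory (a constructed sample, not a real
    malicious document). If attached_template is given, an attachedTemplate
    relationship is written, internal or external depending on `external`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        rels = [f'<Relationships xmlns="{REL_NS}">']
        if attached_template:
            mode = ' TargetMode="External"' if external else ""
            rels.append(
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{attached_template}"{mode}/>'
            )
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_docx("Normal.dotm", external=False)   # local template, benign
    suspicious = build_docx("http://example.invalid/template.dotm")  # placeholder URL
    print("clean:", find_remote_templates(clean))
    print("suspicious:", find_remote_templates(suspicious))
```

A hit from this check is an indicator, not a verdict: legitimate corporate documents sometimes reference templates on internal file shares, so triage the target host before blocking. The same zip-and-XML inspection can be extended to `word/_rels/document.xml.rels` for other external relationship types (for example, linked OLE objects) that the same loader abuses.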
Analysts have discovered that the exploitation of CVE-2021-26411 is similar to the attack initiated by Lazarus APT.
According to the report, attackers combined social engineering and exploits to increase their chances of infecting victims.
Malwarebytes could not attribute the attack to a specific actor, but the decoy document shown to victims contains a statement from a group associated with a person named Andrey Sergeevich Portyko, who allegedly opposes Russian President Vladimir Putin’s policy on the Crimean peninsula.
Jazi explained that the decoy document is displayed after the remote template loads. The document is written in Russian and has also been translated into English.
The VBA RAT collects victim information, identifies AV products running on the victim’s machine, executes shellcode, deletes files, uploads and downloads files, and reads disk and system information.
Jazi points out that instead of using well-known API calls for shellcode execution, which AV products could easily flag, the attacker used EnumWindows to execute the shellcode.
The security team found a Crimea manifesto deploying a VBA RAT using double attack vectors.