Hackers Use IE Fixed 0Day Vulnerability To Install RAT

Unknown cybercriminals exploit a fixed zero-day vulnerability in Internet Explorer to distribute a Remote Access Trojan (RAT) written in the VBA programming language. The malware is capable of accessing files on compromised Windows systems and downloading and executing malicious payloads.

As reported by the specialists of the company Malwarebytes, backdoor spreads via a fake document entitled Manifest.docx, which initiates operation of vulnerability and executes shell-code for the RAT deployment.

In addition to collecting system metadata, RAT is designed to detect anti-virus products on an infected system and execute C&C server commands, including reading, deleting, and loading arbitrary files, as well as transferring command results back to the server.

The experts also discovered a panel written in PHP called Ekipa, which is used by an attacker to track victims and view information about the methods of operation that led to a successful hack.

It is noteworthy that this vulnerability (CVE-2021-26411) has already been exploited by the Lazarus Group, supported by North Korea, for attacks on information security specialists. The Lazarus Group used MHTML files to attack cybersecurity researchers . The experts analyzed the payloads loaded by the MHT file and found an exploit for a zero-day vulnerability in Internet Explorer. Microsoft has fixed this issue with the March security updates.

Previous Post Next Post