
Hackers Installing VBA RATs Using Two Attack Vectors

The Malwarebytes threat intelligence team has identified a new malware campaign that uses two remote templates: a macro-enabled document and an HTML object file carrying exploit code for the Internet Explorer vulnerability CVE-2021-26411. Either path ends with a fully featured remote access trojan (RAT) installed on the target machine.

Researchers spotted a malicious file named “Manifest.docx” that executes shellcode to install the RAT on the victim's machine.
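As an added defensive example (not code from the Malwarebytes report or this post), the following Python script inspects a Word document for the external attachedTemplate relationship that remote template injection leaves behind, for an embedded VBA project, and for a template host matching the C2 domain in the IoC list below. The document it builds is constructed for the demonstration, and the template file name is an assumed placeholder.

```python
import io
import zipfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# C2 host from this post's IoC list (defanging brackets removed for matching).
KNOWN_C2_HOSTS = {"cloud-documents.com"}


def inspect_docx(docx_bytes: bytes) -> dict:
    """Report remote template links, embedded macros and known-C2 hosts.

    A remote template shows up as an attachedTemplate relationship with
    TargetMode="External" in word/_rels/settings.xml.rels; a macro payload
    ships as word/vbaProject.bin.
    """
    report = {"remote_templates": [], "has_macros": False, "c2_match": False}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        report["has_macros"] = "word/vbaProject.bin" in names
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(z.read(rels))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    target = rel.get("Target", "")
                    report["remote_templates"].append(target)
                    host = (urlparse(target).hostname or "").lower()
                    if host in KNOWN_C2_HOSTS:
                        report["c2_match"] = True
    return report


def build_sample_docx(template_url: str = "", with_macros: bool = False) -> bytes:
    """Constructed minimal Word package for testing; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"")  # empty stand-in for a VBA project
        if template_url:
            z.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" '
                f'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # "template.dotm" is an assumed placeholder path, not a value from the report.
    print(inspect_docx(build_sample_docx("https://cloud-documents.com/template.dotm")))
```

Run it against real samples by passing the file's bytes to `inspect_docx`; a non-empty `remote_templates` list in a document received from outside the organisation is worth a closer look even without a C2 match.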

The researchers also identified a panel used by the threat actors, dubbed “Ekipa” (meaning “team”). Additionally, they found that the threat group tracks statistics on exploitation of the IE vulnerability against victims, a vulnerability for which Microsoft has already released patches.

Source: Malwarebytes

The Malwarebytes team also noted that the VBA RAT performs actions such as collecting victim information, identifying AV products running on the target machine, and uploading, deleting and downloading files.

“After loading the remote templates the malicious document loads a decoy document in Russian which is pretty interesting. The decoy document is a statement from a group within Crimea that voices opposition to Russia and specifically Putin’s policies against that peninsula.” reads the blog post.

Source: Malwarebytes

“As the conflict between Russia and Ukraine over Crimea continues, cyber attacks have been increasing as well. The decoy document contains a manifesto that shows a possible motive (Crimea) and target (Russian and pro-Russian individuals) behind this attack. However, it could also have been used as a false flag.” concludes the blog post.

Indicators of Compromise:

Maldocs:
03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac
0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a

Remote template:
fffe061643271155f29ae015bca89100dec6b4b655fe0580aa8c6aee53f34928

C2 server:
cloud-documents[.]com

Source: Malwarebytes.

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
