An unidentified threat actor has been exploiting a now-patched zero-day flaw in Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan (RAT) capable of accessing files stored in compromised Windows systems, and downloading and executing malicious payloads as part of an “unusual” campaign.
The backdoor is distributed via a decoy document named “Manifest.docx” that loads the exploit code for the vulnerability from an embedded template, which, in turn, executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021.
The malware-laced document claims to be a “Manifesto of the inhabitants of Crimea” calling on the citizens to oppose Russian President Vladimir Putin and “create a unified platform called ‘People’s Resistance.'”
The Internet Explorer flaw, tracked as CVE-2021-26411, is notable for the fact that it was abused by the North Korea-backed Lazarus Group to target security researchers working on vulnerability research and development.
Earlier this February, South Korean cybersecurity firm ENKI revealed the state-aligned hacking collective had made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer. Microsoft addressed the issue as part of its Patch Tuesday updates for March.
images from Hacker News