Researchers have discovered a security vulnerability in Microsoft’s Internet Explorer browser that allowed attackers to deploy VBA malware onto targeted computers.
A new report has revealed that a now-patched zero-day vulnerability in the Microsoft Internet Explorer browser has been exploited by a malicious actor to deliver a fully featured VBA-based remote access Trojan (RAT) to selected systems. According to the details, this “unusual” attack campaign has been designed to give the malware perpetrators remote access to files stored on the compromised system, as well as the ability to download and execute malicious payloads.
A key feature of the VBA RAT is to detect the presence of anti-virus software and execute malicious instructions on the infected host, which may include the loading, removing, and downloading of arbitrary files and the exfiltration of the results back to the attacker-controlled server.
A further component, a PHP-based panel named “Ekipa”, has also been detected. The attacker apparently uses it to track targets and display information about the attack modus operandi, including which victims were successfully exploited through the Internet Explorer zero-day and where the RAT was executed.
The threat actors behind the multi-stage remote access Trojan (RAT) have not been officially identified. What has been established is that the backdoor is delivered in a fake document called “Manifest.docx”, which loads the exploit code for the vulnerability from an embedded template; that code in turn runs shellcode to install the RAT. The suspicious file was first spotted by researchers on 21 July this year.
Disguised as a “Manifesto of the inhabitants of Crimea”, the malicious document calls on citizens to unite in opposition to Russian President Vladimir Putin and to create a unified platform called “People’s Resistance”.
Tracked as CVE-2021-26411, the IE vulnerability is only one of the methods the malicious actors used to deliver the multi-stage remote access Trojan to targeted computers. The second method relies on a social engineering component: the document pulls in a remote, macro-weaponized template, and the macro executes once the victim enables it.
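Both delivery paths described above hinge on a Word document that loads a template from somewhere else, so a practical triage step for defenders is to inspect a .docx for an external attachedTemplate relationship and for an embedded VBA project before the file is ever opened. The following Python script is an added example for this article, not code from the researchers who analysed the campaign; the archive it builds and the template URL it uses are constructed placeholders, not artefacts from the real “Manifest.docx”.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Relationship type Word uses for a document's attached (remote or local) template.
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = REL_NS + "/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
VBA_PROJECT = "word/vbaProject.bin"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the targets of every attachedTemplate relationship marked External.

    A remote target (http/https/UNC) means Word will fetch a template from the
    network when the document opens, which is how macro-weaponized templates
    reach a victim without any macro being stored in the document itself.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter():
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def has_vba_project(docx_bytes: bytes) -> bool:
    """True if the archive embeds a VBA project (a .docx should never carry one)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return VBA_PROJECT in zf.namelist()


def triage(docx_bytes: bytes) -> dict:
    """Summarise the two indicators a responder would check first."""
    remote = find_remote_templates(docx_bytes)
    vba = has_vba_project(docx_bytes)
    return {
        "remote_templates": remote,
        "embedded_vba": vba,
        "suspicious": bool(remote) or vba,
    }


def build_sample_docx(template_target=None, external=True, with_vba=False) -> bytes:
    """Build a minimal, constructed docx-like archive for testing the checks.

    This is not a real Word document; it only contains the parts the checks read.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            rels = (
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/>'
                "</Relationships>"
            )
            zf.writestr(SETTINGS_RELS, rels)
        if with_vba:
            zf.writestr(VBA_PROJECT, b"\x00placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a document pointing at a remote template (placeholder URL).
    sample = build_sample_docx("http://template.example.invalid/manifest.dotm")
    print(triage(sample))
    # Constructed sample: a clean document with no template relationship.
    print(triage(build_sample_docx()))
```

The check reads only the package relationships, so it runs safely on a quarantined file without rendering it; a hit on either indicator is a reason to detonate the sample in a sandbox rather than deliver it to the user.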
The use of multiple attack vectors indicates that the threat actors are looking for ways to boost their chances of reaching their targets.