• A two-year-old Windows flaw is being exploited in new phishing campaign

    From TechnologyDaily@1337:1/100 to All on Tue Mar 7 12:15:04 2023
    A two-year-old Windows flaw is being exploited in new phishing campaign

    Date:
    Tue, 07 Mar 2023 12:00:55 +0000

    Description:
    Hackers are abusing a flaw in UAC to deliver a known remote access trojan.

    FULL STORY ======================================================================

    Hackers are abusing a two-year-old flaw in the Windows User Account Control (UAC) feature to bypass endpoint protection and deliver malware, researchers are saying.

    Cybersecurity experts from SentinelOne recently published a new report detailing how threat actors are using the UAC flaw to target victims in Eastern Europe with the Remcos remote access trojan (RAT).

    In the report, SentinelOne says the attack starts with the usual phishing email. The email is short, pointing the victim directly to an attachment which claims to be a late invoice or otherwise similarly urgent. However, the attachment is a tar.lz archive, carrying the DBatLoader executable.

    Hiding from antivirus programs

    The choice of format is somewhat strange, BleepingComputer reports, and lowers the chances of the victims falling for the trick. However, it also lowers the chances of the attachment being picked up by email security, which is perhaps the reason why threat actors are opting for it.

    Running the attachment does two things: first, it downloads a second payload from a public cloud service, and then it creates a mock trusted directory.

    A mock trusted directory, the publication reports, is a folder that mocks one that is trusted by the UAC, by having an almost identical name. The only difference is that it has an extra space. So, for example, a mock folder of C:\Windows\System32 would be C:\Windows \System32.

    As the File Explorer in Windows treats this mock folder the same as the legitimate one (that is, it doesn't trigger the UAC warning), threat actors can abuse it to run malicious files without the user being prompted for confirmation.

    So, the DBatLoader executable would deploy a legitimate exe file (easinvoker.exe) and a malicious DLL (netutils.dll) to the mock trusted directory and run them.

    Easinvoker.exe will run the malicious DLL, without users knowing what happened. Finally, the malicious DLL executes Remcos through process injection, granting the threat actor the ability to take screenshots and log keystrokes.
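    The mock trusted directory described above differs from the real one only by a trailing space in one path component ("C:\Windows \System32" versus "C:\Windows\System32"), which Win32 path normalization strips away. A defender hunting for this can apply the same normalization to observed paths (from file-creation or process-start events) and flag any path that equals a trusted directory only after normalization. The following is an added example written for this post, not code from SentinelOne, BleepingComputer or the campaign itself; the trusted-directory list, the sample event paths and the netutils.dll/easinvoker.exe file names placed in them are constructed from the article, and the stripping of trailing dots as well as trailing spaces is a generalization beyond the single space the article mentions.

```python
from typing import Iterable, List, Tuple

# Directories whose contents Windows auto-elevates without a UAC prompt.
# Assumed list for this example; the article names only C:\Windows\System32.
TRUSTED_DIRS = [
    r"C:\Windows\System32",
]


def normalize(path: str) -> str:
    """Mimic Win32 path normalization: per component, strip trailing spaces
    and dots, and compare case-insensitively."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(p.rstrip(" .").lower() for p in parts)


def find_mock_trusted_dirs(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (observed_path, mock_directory, impersonated_trusted_directory)
    for every observed path that sits inside a directory which matches a
    trusted directory only after normalization, i.e. a mock trusted directory."""
    trusted = {normalize(t): t for t in TRUSTED_DIRS}
    findings = []
    for p in paths:
        parts = p.replace("/", "\\").split("\\")
        # Walk every ancestor prefix so files inside the mock directory are caught too.
        for i in range(1, len(parts) + 1):
            prefix = "\\".join(parts[:i])
            key = normalize(prefix)
            if key in trusted and prefix.lower() != trusted[key].lower():
                findings.append((p, prefix, trusted[key]))
                break
    return findings


# Constructed sample of file paths as they might appear in file-creation telemetry.
SAMPLE_PATHS = [
    r"C:\Windows \System32\easinvoker.exe",   # legitimate exe dropped into the mock dir
    r"C:\Windows \System32\netutils.dll",     # malicious DLL dropped beside it
    r"C:\Windows\System32\notepad.exe",       # real trusted directory, benign
    r"C:\Users\alice\Downloads\invoice.tar.lz",
]

if __name__ == "__main__":
    for observed, mock_dir, real_dir in find_mock_trusted_dirs(SAMPLE_PATHS):
        print(f"mock trusted directory: {observed!r} impersonates {real_dir} via {mock_dir!r}")
```

    The check deliberately compares the raw prefix against the trusted path case-insensitively rather than after normalization, so a file genuinely in C:\Windows\System32 is never flagged; only a component that changes under trailing-space or trailing-dot stripping produces a finding.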

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/a-two-year-old-windows-flaw-is-being-exploited-in-new-phishing-campaign


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)