Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets

by admin 0 Comments

Cyber Security

Products You May Like

Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Cybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.

The attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix, a new company created following the merger of security firms McAfee Enterprise and FireEye, said in a report shared with The Hacker News.

First signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.

Automatic GitHub Backups

Trellix attributed the attacks with moderate confidence to the Russia-based APT28 group, the threat actor behind the compromise of SolarWinds in 2020, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.

MSHTML Flaw

“We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,” Trellix security researcher Marc Elias said.

The infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.

Prevent Data Breaches

The DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes Empire, an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.

If anything, the development marks the continued exploitation of the MSTHML rendering engine flaw, with Microsoft and SafeBreach Labs disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.

This article was originally published by Thehackernews.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

CMF Watch Pro 2 Teased to Come With Interchangeable Bezels
OTT Releases This Week: Mirzapur Season 3, Srikanth, Space Cadet and More
Samsung Galaxy M35 5G India Launch Teased, Might Go on Sale During Amazon Prime Day
Blueprint for Success: Implementing a CTEM Operation
MSI Crosshair 16 HX Monster Hunter Edition Launched in India; MSI Claw Availability Announced

Leave a Reply

Your email address will not be published. Required fields are marked *