Tuesday, May 6, 2025
HomeMalwareWindows VBScript Engine Zero-day Flaw used by Darkhotel Hackers Group To Compromise...

Windows VBScript Engine Zero-day Flaw used by Darkhotel Hackers Group To Compromise Vulnerable Systems

Published on

SIEM as a Service

Follow Us on Google News

A new zero-day exploit for Windows VBScript Engine discovered that belongs to North Korean cyber criminals gang called Darkhotel which is the same gang behind another Zero-day flaw “double kill” that affected IE browser.

This new zero-day attack spotted in July by security researchers from Trend Micro that helps to exploit the code execution vulnerability in Windows VBScript Engine.

This is the 3rd vulnerability discovered in windows VBScript Engine and first two also affecting the double killing vulnerability of Office and IE, in the wild.

- Advertisement - Google News

Microsoft disabled the VBScript execution by default in the latest version of  IE 11 via Registry, or via Group Policy, in new versions of Windows.

Further Analysis revealed with this new Zero-day attack confirmed that attackers used same obfuscation technique as like the previous Zero-day and the same group “Darkhotel” has been exploited these vulnerabilities in wide.

Zero-day Traceability 

Researchers discovered that, this Zero-day using Microsoft Office Document with an embedded domain name (http ://windows-updater[.]net/stack/ov.php?w= 1\x00who =1)

A researcher from 360 Threat Intelligence Center analyzed the URL and confirm that the URL used by the same DarkHotel APT gang for latest attacks.

360 Threat Intelligence Center is also associated with a new DarkHotel that using the backdoor mstfe.dll (MD5: 5ce7342400cce1eff6dc70c9bfba965b) to hijack the Windows operating system module and found the new C2:

  • Hxxp://documentsafeinfo.com/mohamed/salah[.]php
  • Hxxp://779999977.com/mohamed/salah[.]php

Also, this zero-day contains a backdoor program associated with payload files within a named Zlib.

As a final step of the execution in the target system, the function of the malicious code is mainly to decrypt the URL from itself, download the malicious payload, decrypt it into a dll, modify the online configuration information, and load and run in the memory.

The vulnerability was fixed by Microsoft the day before the disclosure. The vulnerability number is CVE-2018-8373, also you can read the complete technical analysis here.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Hackers Targeting Schools and Universities in New Mexico with Cyber Attacks

A major cyberattack on the Coweta County School System's computer network occurred late Friday night, which is a worrying development for New Mexico's educational institutions. The unauthorized intrusion, detected around 7:00 p.m., prompted immediate action from the school...