A new zero-day exploit for Windows VBScript Engine discovered that belongs to North Korean cyber criminals gang called Darkhotel which is the same gang behind another Zero-day flaw “double kill” that affected IE browser.
This new zero-day attack spotted in July by security researchers from Trend Micro that helps to exploit the code execution vulnerability in Windows VBScript Engine.
This is the 3rd vulnerability discovered in windows VBScript Engine and first two also affecting the double killing vulnerability of Office and IE, in the wild.
Microsoft disabled the VBScript execution by default in the latest version of IE 11 via Registry, or via Group Policy, in new versions of Windows.
Further Analysis revealed with this new Zero-day attack confirmed that attackers used same obfuscation technique as like the previous Zero-day and the same group “Darkhotel” has been exploited these vulnerabilities in wide.
Researchers discovered that, this Zero-day using Microsoft Office Document with an embedded domain name (http ://windows-updater[.]net/stack/ov.php?w= 1\x00who =1)
A researcher from 360 Threat Intelligence Center analyzed the URL and confirm that the URL used by the same DarkHotel APT gang for latest attacks.
360 Threat Intelligence Center is also associated with a new DarkHotel that using the backdoor mstfe.dll (MD5: 5ce7342400cce1eff6dc70c9bfba965b) to hijack the Windows operating system module and found the new C2:
Hxxp://documentsafeinfo.com/mohamed/salah[.]php
Hxxp://779999977.com/mohamed/salah[.]php
Also, this zero-day contains a backdoor program associated with payload files within a named Zlib.
As a final step of the execution in the target system, the function of the malicious code is mainly to decrypt the URL from itself, download the malicious payload, decrypt it into a dll, modify the online configuration information, and load and run in the memory.
The vulnerability was fixed by Microsoft the day before the disclosure. The vulnerability number is CVE-2018-8373, also you can read the complete technical analysis here.
As California grapples with devastating wildfires, communities are rallying to protect lives and property. Unfortunately,…
AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August 2024…
Botnets are the networks of compromised devices that have evolved significantly since the internet's inception.…
The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to develop…
A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web applications.…
A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress,…