A new zero-day exploit for Windows VBScript Engine discovered that belongs to North Korean cyber criminals gang called Darkhotel which is the same gang behind another Zero-day flaw “double kill” that affected IE browser.
This new zero-day attack spotted in July by security researchers from Trend Micro that helps to exploit the code execution vulnerability in Windows VBScript Engine.
This is the 3rd vulnerability discovered in windows VBScript Engine and first two also affecting the double killing vulnerability of Office and IE, in the wild.
Microsoft disabled the VBScript execution by default in the latest version of IE 11 via Registry, or via Group Policy, in new versions of Windows.
Further Analysis revealed with this new Zero-day attack confirmed that attackers used same obfuscation technique as like the previous Zero-day and the same group “Darkhotel” has been exploited these vulnerabilities in wide.
Researchers discovered that, this Zero-day using Microsoft Office Document with an embedded domain name (http ://windows-updater[.]net/stack/ov.php?w= 1\x00who =1)
A researcher from 360 Threat Intelligence Center analyzed the URL and confirm that the URL used by the same DarkHotel APT gang for latest attacks.
360 Threat Intelligence Center is also associated with a new DarkHotel that using the backdoor mstfe.dll (MD5: 5ce7342400cce1eff6dc70c9bfba965b) to hijack the Windows operating system module and found the new C2:
Hxxp://documentsafeinfo.com/mohamed/salah[.]php
Hxxp://779999977.com/mohamed/salah[.]php
Also, this zero-day contains a backdoor program associated with payload files within a named Zlib.
As a final step of the execution in the target system, the function of the malicious code is mainly to decrypt the URL from itself, download the malicious payload, decrypt it into a dll, modify the online configuration information, and load and run in the memory.
The vulnerability was fixed by Microsoft the day before the disclosure. The vulnerability number is CVE-2018-8373, also you can read the complete technical analysis here.
In a recent development, the SPAWNCHIMERA malware family has been identified exploiting the buffer overflow…
A significant vulnerability in Sitevision CMS, versions 10.3.1 and earlier, has been identified, allowing attackers…
Chinese cybersecurity entities have accused the U.S. National Security Agency (NSA) of orchestrating a cyberattack…
The ACRStealer malware, an infostealer disguised as illegal software such as cracks and keygens, has…
A security vulnerability in Nagios XI 2024R1.2.2, tracked as CVE-2024-54961, has been disclosed, allowing unauthenticated…
Ubiquiti Networks has issued an urgent security advisory (Bulletin 046) warning of multiple critical vulnerabilities…