New RAT Targets Russian SpeakersMalwarebytes Describes Unusual Tactics
The Malwarebytes threat intelligence team has discovered a remote access Trojan apparently designed to target Russian speakers that may have combined a social engineering technique with a known exploit to maximize chances of infecting targets.
The RAT is included in a document named Манифест.docx, or Manifest.docx, which downloads and executes two templates. One is macro-enabled, while the other is an html object that contains an Internet Explorer exploit, Malwarebytes says.
"The first template contains a URL to download a remote template that has an embedded full-featured VBA [Visual Basic for Applications] RAT. This RAT has several different capabilities, including downloading, uploading and executing files," the report says.
The VBA RAT collects victim information, identifies the anti-virus product running on a victim’s machine, executes shell codes, deletes files, uploads and downloads files, and reads disk and file systems information.
"The second template is an exploit for CVE-2021-26411, an Internet Explorer memory corruption vulnerability, which executes a shell-code to deploy the same VBA RAT. The VBA RAT is not obfuscated but still uses some interesting techniques for shell-code injection," Malwarebytes reports.
"Remote template injection is a common technique that is usually used by many threat actors. But what makes this attack different is that it loads two remote templates - something we have not seen before. One of the loaded templates, which is a working exploit for CVE-2021-26411, is also a new exploit," Hossein Jazi, author of the Malwarebytes report told Information Security Media Group.
Another novelty is the use of the VBA RAT. Threat actors, says Jazi, usually use maldocs to download a remote template to drop a final RAT, an executable. In this case, however, the final RAT is a VBA RAT that has been embedded within the downloaded remote template, he adds.
The Internet Explorer exploit was previously used by the Lazarus Group.
After loading the remote templates, the malicious document loads a decoy document in Russian, the report says. The decoy document contains a statement from an undisclosed group within Crimea that voices opposition to Russia and Russian President Vladimir Putin’s policies regarding that peninsula, it says.
"The decoy document contains a manifesto that shows a possible motive - Crimea - and target - Russian and pro-Russian individuals - behind this attack. However, it could also have been used as a false flag," the report adds.
The Malwarebytes team, however, could not determine the threat actors responsible based on the techniques alone.