An unidentified actor is trying to exploit a zero-day flaw in Internet Explorer to drop a VBA-based remote access Trojan and download and install arbitrary payloads. The attacks are part of a politically-themed campaign, cybersecurity firm Malwarebytes said.
VBA (Visual Basic for Applications) is the programming language used in Excel and other Microsoft Office programs.
The VBA Trojan is distributed through a decoy Word document titled “Манифест” (“Manifesto”) that loads the exploit code from an embedded template, which then launches a shell command to execute the Trojan. Malwarebytes first spotted the threat actor distributing the suspicious Word file on July 21, 2021.
The manifesto is aimed at inhabitants of Ukraine’s Crimea Peninsula and calls on the residents of the region to resist Russian President Vladimir Putin.
In the past, the same flaw CVE-2021-26411 was exploited by the North Korean Lazarus Group to target security researchers. Microsoft patched the issue with its Patch Tuesday updates for March.
During the current campaign, the attackers also used a social engineering technique to deploy the RAT: the decoy document pulls in a remote template that carries the macro-weaponized component.
“While both techniques rely on template injection to drop a full-featured remote access trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery,” Malwarebytes researcher Hossein Jazi said in a report. “The attackers may have wanted to combine social engineering and exploit to maximize their chances of infecting targets.”
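Both delivery paths described above rest on template injection, so a defender's first triage step is usually to check whether a Word document points at a template that is fetched from a remote host when it opens. The script below is an added example written for this page, not code from Malwarebytes or from the report. It unpacks a .docx in memory, reads the attachedTemplate relationship from word/_rels/settings.xml.rels, and flags targets that resolve over HTTP(S) or a UNC share, while leaving a local Normal.dotm reference alone. The template URL and file names are constructed placeholders; the article does not give the real ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# OOXML relationship namespace and the relationship type Word uses for the
# document's attached template (Developer > Document Template in the UI).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# A template fetched over HTTP(S) or from a UNC share is loaded at open time.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def inspect_docx(docx_bytes: bytes) -> Dict[str, object]:
    """Report template-injection indicators for one .docx/.docm held in memory.

    Word keeps the attachedTemplate relationship in word/_rels/settings.xml.rels.
    A TargetMode="External" entry whose Target is an http(s) URL or UNC path means
    the template (and any macros it carries) is pulled from a remote host when the
    document opens. A local Normal.dotm path is also External but is not remote.
    """
    remote: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        # Macros stored in the decoy itself (a .docm) rather than in the template.
        has_vba = "word/vbaProject.bin" in names
        if "word/_rels/settings.xml.rels" in names:
            # For untrusted files in production, parse with defusedxml instead.
            root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                    continue
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode", "").lower() == "external"
                if is_external and REMOTE_TARGET.match(target):
                    remote.append(target)
    return {"remote_templates": remote, "has_vba_project": has_vba}


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal, constructed .docx for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body/></w:document>",
        )
        if template_target is not None:
            zf.writestr(
                "word/settings.xml",
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>',
            )
            zf.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE_TYPE}" Target="{template_target}" '
                'TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; the real template location is not stated in the article.
    for label, target in [
        ("remote http template", "http://template-host.invalid/manifesto.dotm"),
        ("local Normal.dotm", "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        ("no attached template", None),
    ]:
        print(label, "->", inspect_docx(build_sample_docx(target)))
```

Run over a mail gateway's quarantine or a sandbox's sample store, a non-empty `remote_templates` list is a strong triage signal even before the template itself is retrieved, because legitimate documents almost never fetch their template from an internet host. The `has_vba_project` flag covers the other variant, where the macros ship in the decoy rather than in the template.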
The VBA RAT is used by attackers to collect system metadata, identify antivirus products, read, delete, and download arbitrary files, exfiltrate the results, and execute other commands from their server.
Malwarebytes also discovered the adversary used Ekipa, a PHP-based panel, to track victims and review information about their own activities.
“As the conflict between Russia and Ukraine over Crimea continues, cyber attacks have been increasing as well,” Jazi said. “The decoy document contains a manifesto that shows a possible motive (Crimea) and target (Russian and pro-Russian individuals) behind this attack. However, it could also have been used as a false flag.”