Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
Nov. 14, 2024, 7:30 p.m.
Description
A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes with minimal user interaction with a malicious file. The exploit chain begins with phishing emails containing links to compromised Ukrainian government websites, which lead to the download of a ZIP archive containing a malicious URL file. When the user interacts with this file, it triggers the vulnerability and downloads additional payloads, including the Spark RAT malware. The stolen hashes also enable pass-the-hash attacks for unauthorized authentication as the affected user. Ukrainian CERT has attributed this activity to a threat actor tracked as UAC-0194.
Date
Published: Nov. 14, 2024, 11:57 a.m.
Created: Nov. 14, 2024, 11:57 a.m.
Modified: Nov. 14, 2024, 7:30 p.m.
Indicators
Attack Patterns
Spark RAT
UAC-0194
T1053.005
T1574.002
T1571
T1547.001
T1070.004
T1573
T1218
T1105
T1566.001
T1055
T1219
T1036
T1204
T1140
T1027
T1112
T1566
T1078
T1059
Additional Information
Government
Ukraine