Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

Nov. 14, 2024, 7:30 p.m.

Description

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes with minimal user interaction with malicious files. The exploit chain begins with phishing emails containing links to compromised Ukrainian government websites, which lead to the download of a ZIP archive containing a malicious URL file. When the user interacts with this file, it triggers the vulnerability and downloads additional payloads, including the Spark RAT malware. The stolen hashes also enable pass-the-hash attacks, letting the attacker authenticate as the victim without the password. Ukrainian CERT has attributed this activity to a threat actor known as UAC-0194.

Date

Published: Nov. 14, 2024, 11:57 a.m.

Created: Nov. 14, 2024, 11:57 a.m.

Modified: Nov. 14, 2024, 7:30 p.m.

Indicators

Attack Patterns

Spark RAT

UAC-0194

T1053.005

T1574.002

T1571

T1547.001

T1070.004

T1573

T1218

T1105

T1566.001

T1055

T1219

T1036

T1204

T1140

T1027

T1112

T1566

T1078

T1059

Additional Information

Government

Ukraine