Malware Deployed via Phishing Emails by Russian Hackers Manipulating New NTLM Flaw

| Updated on November 25, 2024

A recently fixed security vulnerability affecting Windows NT LAN Manager (NTLM) was used as a zero-day as a part of cyber attacks targeting Ukraine by a suspected actor linked to Russia. 

The flaw identified as CVE-2024-43451 (CVSS score 6.5), indicates a parodic flaw that allows NTLM to have a disclosure. It could be manipulated to capture an NTLMv2 hash of the users. Luckily, it was fixed by Microsoft earlier this week. Microsoft in its advisory stated that this flaw could be activated by some small actions or minimal user interaction with a malicious file including selecting (single-click), inspecting (right-click) or performing any action except simply opening or executing it. 

The Israeli cybersecurity firm, ClearSky identified the zero-day exploitation of this flaw in June 2024 and reported that it had been misused in an attack chain that delivers the open-source Spark RAT Malware. The company mentions that the flaw triggers URL files that further result in malicious activities. It noted that the harmful files were hosted on an official Ukrainian website that enables users to download academic certificates. 

The attack sequence consists of sending phishing emails from “doc.osvita-kp.gov[.]ua” which is a compromised Ukrainian government server. It urges the recipients to renew their academic certificates by simply clicking on a malicious URL included in the email. 

This action downloads a ZIP file containing a harmful internet shortcut (.URL) file on your system, this flaw gets activated when the users interact with the URL file by deleting it, right-clicking on it or when users are trying to shift it to some other folder.

Warnings have been issued by The Computer Emergency Response Team of Ukraine (CERT-UA) about the phishing emails featuring tax-related bait which are being used to distribute LiteManager, a legitimate remote desktop application, labelling the attack campaign as financially motivated.

Olawale Sanni H

Follow Me:

Comments Leave a Reply
Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment Policy.

Related Posts