According to researchers at Malwarebytes Labs, a suspicious document named “Манифест.docx” (“Manifest.docx”) was discovered that downloads and executes two templates: one is macro-enabled and the other is an HTML object containing an Internet Explorer exploit.
Both techniques rely on template injection leveraging the IE exploit (CVE-2021-26411) previously used by the Lazarus APT to drop a full-featured Remote Access Trojan.
How Did Hackers Exploit the IE Bug to Deploy VBA Malware on Targeted Windows Systems?
The unidentified hackers rely on template injection leveraging the IE exploit, with the remote template referenced from settings.xml.rels containing a full-featured VBA RAT that can collect the victim’s information, execute shellcode, and read disk and file system information.
The shellcode, once executed, deploys the same VBA RAT loaded through remote template injection, and after loading the remote templates the malicious document opens a decoy document in Russian. The decoy is purported to be a statement from a group within Crimea opposed to Russia.
The remote template contains Document_Open and Document_Close procedures, which are triggered when the document is opened and closed. Interestingly, the VBA RAT is capable of identifying antivirus products running on the target system and executing commands received from the attacker-controlled server.
How to Mitigate against the Microsoft IE Bug?
Microsoft promptly released a patch for the IE bug as part of its Patch Tuesday updates for March, and users are advised to update their browser in order to mitigate the exploit.
Among the security issues addressed with the update are a clutch of flaws known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), which allowed attackers to break into Microsoft Exchange servers and subsequently install unauthorized web-based backdoors for long-term access.