Hackers are abusing a two-year-old flaw in the Windows User Account Control (UAC) feature to bypass endpoint protection and deliver malware (opens in new tab), researchers are saying.
Cybersecurity experts from SentinelOne recently published a new report detailing how threat actors are using the UAC flaw to target victims in Eastern Europe with the Remcos remote access trojan (RAT).
In the report, SentinelOne says the attack starts with the usual phishing email. The email is short, pointing the victim directly to an attachment which claims to be a late invoice or otherwise similarly urgent. However, the attachment is a tar.lz archive, carrying the DBatLoader executable.
Hiding from antivirus programs
The choice of format is somewhat strange, BleepingComputer (opens in new tab) reports, and lowers the chances of the victims falling for the trick. However, it also lowers the chances of the attachment being picked up by email security, which is perhaps the reason why threat actors are opting for it.
> Another vital Windows tool is being abused to sideload malware (opens in new tab)
> Criminals hijack antivirus software to deliver malware (opens in new tab)
> Malicious use of Microsoft OneNote documents on the rise (opens in new tab)
Running the attachment does two things: first, it downloads a second payload from a public cloud service, and then it creates a mock trusted directory.
A mock trusted directory, the publication reports, is a folder that mocks one that is trusted by the UAC, by having an almost identical name. The only difference is that it has an extra space. So, for example, a mock folder of “C:\Windows\System32” would be “C:\Windows \System32”.
As the File Explorer in Windows treats this mock folder the same as the legitimate one (as in, it doesn’t trigger the UAC warning) - threat actors can abuse it to run malicious files without the user being prompted for confirmation.
So, the DBatLoader executable would deploy a legitimate exe file (easinvoker.exe) and a malicious DLL (netutils.dll) to the mock trusted directory and run them.
Easinvoker.exe will run the malicious DLL, without users knowing what happened. Finally, the malicious DLL executes Remcos through process injection, granting the threat actor the ability to take screenshots and log key strokes.
- Check out the best firewalls (opens in new tab)
Via: BleepingComputer (opens in new tab)