A two-year-old Windows flaw is being exploited in new phishing campaign

(Image credit: wk1003mike / Shutterstock)

Hackers are abusing a two-year-old flaw in the Windows User Account Control (UAC) feature to bypass endpoint protection and deliver malware, researchers are saying.

Cybersecurity experts from SentinelOne recently published a new report detailing how threat actors are using the UAC flaw to target victims in Eastern Europe with the Remcos remote access trojan (RAT). 

In the report, SentinelOne says the attack starts with the usual phishing email. The email is short, pointing the victim directly to an attachment which claims to be a late invoice or otherwise similarly urgent. However, the attachment is a tar.lz archive, carrying the DBatLoader executable. 

Hiding from antivirus programs

The choice of format is somewhat strange, BleepingComputer reports, and lowers the chances of the victims falling for the trick. However, it also lowers the chances of the attachment being picked up by email security, which is perhaps the reason why threat actors are opting for it.

Running the attachment does two things: first, it downloads a second payload from a public cloud service, and then it creates a mock trusted directory.

A mock trusted directory, the publication reports, is a folder that mocks one that is trusted by the UAC, by having an almost identical name. The only difference is that it has an extra space. So, for example, a mock folder of “C:\Windows\System32” would be “C:\Windows \System32”. 

As the File Explorer in Windows treats this mock folder the same as the legitimate one (as in, it doesn’t trigger the UAC warning) - threat actors can abuse it to run malicious files without the user being prompted for confirmation. 

So, the DBatLoader executable would deploy a legitimate exe file (easinvoker.exe) and a malicious DLL (netutils.dll) to the mock trusted directory and run them. 

Easinvoker.exe will run the malicious DLL, without users knowing what happened. Finally, the malicious DLL executes Remcos through process injection, granting the threat actor the ability to take screenshots and log key strokes. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.