relatório Microsoft: março hackers usado ativamente vulnerabilidades WinRAR

A Microsoft publicou detalhes de ataques gerenciados pelo Windows a computadores em empresas de mídia ocorridas em março.

Eun the attacks, criminosos utilizaram a famosa vulnerabilidade WinRAR que ganhou popularidade dentro de grupos criminosos nos últimos meses. Os hackers se armaram imediatamente após a publicação pela empresa Check Point, em fevereiro 20. That time researchers demonstrated how through this vulnerability code with the help of a file with special configuration (compressed files format) may be applied random code.

New improved WinRAR version was issued month before Check Point publication, but even in March Microsoft still watched attacks with CVE-2018-20250.

In the March campaign, hackers sent fishing letters allegedly from Afghanistan Home Office. Methods of social engineering that they applied were carefully planned to ensure full remote system discredit in the frameworks of WinRAR limited vulnerability.

Fishing letters contained Microsoft Word file with the link on other OneDrive document. It did not contain any malware macro to prevent attack detection. Contudo, OneDrive document contained malware macro and after their activation victim’s system received new hacker’s software.

Document With Malicious Macro
Downloaded document with malicious macro

Document also contained “Next page” button that contained fake notification about absence of necessary file DLD and necessity of computer restart. This trick was necessary as vulnerability enables malware programs to download files in a certain folder but not to start them at once. Considering this, ideal solution was putting program in the “Startup” folder. Files from this folder started at once after restarting computer.

After restart in the infected system started backdoor PowerShell that opens hackers full access to it. Use of this backdoor and other features pointed that cyber-band Água barrenta is responsible for the attacks.

This PowerShell script is similar to a script that has been used in past MuddyWater campaigns”, – confirmed Microsoft experts.

Fonte: https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability

Sobre Trojan Killer

Carry Trojan Killer portátil em seu memory stick. Certifique-se que você é capaz de ajudar o seu PC resistir a quaisquer ameaças cibernéticas onde quer que vá.

Além disso, verifique

MageCart na Cloud Platform Heroku

Os investigadores encontraram vários MageCart Web Skimmers Em Heroku Cloud Platform

Pesquisadores da Malwarebytes informou sobre encontrar vários skimmers MageCart web na plataforma Heroku nuvem …

Android Spyware CallerSpy

máscaras spyware CallerSpy como uma aplicação de chat Android

Trend Micro especialistas descobriram a CallerSpy malwares, que mascara como uma aplicação de chat Android, …

Deixe uma resposta