As a result, a specific COM object with a unique CLSID is registered in the infected system. During registration, registry keys are imported from the “add.txt” file. The first control is responsible for registering a COM object in Windows.Inside add.txt, we find the registry keys it will try to manipulate.AMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls. We found a PE file, some ActiveX control objects, and two text files.Checking we find that it is a CAB SFX file.When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the file, which is present inside the folder and executes it using wmic and then exits.The bat file also has the same name as the benign file outside the folder.When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.Also, note there is a trailing space at the end of the file and folder name (in yellow).This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.We can also see that the threat actor can craft the archive so that folder and file names are the same.The image below shows that the archive is named trading_system, which hints that it is used to target traders.Our intelligence shows that this vulnerability is being exploited as early as April 2023. JPG file) and also a folder that has the same name as the harmless file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. The issue occurs because a ZIP archive may include a benign file (such as an ordinary. It is related to an RCE vulnerability in WinRAR before version 6.23. On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |