Foxit PDF Reader and PDF Editor before 11.2.2 have a Type Confusion issue that causes a crash because of Unsigned32 mishandling during JavaScript execution.

CVE-2022-30557: Security Bulletins | Foxit Software

Delivering hotfixes and system updates separately will allow manual patching without requiring elevated permissions, Microsoft said.

In a move to ease the process of applying security updates to Exchange Server and help ensure the servers get patched, Microsoft has kicked off new security update packaging for the software.

Previously, elevated admin permissions were required to both update the application as well as install the most urgent "hotfix." The result, according to a new Microsoft Exchange security team blog post, have been servers being left unpatched. 

Moving forward, Exchange server updates will be sent in two packages — one Windows installer patch file (.msp) for automated updates and another (.exe) installer for manual updates. 

"The EXE package is a wrapper for the .msp file that ensures the installation runs with the required permissions," the Exchange security team added. "To install the update, simply double-click the .exe file and follow the instructions. The installation process checks permission prerequisites and if the check fails, it will try to elevate the permissions to the required admin level." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Simplifies Security Patching Process for Exchange Server

NYC-area cybersecurity expert shares the anatomy of a Quantum Ransomware attack and how to prevent, detect and recover from a ransomware attack, in a new article from eMazzanti Technologies.

HOBOKEN, N.J., May 11, 2022 /PRNewswire-PRWeb/ -- A NYC area cyber security consultant breaks down the recent cyber security threat, quantum ransomware, in a new article on the eMazzanti Technologies website. The informative article first relates how the threat first surfaced two years ago as MountLocker.

The author then explains the anatomy of a typical Quantum ransomware attack. He offers four strategies for preventing and detecting attacks followed by ransomware recovery tips, including having a well-documented incident response plan in place.

"In one of the fastest ransomware attacks yet reported, attackers moved from initial attack to ransomware deployment in under four hours," stated Almi Dumi, CISO, eMazzanti Technologies.

"Understanding attack patterns can help organizations mount more effective cyber defenses."

Below are a few excerpts from the article, "Quantum Ransomware Strikes Quickly, How to Prepare and Recover."

**Familiar Ransomware Rebranded...With a Twist**

"While Quantum has made headlines in recent days, the ransomware actually surfaced two years ago. Known initially as MountLocker, it was rebranded as Quantum in August 2021 when the encryptor began adding .quantum file extensions. Like other ransomware operations, it takes over networks, compromising servers, encrypting files, and bringing work to a halt."

**Anatomy of a Typical Quantum Ransomware Attack**

"While Quantum attacks leave scant time to react, knowing how typical attacks occur helps organizations with both prevention and mitigation. For instance, in recent Quantum ransomware attacks, infection occurred through a phishing email. While seemingly from a legitimate source, the email included IcedID malware embedded into an attached ISO file."

**Strategies for Preventing and Detecting Attacks**

"Implement 24/7 security monitoring - Successful defense depends on catching suspicious activity immediately. Implement continuous, automated monitoring to identify anomalies and take appropriate action."

**Quantum Ransomware Recovery Tips**

"Another critical component of a recovery plan involves data backups. Without solid backups, organizations may have to choose between losing critical data and cooperating with threat actors. Implement automated backups, test them regularly and store a copy offline to keep it safe from attack."

**Ransomware Experts**

To successfully recover from ransomware, business leaders must involve the right players. Partner with security personnel who are well-versed in ransomware recovery and have the right tools at hand. They may also need to involve the FBI, cyber breach lawyers, communications personnel, and insurance providers.

The cyber security experts at eMazzanti provide the tools and experience needed to implement a comprehensive security strategy. From monitoring to email filtering and end user training, they help business leaders stop malware earlier and recover quickly in the event of infection.

**Have you read?**

Useful Microsoft Teams Features You Need to Know

Are Cyber Insurance Policies Part of our new Normal?

**About eMazzanti Technologies**

eMazzanti's team of trained, certified IT experts rapidly deliver increased revenue growth, data security and productivity for clients ranging from law firms to high-end global retailers, expertly providing advanced retail and payment technology, digital marketing services, cloud and mobile solutions, multi site implementations, 24×7 outsourced network management, remote monitoring, and support.

eMazzanti has made the Inc. 5000 list 9X, is a 4X Microsoft Partner of the Year, the #1 ranked NYC area MSP, NJ Business of the Year and 5X WatchGuard Partner of the Year! Contact: 1-866-362-9926, \[email protected\] or http://www.emazzanti.net Twitter: @emazzanti Facebook: Facebook.com/emazzantitechnologies.

Quantum Ransomware Strikes Quickly, How to Prepare and Recover

Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. In addition, weak permissions in the ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory allow a local attacker the ability to execute an arbitrary file write, leading to execution of code as local system, in ZoneAlarm versions before v15.8.211.192119

CVE-2022-23743: ZoneAlarm Extreme Security release history official page

Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process.

Founders Fund leads $100 million Series-C financing, gaining the email security startup unicorn status two years after its launch.

Redwood City, Calif., May 11, 2022 – Material Security, a company that can protect email accounts even after they have been compromised, today announced it has secured $100 million in Series-C funding at a valuation of $1.1 billion. The round is led by Founders Fund, with participation from previous backers Andreesen Horowitz, Silicon Valley solo capitalist Elad Gil and other high-profile individual tech investors, gaining the company unicorn status just two years after the official launch of its product suite. Material Security is also announcing new referenceable customers including Chubb, Compass, Roblox and Brex, to add to leading brands like Lyft, Mars, Databricks and DoorDash.

Founded by former Dropbox technologists in the wake of the 2016 Election Hack, Material Security is a pioneer of using “zero trust” security techniques to protect email. Its patented security technology is trusted by government agencies, media and manufacturing conglomerates, leading financial institutions, the most targeted companies in Silicon Valley, and high-profile personalities including billionaires and celebrities.

“The fundamental idea behind ‘zero trust’ is that it assumes a bad actor is going to find a way past the perimeter into your systems. But historically, email security has just focused on blocking suspicious messages,” said Ryan Noon, co-founder and CEO of Material Security. “Whether it’s a large global organization like News Corp. or a local health care provider, we are still seeing an overwhelming number of email and data security breaches occur on a regular basis. At Material, we begin with the assumption that a hacker is already in your email and limit the damage they can do.”

Material’s Leak Prevention feature, for example, automatically redacts sensitive content in email, keeping it safe in the event of a breach. Users can still access original messages via identity-protection apps that their company already uses. “Not all emails are created equal,” said Abhishek Agrawal, co-founder and CTO of Material Security. "Some messages are so critical that they deserve an extra layer of verification. But the way email works today is that it treats every message identically."

Bringing Material Security’s total investment to $166 million since its founding, this latest round of funding will be used to scale the company’s sales and marketing teams, extend the product into new areas (including a larger footprint in government) and expand internationally.

“As the U.S. government doubles down on ‘zero trust’ and organizations are increasingly vulnerable to cyber threats given geopolitical crises, Material Security is poised to minimize the risks associated with email hacks,” said Trae Stephens, partner at Founders Fund. “We are excited to partner with this innovative team at such a critical point in their growth trajectory.”

###

**About Material Security**

Material Security is taking a fresh approach to solving one of the most fundamental problems in security: protecting the data sitting in email. Material Security protects accounts even after they're compromised or harmful messages get through. It is entirely cloud-based, deploys in 30 minutes, and can be exclusively managed by the customer. Material Security was founded in 2017 and is headquartered in Redwood City. For more information visit www.material.security.

**About Founders Fund**

Founders Fund invests in the world’s most important and valuable companies across all geographies, sectors and stages. The firm’s partners have been founders and early funders of companies including PayPal, SpaceX, Palantir, Anduril, Airbnb, Stripe and Facebook. Founders Fund pursues a founder-friendly investment strategy, providing maximum support with minimum interference. More information is available at www.foundersfund.com.

Material Security Reaches $1.1 Billion Valuation for ‘Zero Trust’ Security on Microsoft and Google Email

Europe’s proposed child protection laws could undermine end-to-end encryption for billions of people.

All of your WhatsApp photos, iMessage texts, and Snapchat videos could be scanned to check for child sexual abuse images and videos under newly proposed European rules. The plans, experts warn, may undermine the end-to-end encryption that protects billions of messages sent every day and hamper people’s online privacy.

The European Commission today revealed long-awaited proposals aimed at tackling the huge volumes of child sexual abuse material, also known as CSAM, uploaded to the web each year. The proposed law creates a new EU Centre to deal with child abuse content and introduces obligations for tech companies to “detect, report, block and remove” CSAM from their platforms. The law, announced by Europe’s commissioner for home affairs, Ylva Johansson, says tech companies have failed to voluntarily remove abuse content, and it has been welcomed by child protection and safety groups.

Under the plans, tech companies—ranging from web hosting services to messaging platforms—can be ordered to “detect” both new and previously discovered CSAM, as well as potential instances of “grooming.” The detection could take place in chat messages, files uploaded to online services, or on websites that host abusive material. The plans echo an effort by Apple last year to scan photos on people’s iPhones for abusive content before it was uploaded to iCloud. Apple paused its efforts after a widespread backlash.

If passed, the European legislation would require tech companies to conduct risk assessments for their services to assess the levels of CSAM on their platforms and their existing prevention measures. If necessary, regulators or courts may then issue “detection orders” that say tech companies must start “installing and operating technologies” to detect CSAM. These detection orders would be issued for specific periods of time. The draft legislation doesn’t specify what technologies must be installed or how they will operate—these will be vetted by the new EU Centre—but says they should be used even when end-to-end encryption is in place.

The European proposal to scan people’s messages has been met with frustration from civil rights groups and security experts, who say it’s likely to undermine the end-to-end encryption that’s become the default on messaging apps such as iMessage, WhatsApp, and Signal. “Incredibly disappointing to see a proposed EU regulation on the internet fail to protect end-to-end encryption,” WhatsApp head Will Cathcart tweeted. “This proposal would force companies to scan every person's messages and put EU citizens' privacy and security at serious risk.” Any system that weakens end-to-end encryption could be abused or expanded to look for other types of content, researchers say.

“You either have E2EE or you don’t,” says Alan Woodward, a cybersecurity professor from the University of Surrey. End-to-end encryption protects people’s privacy and security by ensuring that only the sender and receiver of messages can see their content. For example, Meta, the owner of WhatsApp, doesn’t have any way to read your messages or mine their contents for data. The EU’s draft regulation says solutions shouldn’t weaken encryption and says it includes safeguards to ensure this doesn’t happen; however, it doesn’t give specifics for how this would work.

“That being so, there is only one logical solution: client-side scanning where the content is examined when it is decrypted on the user's device for them to view/read,” Woodward says. Last year, Apple announced it would introduce client-side scanning—scanning done on people’s iPhones rather than Apple’s servers—to check photos for known CSAM being uploaded to iCloud. The move sparked protests from civil rights groups and even Edward Snowden about the potential for surveillance, leading Apple to pause its plans a month after initially announcing them. (Apple declined to comment for this story.)

For tech companies, detecting CSAM on their platforms and scanning some communications is not new. Companies operating in the United States are required to report any CSAM they find or that is reported to them by users to the National Center for Missing and Exploited Children (NCMEC), a US-based nonprofit. More than 29 million reports, containing 39 million images and 44 million videos, were made to NCMEC last year alone. Under the new EU rules, the EU Centre will receive CSAM reports from tech companies.

“A lot of companies are not doing the detection today,” Johansson said in a press conference introducing the legislation. “This is not a proposal on encryption, this is a proposal on child sexual abuse material,” Johansson said, adding that the law is “not about reading communication” but detecting illegal abuse content.

At the moment, tech companies find CSAM online in different ways. And the amount of CSAM found is increasing as tech companies get better at detecting and reporting abuse—although some are much better than others. In some cases, AI is being used to hunt down previously unseen CSAM. Duplicates of existing abuse photos and videos can be detected using “hashing systems,” where abuse content is assigned a fingerprint that can be spotted when it’s uploaded to the web again. More than 200 companies, from Google to Apple, use Microsoft's PhotoDNA hashing system to scan millions of files shared online. However, to do this, systems need to have access to the messages and files people are sending, which is not possible when end-to-end encryption is in place.

“In addition to detecting CSAM, obligations will exist to detect the solicitation of children (‘grooming’), which can only mean that conversations will need to be read 24/7,” says Diego Naranjo, head of policy at the civil liberties group European Digital Rights. “This is a disaster for confidentiality of communications. Companies will be asked (via detection orders) or incentivized (via risk mitigation measures) to offer less secure services for everyone if they want to comply with these obligations.”

Discussions about protecting children online and how this can be done with end-to-end encryption are hugely complex, technical, and combined with the horrors of the crimes against vulnerable young people. Research from Unicef, the UN’s children’s fund, published in 2020 says encryption is needed to protect people’s privacy—including children—but adds that it “impedes” efforts to remove content and identify the people sharing it. For years, law enforcement agencies around the world have pushed to create ways to bypass or weaken encryption. “I’m not saying privacy at any cost, and I think we can all agree child abuse is abhorrent,” Woodward says, “but there needs to be a proper, public, dispassionate debate about whether the risks of what might emerge are worth the true effectiveness in fighting child abuse.”

Increasingly, researchers and tech companies have been focusing on safety tools that can exist alongside end-to-encryption. Proposals include using metadata from encrypted messages—the who, how, what, and why of messages, not their content—to analyze people’s behavior and potentially spot criminality. One recent report by the nonprofit Business for Social Responsibility, which was commissioned by Meta, found that end-to-end encryption is an overwhelmingly positive force for upholding people's human rights. It suggested 45 recommendations for how encryption and safety can go together and not involve access to people’s communications. When the report was published in April, Lindsey Andersen, BSR's associate director for human rights, told WIRED: “Contrary to popular belief, there actually is a lot that can be done even without access to messages.”

The EU Wants Big Tech to Scan Your Private Chats for Child Abuse

May's Patch Tuesday includes one actively exploited zero-day vulnerability and some other interesting ones.
The post Update now! Microsoft releases patches, including one for actively exploited zero-day appeared first on Malwarebytes Labs.

Posted: May 11, 2022 by

Microsoft has released patches for 74 security problems, including fixes for seven “critical” vulnerabilities, and an actively exploited zero-day vulnerability that affects all supported versions of Windows.

First, we’ll look at the actively exploited zero-day. Then we’ll discuss two zero-days that are publicly disclosed, but so far no in the wild exploits have been reported. And we’ll finish off with a few others that are worth keeping an eye on.

**LSA spoofing zero-day**

Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that allows unauthenticated attackers to remotely force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol.

CVE-2022-26925: An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. The security update detects anonymous connection attempts in LSARPC and disallows it.

LSA (short for Local Security Authority) is a protected Windows subsystem that enforces local security policies and validates users for local and remote sign-ins. LSARPC is a protocol that enables a set of remote procedure calls (RPCs) to the LSA. Microsoft warns that the CVSS score would be 9.8 out of 10 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

The attack vector is closely related to the PetitPotam attacks we saw last year. If you are looking which patches to prioritize, this vulnerability affects all servers but domain controllers should be prioritized in terms of applying security updates.

**Windows Hyper-V vulnerability**

CVE-2022-22713: A denial of service (DoS) vulnerability in Windows Hyper V. Successful exploitation of this vulnerability requires an attacker to win a race condition. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.

Hyper V is a native hypervisor, which means it can create virtual machines on x86-64 systems running Windows. The vulnerability only affects Windows Server (version 20H2) and Windows 10 x-64 based systems (versions 20H2 , 21H1, 21H2).

**Redshift driver**

CVE-2022-29972: A vulnerability that affects the Amazon Redshift ODBC and JDBC drivers and Amazon Athena ODBC and JDBC drivers due to improper validation of authentication tokens which may allow for unintended program invocation.

Microsoft products Azure Synapse Pipelines and Azure Data Factory are affected by a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver. An ODBC driver uses the Open Database Connectivity (ODBC) interface by Microsoft that allows applications to access data in database management systems (DBMS) using SQL (Structured Query Language) as a standard for accessing the data.

The vulnerability was dubbed SynLapse by the researchers that discovered it. They believe the tenant separation in the Microsoft Azure Synapse service is insufficiently robust to protect secrets against other tenants.

**Windows Network File System**

Next is a Remote Code Execution (RCE) vulnerability affecting Windows Network File System (NFS) listed under CVE-2022-26937. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Microsoft considers it likely to be exploited and it is one of the highest-rated vulnerabilities of the month with a CVSS score of 9.8 out of 10.

**Point-to-Point Tunneling Protocol**

CVE-2022-21972: a Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. A remote access server (RAS) is a type of server that provides a suite of services to remotely connected users over a network or the Internet.

CVE-2022-23270: another Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

Successful exploitation of these two vulnerabilities requires an attacker to win a race condition.

**Other updates**

Microsoft is not the only vendor to issue patches. Here are some other that may deserve your attention.

*   Adobe
*   Google Chrome
*   Cisco
*   F5 BIG-IP
*   Opera

Stay safe, everyone!

**RELATED ARTICLES**

February 21, 2022 - The most important and interesting security stories from the last seven days.

February 14, 2022 - Users of Adobe Commerce and Magento are vulnerable to a zero-day with a CVSS score of 9.8 out of 10.

November 10, 2021 - Another Patch Tuesday has come around, and while it may seem as a calm one for a change, there is enough to patch and update.

July 19, 2021 - A roundup of all the most interesting cybersecurity news stories, articles, and happenings of the previous seven days.

June 9, 2021 - A great many patches from different vendors have been released in the June security updates for Microsoft, Android, SAP, Cisco, and Adobe.

Update now! Microsoft releases patches, including one for actively exploited zero-day

IceApple's 18 separate modules include those for data exfiltration, credential harvesting, and file and directory deletion, CrowdStrike warns.

A likely China-based, state-sponsored threat actor has been deploying a sophisticated post-exploitation malware framework on Microsoft Exchange servers at organizations in the technology, academic, and government sectors across multiple regions since at least last fall.

The goal of the campaign appears to be intelligence gathering and is tied to a targeted state-sponsored campaign, according to researchers at CrowdStrike. The security vendor is tracking the framework as "IceApple" and described it in a report this week as made up of 18 separate modules with a range of functions that include credential harvesting, file and directory deletion, and data exfiltration.

CrowdStrike's analysis shows the modules are designed to run only in-memory to reduce the malware's footprint on an infected system — a tactic that adversaries often employ in long-running campaigns. The framework also has several other detection-evasion techniques that suggest the adversary has deep knowledge of Internet Information Services (IIS) Web applications. For instance, CrowdStrike observed one of the modules leveraging undocumented fields in IIS software that are not intended to be used by third-party developers.

Over the course of their investigation of the threat, CrowdStrike researchers saw evidence of the adversaries repeatedly returning to compromised systems and using IceApple to execute post-exploitation activities.

Param Singh, vice president of CrowdStrike's Falcon OverWatch threat-hunting services, says IceApple is different from other post-exploitation toolkits in that it is under constant ongoing development even as it is being actively deployed and used. "While IceApple has been observed being deployed on Microsoft Exchange Server instances, it is actually capable of running under any IIS Web application," Singh says.

**Microsoft .NET Link  
**CrowdStrike discovered IceApple while developing detections for malicious activity involving so-called reflective .NET assembly loads. MITRE defines reflective code loading as a technique that threat actors use to conceal malicious payloads. It involves allocating and executing payloads directly in the memory of a running process. Reflectively loaded payloads can include complied binaries, anonymous files, or just bits of fileless executables, according to MITRE. Reflective code loading is like process injection except that code is loaded into a process's own memory rather than that of another process, MITRE has noted.

**".**NET assemblies form the cornerstone of Microsoft’s .NET framework," Singh says. "An assembly can function as either a stand-alone application in the form of an EXE file or as a library for use in other applications as a DLL."

CrowdStrike discovered IceApple in late 2021 when a detection mechanism it was developing for reflective .NET assembly loads triggered on an Exchange Server at a customer location. The company's investigation of the alert showed anomalies in several .NET assembly files, which in turn led to the discovery of the IceApple framework on the system.

**Active Cyberattack Campaign  
**IceApple's modular design gave the adversary a way to build each piece of functionality into its own .NET assembly and then reflectively load each function only as needed. "If not caught, this technique can leave security defenders completely blind to such attacks," Singh says. "For example, defenders will see a legitimate application like a Web server connecting out to a suspicious IP; however, they have no means of knowing what code is triggering that connection."

Singh says CrowdStrike found IceApple to be using a couple of unique tactics to evade detection. One of them is to use undocumented fields in IIS. The other is to blend into the environment by using assembly file names that appear to be normal IIS temporary files. "At closer inspection, the file names are not randomly generated, as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS," Singh says.

The IceApple framework is designed to exfiltrate data in several ways. For instance, one of the modules, known as the File Exfiltrator module, allows for a single file to be pilfered from the target host. Another module, called the multifile exfiltrator, allows for multiple files to be encrypted, compressed, and exfiltrated, according to Singh.

"This campaign is currently active and effective," he warns. "But it is unknown at the moment how many organizations may have been impacted by this campaign beyond where CrowdStrike has visibility and those that might have been indirectly impacted via supply chain or other methods."

Cyber-Espionage Attack Drops Post-Exploit Malware Framework on Microsoft Exchange Servers

An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.
Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2)

An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.

Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.

"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including China, Pakistan, and Saudi Arabia," Vitor Ventura, lead security researcher at Cisco Talos, told The Hacker News.

"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise."

Bitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.

The earliest attacks were distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws — CVE-2021-1732 and CVE-2021-28310 — to its advantage and accomplish its adversarial objectives.

The latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).

As is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan; dubbed "ZxxZ."

ZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.

"The trojan masquerades as a Windows Security update service and allows the

malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools," the researchers explained.

While the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor (CVE-2017-11882), the Excel file abuses two remote code execution flaws, CVE-2018-0798 and CVE-2018-0802, to activate the infection sequence.

"Actors often change their tools to avoid detection or attribution, this is part of the lifecycle of a threat actor showing its capability and determination," Ventura said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft