{"id":2947,"date":"2024-11-17T14:06:57","date_gmt":"2024-11-17T14:06:57","guid":{"rendered":"https:\/\/aegislens.com\/home\/?p=2947"},"modified":"2024-11-17T14:06:57","modified_gmt":"2024-11-17T14:06:57","slug":"russian-hackers-unleash-rat-malware-through-new-ntlm-vulnerability-via-phishing-emails","status":"publish","type":"post","link":"https:\/\/aegislens.com\/home\/russian-hackers-unleash-rat-malware-through-new-ntlm-vulnerability-via-phishing-emails\/","title":{"rendered":"Russian Hackers Unleash RAT Malware Through New NTLM Vulnerability via Phishing Emails"},"content":{"rendered":"

week.<\/p>\n

Attack Details<\/strong><\/p>\n

The threat group, dubbed ‘Fancy Bear’ by cybersecurity researchers, exploited the NTLM vulnerability by initiating a man-in-the-middle (MitM) attack to impersonate a legitimate domain controller.<\/p>\n

The actor then induced victims’ systems to send an NTLM authentication request over a network connection, eventually capturing an NTLM hash without the need for physical access to the machine.<\/p>\n

The captured hash was then used for malicious purposes, mainly deploying a Remote Access Trojan (RAT) via phishing emails, giving the attackers covert, remote access to the victims’ computers.<\/p>\n

Majorly, Le Chiffre RAT known for its keylogging and spyware capabilities was being distributed.<\/p>\n

Technical Breakdown<\/strong><\/p>\n

The attack follows a sequenced pattern.<\/p>\n

An initial email is sent to the victim, carrying a malicious link or attachment, which when accessed, exploits the NTLM flaw.<\/p>\n

The unsuspecting victim, assuming it to be legitimate, sends an NTLM authenticate message which is intercepted, and the hash value is extracted.<\/p>\n

Once the attackers are in possession of the NTLM hash, they can use a technique called Pass-the-Hash to authenticate themselves on the network, impersonating the victim’s identity.<\/p>\n

The Le Chiffe RAT is then masked in an email, seemingly from a trusted source, and sent to the user to establish a backdoor for persistent, remote access.<\/p>\n

Mitigation Measures<\/strong><\/p>\n

Given the concerning nature of this attack, it is crucial for businesses and individuals to ensure they have installed the recent Microsoft patches that address this NTLM security vulnerability.<\/p>\n

Furthermore, they should adopt best practices in cybersecurity hygiene.<\/p>\n

Employing reliable cybersecurity solutions, providing extensive staff training, and maintaining a healthy skepticism towards unexpected emails will contribute significantly towards safeguarding systems against such sophisticated threats.<\/p>\n

It is also recommended to disable NTLM where not needed and instead, rely on Kerberos, a more secure authentication protocol.<\/p>\n

Limiting inbound NTLM traffic to an essential minimum and adopting network-level authentication can further help mitigate the risk.<\/p>\n

Follow-Up Reading<\/i><\/p>\n