Investigators have identified a host of IP addresses under the control of Knotweed.

"The exploit chain starts," explained Microsoft, "with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process." The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. "Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved."

Once in, the malware lurks in memory and can capture screenshots, perform keylogging, exfiltrate files, run a remote shell and download plug-ins from Knotweed's C2 server.

One deployment was traced to an Excel file masquerading as a real estate document containing a malicious Excel 4.0 macro (obfuscated with large chunks of text from the Kama Sutra). Other attacks were tracked in 2021, utilizing vulnerabilities patched that year. Reminder: if it looks like it came from a real estate agent.