VBA RAT relies on template injection to drop a full-featured Remote Access Trojan. The suspicious document, named “Manifest.docx”, loads two templates: one is macro-enabled and the other is an HTML object. The Internet Explorer exploit (CVE-2021-26411) earlier used by Lazarus APT is an unusual discovery. Attackers are using social engineering techniques to infect targets.
The VBA RAT performs the following actions:
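Added illustration of the template-injection mechanism named above, from a triage perspective (this is not code from the advisory or from any analysis of the actual “Manifest.docx” sample): a .docx is a ZIP of XML parts, and a remote template is referenced through an attachedTemplate relationship in word/_rels/settings.xml.rels whose TargetMode is External; an external HTML or OLE object is likewise an External-mode relationship. The scanner below reads every .rels part and reports http(s) targets, flagging the template case separately. The in-memory sample document builder, the function names and the example.invalid URL are constructed for this example.

```python
"""Scan a .docx for remote (External) relationships such as an injected template.

Added example; the sample document and URL below are constructed fixtures,
not artifacts from the "Manifest.docx" sample described in the advisory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = REL_TYPE_BASE + "attachedTemplate"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def find_external_relationships(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Return every relationship that points to an http(s) URL outside the package.

    Word resolves a remote template via word/_rels/settings.xml.rels, so a hit
    with is_template=True is the template-injection pattern; other hits cover
    external objects (an HTML object, a linked OLE part) referenced by URL.
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and URL_RE.match(target):
                    rel_type = rel.get("Type", "")
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel_type.rsplit("/", 1)[-1],
                        "target": target,
                        "is_template": rel_type == ATTACHED_TEMPLATE,
                    })
    return findings


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Build a minimal constructed .docx in memory (test fixture, not a real sample).

    With template_url set, word/settings.xml carries an attachedTemplate whose
    relationship is External, which is how a remote template is referenced.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    root_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    settings = (f'<w:settings xmlns:w="{WORD_NS}" '
                f'xmlns:r="{REL_TYPE_BASE[:-1]}">')
    settings_rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_url:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        settings_rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    settings += '</w:settings>'
    settings_rels += '</Relationships>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{WORD_NS}"/>')
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL on the reserved .invalid TLD; stands in for any remote host.
    for label, url in (("clean", None), ("remote template", "http://example.invalid/template.dotm")):
        hits = find_external_relationships(build_sample_docx(url))
        print(f"{label}: {hits if hits else 'no external relationships'}")
```

Run it against a real file with `find_external_relationships(open(path, "rb").read())`; a `.dotm` or `.docm` container can be scanned the same way, since the relationship parts have the same layout. A hit with `is_template` set is the pattern the advisory describes and a reasonable trigger for sandbox detonation or blocking at the mail gateway.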
Collects victim’s info
Identifies the AV product running on a victim’s machine
Uploads and downloads files
Reads disk and file systems information
CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of objects in memory. By persuading a victim to open specially crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
Use Microsoft Automatic Update to apply the appropriate patch for your system, or use the Microsoft Security Update Guide to search for available patches.