Threat Report

Tuesday June 5, 2018

In this week’s report we cover two threats: a recent Microsoft Windows JScript vulnerability that has yet to be patched, and NavRAT, malware themed around the upcoming US-North Korea Summit.

Malware: Zero-Day Remote Code Execution Vulnerability Discovered in Microsoft Windows JScript

A new zero-day remote code execution vulnerability has been discovered in Microsoft Windows JScript that allows an attacker to run arbitrary code on vulnerable installations of Microsoft Windows. “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” To exploit the vulnerability, the attacker has to trick the victim into visiting a malicious web page or into downloading and opening a malicious JS file on the system. As of June 1st, no patch has been released, so up-to-date security content is key for detection until one is available.

Links:

Threat Post
Security Boulevard

Some Mitigation Strategies:
- File Integrity Management Solutions for file creation and modification
- Intrusion detection systems (IDS) to monitor for malicious communication and downloads
- 24x7 Security Monitoring with Focused Security Content for solid threat detection
- Web Filtration Technologies to screen incoming web sites
- Mail Filtration to capture potential files attached to phishing emails

Malware: NavRAT Malware Uncovered by Security Researchers

Security researchers at Talos Intelligence have recently uncovered NavRAT, a remote access trojan that has reportedly been quietly active since 2016. NavRAT is distributed through a malicious, decoy Hangul Word Processor (HWP) document named “미북 정상회담 전망 및 대비.hwp”, which translates to “Prospects for US-North Korea Summit.hwp”. The decoy document appears to be referring to the US-North Korea Summit scheduled for June 12, 2018. Known targets reside in South Korea. Researchers note that NavRAT is unique in that it uses Naver, an email platform popular in South Korea, as its command and control (C&C) server. NavRAT can reportedly download, upload, and execute commands, perform keylogging, and avoid detection through process injection, copying itself into an active Internet Explorer process. Researchers assess with a medium degree of confidence that North Korean APT Group 123 threat actor is behind the operation due to the techniques and procedures being of similar nature to those used in previous campaigns.
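Both items in this report arrive as a file the victim has to open: a malicious JS file for the JScript zero-day, and the decoy HWP document for NavRAT. The following is an added example (not the report author's or Talos's tooling) of the kind of mail-filtration triage the mitigation lists describe, run over constructed gateway log lines; the log format, the sender/attachment fields and the severity levels are assumptions, and the only page-specific indicator is the decoy document name quoted above.

```python
"""Attachment triage for the two delivery vectors in this report (added example)."""
import re
from typing import List, NamedTuple, Optional

# Decoy file name quoted in the report; the only page-specific indicator used here.
NAVRAT_DECOY = "미북 정상회담 전망 및 대비.hwp"

# Extensions the report ties to each threat. Assumption: the gateway logs one
# attachment per line in the form  from=<sender> attachment="<name>".
WATCHED_EXT = {".js": "JScript zero-day delivery vector", ".hwp": "NavRAT decoy format"}

LOG_RE = re.compile(r'from=(?P<sender>\S+)\s+attachment="(?P<name>[^"]+)"')


class Verdict(NamedTuple):
    sender: str
    attachment: str
    severity: str  # "high", "medium" or "info"
    reason: str


def triage(line: str) -> Optional[Verdict]:
    """Return a verdict for one gateway log line, or None if it is not an attachment event."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sender, name = m.group("sender"), m.group("name")
    if name == NAVRAT_DECOY:
        return Verdict(sender, name, "high", "exact match on NavRAT decoy document name")
    # Judge by the final extension so double extensions such as "invoice.pdf.js" are caught.
    tail = re.search(r"\.[^.]+$", name.lower())
    ext = tail.group(0) if tail else ""
    if ext in WATCHED_EXT:
        return Verdict(sender, name, "medium", f"{ext} attachment: {WATCHED_EXT[ext]}")
    return Verdict(sender, name, "info", "no watched extension")


def flagged(lines: List[str]) -> List[Verdict]:
    """Keep only verdicts an analyst should look at (medium or high)."""
    return [v for v in map(triage, lines) if v is not None and v.severity != "info"]


SAMPLE_LOG = [  # constructed lines, not real gateway output
    'from=hr@example.org attachment="agenda.docx"',
    'from=news@example.net attachment="미북 정상회담 전망 및 대비.hwp"',
    'from=billing@example.com attachment="Invoice_0612.pdf.js"',
    'from=team@example.org attachment="slides.pptx"',
    'from=unknown@example.net attachment="summit_brief.hwp"',
]

if __name__ == "__main__":
    for v in flagged(SAMPLE_LOG):
        print(f"[{v.severity}] {v.sender}: {v.attachment} ({v.reason})")
```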

Links:

Dark Reading
Talos Intelligence

Some Mitigation Strategies:

Stephen Coty
Contractor