Cybercriminals Exploit Weaponized ZIP Files to Acquire NTLM Hashes

Cyber adversaries utilize ZIP files as a means to weaponize them, leveraging the ease of concealing malicious payloads within compressed archives. This tactic poses a challenge for security systems, as detecting and analyzing the contents of such files becomes increasingly complex.

These files can serve as conduits for delivering multiple payloads to target users, enabling attackers to exploit vulnerabilities or execute various malicious operations once the files are extracted.

Cybercriminals Exploit Weaponized ZIP

Recently, cybersecurity analysts at ANY.RUN uncovered active exploitation by hackers utilizing weaponized ZIP files to pilfer NTLM hashes.

The ingenious aspect lies in the intricate crafting of a 450-byte template for this HTML page. This page facilitates encrypted HTTP traffic redirection through multiple nodes. Facilitating this process is Google App Script (GAS), which receives requests from compromised systems.

Furthermore, the attackers employ the SMB protocol for implementation, utilizing the impacket-smbserver tool on their servers. This integration adds complexity and sophistication, indicative of a meticulously planned cyber strategy.

When the HTML content is opened, the attackers obtain the following user data:

• IP address
• NTLM challenge data
• Username
• Victim’s computer name

MITRE

• Phishing (T1566)
• User and PC name enumeration (T1589)
• NTLM compromise (T1187)

Recommendation

To block these exploits effectively, consider implementing the following recommendations:

1. Security Awareness Training: Educate users about the risks associated with opening attachments or clicking on links from unknown or suspicious sources.
2. Email Filtering: Utilize advanced email filtering solutions to detect and block malicious attachments and links before they reach users’ inboxes.
3. Web Filtering: Employ web filtering tools to block access to known malicious websites and prevent users from inadvertently downloading malicious files.
4. Network Segmentation: Segment your network to limit the spread of malware in case of a successful breach. This can prevent attackers from easily moving laterally within your network.
5. Patch Management: Keep all software, including operating systems, web browsers, and plugins, up to date with the latest security patches to mitigate known vulnerabilities.
6. Antivirus and Anti-Malware Software: Deploy robust antivirus and anti-malware solutions across all endpoints to detect and remove malicious files and activities.
7. Behavioral Analysis: Implement security solutions that use behavioral analysis techniques to identify and block suspicious activities, such as abnormal file behavior or network traffic patterns.
8. Disable SMBv1: Consider disabling the outdated SMBv1 protocol, which is commonly exploited by attackers, and encourage the use of more secure versions like SMBv2 or SMBv3.
9. Network Monitoring: Monitor network traffic and system logs for signs of unusual or suspicious activity, which could indicate a potential exploit attempt.
10. Incident Response Plan: Develop and regularly update an incident response plan to ensure a prompt and coordinated response to security incidents, including the mitigation of exploits and the restoration of affected systems.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!