Malware

Security Advisory

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

OEM

Microsoft

Severity

Critical

Date of Announcement

2024-12-12

CVE

Not yet assigned

Exploited in Wild

No

Patch/Remediation Available

Yes (No official patch)

Advisory Version

1.0

Vulnerability Name

NTLM Zero-Day

Overview

A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.

Vulnerability Name

CVE ID

Product Affected

Severity

NTLM zero-day

Not Yet Assigned

Microsoft Windows

Critical

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

Not Yet Assigned

Windows 7 to 11 (24H2), Server 2008 R2 to 2022

A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder.

Enables attackers to steal NTLM credentials and  gain unauthorized access of the affected systems.

Remediations

  • Apply the 0patch Micropatch:
    • Register for a free account at 0patch Central.
    • Install the 0patch agent to automatically receive the micropatch.
  • Disable NTLM Authentication:
    • Navigate to Security Settings > Local Policies > Security Options in Group Policy.
    • Configure “Network security: Restrict NTLM” policies to limit NTLM usage. 

General Recommendations

  • Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
  • Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
  • Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
  • Monitor systems for suspicious NTLM-related activity.

References

Security Advisory

Advisory on MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

Overview

In November 2024, a supply chain attack designated as MUT-8694 was identified, targeting developers relying on npm and PyPI package repositories. This campaign exploits trust in open-source ecosystems, utilizing typosquatting to distribute malicious packages. The malware predominantly affects Windows users, delivering advanced infostealer payloads.

MUT-8694 Campaign Details

The threat actors behind MUT-8694 use malicious packages that mimic legitimate libraries to infiltrate developer environments. The campaign employs techniques such as:

  • Typosquatting: Using package names that closely resemble popular or legitimate libraries.
  • Payload Delivery: Embedded scripts download malware such as Blank Grabber and Skuld Stealer hosted on GitHub and repl.it.
  • Targeted Ecosystems: npm and PyPI, critical platforms for developers.

             Source: Datadog

Key Findings

One identified package, larpexodus (version 0.1), executed a PowerShell command to download and run a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis revealed the binary was an infostealer malware, Blank Grabber, compiled from an open-source project hosted on GitHub. Further inspection of the repository exposed another stealer, Skuld Stealer, indicating the involvement of multiple commodity malware samples.

Capabilities of Malware

The deployed malware variants include advanced features that allow:

  • Credential Harvesting: Exfiltrating usernames, passwords, and sensitive data.
  • Cryptocurrency Wallet Theft: Targeting and compromising crypto assets.
  • Application Data Exfiltration: Stealing configuration files from popular applications

Affected Packages

Some known malicious packages include:

  • larpexodus (PyPI): Executes a PowerShell script to download malware.
  • Impersonations of npm libraries: Host binaries leading to infostealer deployment.

Remediation:

To mitigate the risks associated with this attack, users should:

  • Audit Installed Packages: Use tools like npm audit or pip audit to identify vulnerabilities.
  • Validate Package Sources: Verify package publishers and cross-check names carefully before installation.
  • Monitor Network Activity: Look for unusual connections to GitHub or repl.it domains.
  • Use Security Tools: Implement solutions that detect malicious dependencies.

General Recommendations:

  • Avoid downloading software from unofficial or unverified sources.
  • Regularly update packages and dependencies to the latest versions.
  • Conduct periodic security awareness training for developers and IT teams.

References:

Cybersecurity News

Godot Hijacked with Malware to infect Thousands of PC’s

Godot is a platform that host open source game development, where new Malware loader installed in its programming language

At least 17,000 devices were infected with infostealers and cryptojackers so far.

As per researchers cyber criminals have been building malicious code written in GDScript (Godot’s Python-like scripting language) calling on some 200 GitHub repositories and more than 220 Stargazer Ghost accounts.

Earlier hackers targeted the open sources gaming platform targeting users of the Godot Gaming Engine and researcher’s spotted that GodLoader would drop different malware to the infected devices mostly in RedLine stealer, and XMRig, a popular cryptojacker.

GodLoader, the researchers further explained, was downloaded at least 17,000 times, which is a rough estimate on the number of infected devices. However, the attack surface is much, much larger.

Check Point argues that in theory, crooks could hide malware in cheats, cracks, or modes, for different Godot-built games. Check Point detected four separate attack waves against developers and gamers between September 12 and October 3, enticing them to download infected tools and games.

Looking at the number of popular games developed with Godot, that would put the attack surface at approximately 1.2 million people.

Hackers delivered the GodLoader malware through the Stargazers Ghost Network, a malware Distribution-as-a-Service (DaaS) that masks its activities using seemingly legitimate GitHub repositories.

Technical Details

Godot does not register a file handler for “.pck” files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime.

There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

News Security Advisory

Analysis of WezRat Malware; Check point Findings

New CheckPoint research discovered a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.

Continue Reading
Scroll to top