Windows VCF Zero-Day Exploit Allows Remote Code Execution

A new unpatched vulnerability in Windows has been disclosed along with proof-of-concept exploit code. It could allow hackers to more easily install malware on computers, but it requires user interaction.

The vulnerability was discovered by a security researcher named John Page, aka hyp3rlinx, who reported it to Microsoft in August through Trend Micro’s Zero Day Initiative (ZDI) program. According to ZDI, Microsoft initially planned to fix the flaw during this month’s Patch Tuesday, but then changed its mind and pushed the fix back to the next Windows feature update, expected in April.

AWS Builder Community Hub

“The vendor wrote to ZDI to advise that ‘engineering team had decided to pursue the fix as v.Next’ and ‘Microsoft has decided that it will not be fixing this vulnerability and we are closing this case’,” ZDI said in its advisory.

As the 90-day standard disclosure deadline has passed, both ZDI and Page decided to make the vulnerability public and released advisories.

The flaw is located in the code that processes VCF (vCard) files, which are used to store electronic business cards. Microsoft Outlook supports the vCard and vCalendar standards and will automatically process such files when opened by users.

Attackers can insert a maliciously crafted hyperlink in the VCF file in a way that will actually cause a local file to be executed when the VCF file is opened and the URL is clicked by the user. Page’s proof-of-concept exploit involves creating a rogue CPL (Control Panel applet) file that gets executed by the VCF exploit.

“User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” the researcher said in his advisory.

This doesn’t mean the exploit isn’t useful for attackers. In fact, a lot of malware is distributed via rogue email attachments, and while most users are thought not to open files with dangerous extensions, there was no reason to consider VCF potentially malicious until now.

Since the vulnerability will not be patched for a couple more months, there is plenty of time for hackers to start integrating it in their attacks. In the meantime, companies should train their employees to be wary of VCF files received from untrusted sources.

Malware Infection on Chilean Interbank Network Linked to Lazarus Group

Security researchers found evidence that a recent computer intrusion at Redbanc, an interbank network that links ATMs and banks in Chile, involved PowerRatankba, a malware toolkit with ties to North Korea’s Lazarus group.

Over the past several years, Lazarus has compromised multiple financial institutions from around the world, including cryprocurrency exchanges. Researchers believe that the group is controlled by North Korea’s Reconnaissance General Bureau (RGB) and that one of its goals is illegally obtaining funds for the government.

The Redbanc attack occurred in December and involved sophisticated social engineering, wherein a Redbanc IT staffer was tricked into installing the malware after applying to a job offer on social media. The attackers went as far as to hold a short interview with their victim in Spanish over Skype, which helped them establish their legitimacy and avoid raising suspicions when they sent the malicious file.

“Redbanc confirmed that the malware was installed on the company’s corporate network without triggering antivirus detection, however the threat has since been mitigated and did not impact company operations, services, or infrastructure,” researchers from security firm Flashpoint said in a report.

The malicious dropper was designed to act as a job application form, but in the background downloaded PowerRatankba, a tool used by the Lazarus group to perform reconnaissance and install additional implants on compromised machines.

“Lazarus attacks appear to reportedly rely on social media and trusted relationships, which may elevate their abilities to execute and install their payloads,” the Flashpoint researchers warned. “As such, security awareness training—especially that which pertains to social media and social engineering—is also recommended.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin