Check Point Research

Winsage
April 17, 2025
A vulnerability in Windows, identified as CVE-2025-24054, is being actively exploited in phishing campaigns targeting government and private sectors. Initially addressed in Microsoft's March 2025 Patch Tuesday, it was not considered actively exploited at that time. Researchers from Check Point reported increased exploitation activities shortly after the patches were released, particularly between March 20 and 25, 2025. Some attacks were linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability allows attackers to capture NTLM hashes through phishing emails containing manipulated .library-ms files that trigger the flaw when interacted with. Check Point noted that subsequent attacks involved .library-ms files sent directly, requiring minimal user interaction to exploit. The malicious files also included additional components that exploit older vulnerabilities related to NTLM hash leaks. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated as medium severity, the potential for authentication bypass and privilege escalation makes it a significant concern, prompting recommendations for organizations to install updates and disable NTLM authentication if not necessary.
Winsage
April 17, 2025
Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.
Tech Optimizer
April 15, 2025
Security researchers have developed a new malware process injection technique called "Waiting Thread Hijacking" (WTH), which executes harmful code within legitimate processes while avoiding detection by security measures. This method improves upon traditional Thread Execution Hijacking by using a different sequence of operations that bypasses commonly monitored API calls. WTH involves allocating memory and injecting malicious payloads using standard functions, identifying dormant threads within the target process, acquiring thread context with less suspicious permissions, and overwriting the return address on the stack with the injected shellcode. The technique ensures stability by preserving the original state of the thread and allows it to resume normal operations after executing the malicious code. Additionally, WTH employs an obfuscation technique that distributes its steps across multiple child processes to evade behavioral detection systems. While WTH can avoid many conventional detection triggers, it is not completely immune, as some Endpoint Detection and Response (EDR) solutions can block unauthorized memory writes. Check Point Research has observed that WTH is effective against certain EDRs while others can block it but not older methods, illustrating the variability in EDR capabilities.
AppWizard
October 3, 2024
Security experts at Check Point Research have warned Android users to examine their smartphones and recently installed applications due to a malicious app that stole approximately £54,000 from users. The fraudulent application, disguised as WalletConnect, was available on the official Google Play Store for over five months and was downloaded around 10,000 times. It drained digital currencies, including NFTs, by exploiting the trusted WalletConnect service and using fake reviews to appear legitimate. The attackers employed phishing techniques and smart contracts to deceive users into authorizing fraudulent transactions. Although Google has removed the app, users are advised to delete it if they suspect they have downloaded it. This incident highlights the sophistication of cybercriminal tactics in the decentralized finance sector, emphasizing the need for users to be cautious about the applications they download.
AppWizard
October 1, 2024
A cybersecurity firm identified a malicious application called WalletConnect – Airdrop Wallet in the Google Play Store, designed to steal cryptocurrency from users. The app evaded detection for over five months after its introduction in March 2024, targeting Android users and employing evasion techniques to appear legitimate. It exploited the credibility of the WalletConnect protocol and siphoned approximately ,000 (around 58.6 lakh) in cryptocurrency from victims. The app achieved over 10,000 downloads by using fake positive reviews and advanced crypto drainer toolkits to manipulate search rankings. Users were misled into connecting their wallets and directed to phishing sites, resulting in unauthorized transactions. Despite some negative reviews, the developers countered with fake positive feedback to maintain the app's appearance of legitimacy.
AppWizard
September 29, 2024
Check Point Research has identified the first crypto drainer app on the Play Store, which targeted mobile users and was designed to connect decentralized applications with user wallets. The app, which masqueraded as a tool for the Web3 WalletConnect protocol, evaded detection for five months and was downloaded over 10,000 times before being removed. It resulted in the theft of at least 0,000. Once activated, the app directed users to a fraudulent website to verify their wallets and authorize transactions, allowing it to gather sensitive information and withdraw higher-value tokens first. Despite the limited number of identified victims, the app's presence raised concerns about the sophistication of cybercriminal tactics in the decentralized finance sector. Google’s Play Protect has been enhanced to prepare for future threats, and the Play Store is committed to eliminating low-quality apps as Android 15 approaches its release.
AppWizard
September 27, 2024
A fraudulent application named WalletConnect was discovered in the Google Play Store, designed to mislead web3 users by mimicking the legitimate WalletConnect protocol. The app, which gained over 10,000 installations, prompted users to connect their cryptocurrency wallets, leading them to authorize transactions that redirected them to a malicious website. This site collected sensitive information and executed token transfers from victims' wallets, marking the first instance of a "crypto drainer" targeting mobile device users. Despite Google Play Protect, the app remained on the Play Store for five months, resulting in approximately ,000 in stolen cryptocurrency before its removal. Users are advised to uninstall the app immediately.
Winsage
September 18, 2024
A vulnerability in Windows, tracked as CVE-2024-43461, has been reclassified as previously exploited after being used in attacks by the Void Banshee APT group to deploy information-stealing malware. Initially disclosed in September 2024, it was confirmed to have been exploited before the fix was issued. The flaw was discovered by Peter Girnus from Trend Micro, who noted that it was used in zero-day attacks alongside another vulnerability, CVE-2024-38112. The attacks involved malicious HTA files disguised as PDFs, utilizing braille whitespace characters to hide the true file extension. Following the security update, Windows now accurately displays the .hta extension, although the presence of whitespace may still mislead users. Microsoft also addressed three other actively exploited zero-days during the September Patch Tuesday.
Winsage
September 18, 2024
Microsoft has reclassified a bug from its September Patch Tuesday update as a zero-day vulnerability, designated CVE-2024-43461, which has been exploited by the threat group "Void Banshee" since before July. This vulnerability affects all supported versions of Windows and allows remote attackers to execute arbitrary code if a victim visits a malicious webpage or clicks an unsafe link. Initially rated 8.8 on the CVSS scale, Microsoft revised its assessment after discovering active exploitation linked to another vulnerability, CVE-2024-38112, which was patched in July 2024. To protect against CVE-2024-43461, Microsoft recommends applying patches from both the July and September updates. CISA added this flaw to its known exploited vulnerabilities database, setting an implementation deadline of October 7 for federal agencies. The vulnerability enables attackers to manipulate browser interfaces and has been used by Void Banshee to deploy Atlantida malware through deceptive files. The coordinated attack chain involving CVE-2024-43461 and CVE-2024-38112 exploits the legacy MSHTML engine, which remains in Windows for compatibility. A study indicated that over 10% of Windows 10 and 11 systems lack endpoint protection, increasing vulnerability to such exploits.
Winsage
September 18, 2024
Microsoft confirmed that the vulnerability CVE-2024-43461 in Internet Explorer was exploited as a zero-day before it could be patched. This flaw, rated 8.8 on the CVSS severity scale, allows attackers to obscure file-type extensions of downloaded files, potentially executing malicious code on users' systems. The vulnerability was reported by Peter Girnus from Trend Micro's Zero Day Initiative (ZDI) and was exploited by the malware-spreading group Void Banshee in conjunction with another vulnerability, CVE-2024-38112. The exploit chain involved using a specially crafted Windows Internet Shortcut file to trigger CVE-2024-43461, leading to the deployment of the Atlantida malware. Microsoft issued a patch for CVE-2024-38112 in July and confirmed the exploitation of CVE-2024-43461 prior to its patch in September. ZDI disclosed the file-type spoofing flaw on July 19, and Microsoft urged customers to apply both updates for comprehensive protection.