TA505, aka Evil Corp, uses fake software updates in its attacks.
Microsoft has warned users that the Russian cybercriminal group TA505 is exploiting the Zerologon vulnerability in its attacks.
The attacks recorded by experts use fake software updates that connect to the C&C infrastructure, which information security experts associate with the TA505 grouping (CHIMBORAZO in the Microsoft classification). Fake updates are capable of bypassing User Account Control (UAC) and executing malicious scripts using the legitimate Windows Script Host tool (wscript.exe). During exploitation of the vulnerability, attackers use MSBuild.exe to add Zerologon functionality to Mimikatz.
The TA505 group, also known as Evil Corp, has been active for almost a decade and is known primarily for its attacks using banking Trojans and ransomware. Recently, cyber security experts presented evidence of TA505 cooperation with the North Korean cybercriminal group Lazarus.
Zerologon ( CVE-2020-1472 ) is a privilege escalation vulnerability in Windows Server. The problem is related to the use of an unreliable encryption algorithm in the Netlogon authentication mechanism. Zerologon allows you to simulate any computer on the network while authenticating to a domain controller, disable Netlogon security features, and change the password in the domain controller's Active Directory database.
Microsoft recently urged users to install its August security updates that partially fix the vulnerability, as Zerologon is already actively exploited by hackers, including Iranian ones . The August patch is only the first stage of the vulnerability fix - the second should be expected in February 2021.