Sophisticated Windows and Linux malware for stealing data and conducting cyber espionage has flown under the radar, disguised as a cryptominer.

Malware thought to be a mere cryptominer was actually a sophisticated spy platform for both Windows and Linux systems; it already has infected more than 1 million victims.

StripedFly was classified and widely dismissed as a largely ineffective malware for mining crypto when it was first detected in 2017. But since then, it has actually been operating as an intricate piece of modular malware that allows attackers to achieve persistence on networks and comprehensive visibility into their activity, as well as exfiltrate credentials and other data at will, researchers from Kaspersky revealed in a blog post published Oct. 26.

While StripedFly can indeed mine Monero cryptocurrency, that's just the tip of the iceberg for its capabilities — something the researchers discovered last year and investigated thoroughly before releasing their findings publicly.

"What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity," Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post.

Overall, the platform appears to be "a hallmark of APT malware" that includes a built-in Tor network tunnel for communication with command-and-control (C2) servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives, they revealed.

Moreover, StripedFly appears to have already infected more than 1 million systems based on updates the researchers obtained from a Bitbucket repository associated with the malware and created on June 21, 2018, under the account of someone using the name Julie Heilman.

The researchers said the discovery of the breadth of StripedFly is "astonishing," especially given that it has successfully evaded detection for some six years.

**Breaking Down StripedFly**

The core structure of the malware is as a monolithic binary executable code that supports various pluggable modules so attackers can extend or update its functionality. Each module — which either is there to provide a service or extended functionality — is responsible for implementing and managing its own callback function for communication with a C2 server.

The platform first manifests itself on a network as a PowerShell that appears to use as its initial entry mechanism a server message block (SMB) exploit that appears to be a custom version of EternalBlue, which was leaked in April 2017 and continues to threaten unpatched Windows servers.

StripedFly uses various methods for persistence depending on the availability of the PowerShell interpreter and the privileges granted to the process. "Typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server," the researchers wrote.

In terms of its modules, the malware has three to perform specific services related to its functionality, and six that actually execute that functionality. The service modules are for configuration storage, upgrading and uninstalling the malware, and reverse proxy.

The functionality modules are varied and comprehensive to provide attackers with a laundry list of capabilities, allowing them to consistently spy on the activities of a victim's network. In addition to the aforementioned Monero cryptominer, the modules are: a miscellaneous command handler; credential harvester, repeatable tasks that can take screenshots, record microphone input, and perform other tasks on a scheduled basis; a reconnaissance module that compiles extensive system information; SMBv1 and SSH infectors for penetration and worming capabilities.

The researchers also discovered a related ransomware variant called ThunderCrypt that shares the same underlying codebase and communicates with the same C2 server as StripedFly.

**Unsolved Mysteries**

The blog post includes numerous indicators of compromise and other websites and relevant data related to StripedFly to help organizations identify if they've been infected.

In the meantime, numerous questions still hover around StripedFly, including the true motive of its perpetrators — a question further muddled by the existence of a related ransomware component.

"While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead," the researchers wrote.

It's also still unclear if StripedFly is still active, since at the time of writing, the researchers observed only eight updates for Windows systems and four for Linux systems in the Bitbucket repository. This could indicate that "either there are minimal active infections," or that all the victims already infected by StripedFly are still actively communicating with its C2, they noted.

"Only those who crafted this enigmatic malware hold the answer," the researchers acknowledged. "It's difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary."

Complex Spy Platform StripedFly Bites 1M Victims

The Iranian threat actor known as Tortoiseshell has been attributed to a new wave of watering hole attacks that are designed to deploy a malware dubbed IMAPLoader.
"IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads," the PwC Threat Intelligence said in a Wednesday analysis.
"It uses email

The Iranian threat actor known as **Tortoiseshell** has been attributed to a new wave of watering hole attacks that are designed to deploy a malware dubbed IMAPLoader.

"IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads," the PwC Threat Intelligence said in a Wednesday analysis.

"It uses email as a \[command-and-control\] channel and is able to execute payloads extracted from email attachments and is executed via new service deployments."

Active since at least 2018, Tortoiseshell has a history of using strategic website compromises as a ploy to facilitate the distribution of malware. Earlier this May, ClearSky linked the group to the breach of eight websites associated with shipping, logistics, and financial services companies in Israel.

The threat actor is aligned with the Islamic Revolutionary Guard Corps (IRGC) and is also tracked by the broader cybersecurity community under the names Crimson Sandstorm (previously Curium), Imperial Kitten, TA456, and Yellow Liderc.

The latest set of attacks between 2022 and 2023 entails embedding malicious JavaScript in compromised legitimate websites to gather more details about the visitors, including their location, device information, and time of visits.

These intrusions focused primarily on the maritime, shipping and logistics sectors in the Mediterranean, in some cases leading to the deployment of IMAPLoader as a follow-on payload should the victim be deemed a high-value target.

IMAPLoader is said to be a replacement to a Python-based IMAP implant Tortoiseshell previously used in late 2021 and early 2022, owing to the similarities in the functionality.

The malware acts as a downloader for next-stage payloads by querying hard-coded IMAP email accounts, specifically checking a mailbox folder misspelled as "Recive" to retrieve the executables from the message attachments.

In an alternate attack chain, a Microsoft Excel decoy document is used as an initial vector to kick-start a multi-stage process to deliver and execute IMAPLoader, indicating that the threat actor is using a variety of tactics and techniques to realize its strategic goals.

PwC said it also discovered phishing sites created by Tortoiseshell, some of which are aimed at the travel and hospitality sectors within Europe, to conduct credential harvesting using fake Microsoft sign-in pages.

"This threat actor remains an active and persistent threat to many industries and countries, including the maritime, shipping, and logistics sectors within the Mediterranean; nuclear, aerospace, and defense industries in the U.S. and Europe; and IT managed service providers in the Middle East," PwC said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks

Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver

**Summary**

I spotted a potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/crypto/crypto\_stm32.c#L58-L61

**Details**

Potential buffer overflow due to ineffective assert check in /drivers/crypto/crypto\_stm32.c:

static void copy\_reverse\_words(uint8\_t \*dst\_buf, int dst\_len,
			       uint8\_t \*src\_buf, int src\_len)
{
	int i;

	\_\_ASSERT\_NO\_MSG(dst\_len >= src\_len); /\* VULN: assert \*/
	\_\_ASSERT\_NO\_MSG((dst\_len % 4) \== 0);

	memcpy(dst\_buf, src\_buf, src\_len); /\* VULN: buffer overflow \*/
	for (i \= 0; i < dst\_len; i += sizeof(uint32\_t)) {
		sys\_mem\_swap(&dst\_buf\[i\], sizeof(uint32\_t));
	}
}

The function copy\_reverse\_words() is called in a few locations that might be problematic, because src_len might be attacker-controlled:

*   crypto\_stm32\_ctr\_encrypt()
*   crypto\_stm32\_ctr\_decrypt()
*   crypto\_stm32\_session\_setup()

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked length above is confirmed to be attacker-controlled and if input crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution.

**Patches**

main: #61839

CVE-2023-5139: Potential buffer overflow vulnerability in the Zephyr STM32 Crypto driver

The Palantir Tiles1 service was  found to be vulnerable to an API wide issue where the service was not performing authentication/authorization on all the endpoints.



CVE-2023-30969: Palantir | Trust and Security Portal

Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a Path traversal issue allowing an unauthenticated user to read arbitrary files on the file system. 

CVE-2023-30967: Palantir | Trust and Security Portal

Incorrect access control in writercms v1.1.0 allows attackers to directly obtain backend account passwords via unspecified vectors.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-43905: CVE-paddle-/CVE-2023-43905..md at main · Playful-CR/CVE-paddle-

Xolo CMS v0.11 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.

CVE-2023-43906: CVE-paddle-/CVE-2023-43906 at main · Playful-CR/CVE-paddle-

era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vype version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The problem arises when there is a String or Array with more 256-bit words allocated than initialized. It results in the second word’s index unset, that is effectively set to 0, so the first immutable value with the actual 0 index is overwritten in the ImmutableSimulator. Version 1.3.10 fixes this issue by setting all indexes in advance. The problem will go away, but it will get more expensive if the user allocates a lot of uninitialized space, e.g. `String[4096]`. Upgrading and redeploying affected contracts is the only way of working around the issue.


CVE-2023-46232: Release v1.3.10 · matter-labs/era-compiler-vyper@8be305a

SQL Injection vulnerability in PHPGurukul Nipah virus (NiV) " Testing Management System v.1.0 allows a remote attacker to escalate privileges via a crafted request to the new-user-testing.php endpoint.

CVE-2023-46584: sec-research/NiV/CVE-2023-46584.md at main · rumble773/sec-research

Cross-Site Scripting (XSS) vulnerability in PHPGurukul Nipah virus (NiV) " Testing Management System v.1.0 allows attackers to execute arbitrary code via a crafted payload injected into the State field.

Tag

#git