Impact: Steals sensitive data, including login credentials and financial information.
🚨 Vulnerability of the Week
CrushFTP CVE-2023-43177
CVE-2023-43177 is a critical vulnerability identified in CrushFTP, a popular file transfer server. This vulnerability allows unauthenticated attackers with network access to potentially write files in the local file system and execute arbitrary system commands. The issue arises from a default behavior in CrushFTP that issues an anonymous authenticated session cookie, blurring the line between authenticated and unauthenticated users.
Technical Details
Vulnerability Origin: The vulnerability stems from the application’s handling of the as2-to header, which leads to the use of user-supplied input in the user_info session object.
Exploitation Mechanism: Attackers can control the location or the log file itself by manipulating specific request headers due to the as2-to header.
Key Headers for Exploitation:
user_log_path: Directory for moving files.
user_log_file: Filename to be moved.
user_log_path_custom: New location for writing logs.
dont_log: Prevents logging if not set to “true”.
Target File for Exploitation: The sessions.obj file in the application directory, which contains details about active sessions, is a prime target for exploitation.
Nuclei Templates for Detection
Detection on CrushFTP 10.5
Template ID: CVE-2023-43177
Description: Detects unauthenticated remote code execution vulnerability in CrushFTP versions prior to 10.5.1.
Severity: Critical
Flow: Consists of three HTTP requests to validate the vulnerability.
Detection on CrushFTP <= 10.4
Template ID: CVE-2023-43177
Description: Detects the same vulnerability in CrushFTP versions prior to 10.5.1, with a different exploitation mechanism.
Severity: Critical
Flow: Involves creating a specified directory or file and logging the request into it, rather than copying a file.
The Gh0st RAT (Remote Access Trojan), known for its stealth and efficacy, has recently been observed with zlib compression, adding a new layer to its already sophisticated capabilities. This report delves into the continuation of the story previously discussed in various online sources, focusing on the latest developments and technical details of this evolving threat.
Recent Developments
Continuation of Previous Reports:
The current situation is a follow-up to earlier reports available at:
The incorporation of zlib compression in Gh0st RAT signifies an advancement in its evasion techniques. This compression method can make the RAT’s network traffic more difficult to detect and analyze, enhancing its stealth.
Capabilities:
Gh0st RAT is known for its ability to provide attackers with extensive control over infected systems, including keylogging, screen capturing, and file manipulation.
Threat Level:
The use of multiple C2 servers indicates a well-organized and resilient infrastructure, suggesting a high threat level and the potential for widespread impact.
A recent cybersecurity alert has been raised concerning the domain anydesk[.]cyou, which is reportedly involved in distributing a malicious executable (EXE) file. This file has been linked to the BlackMoon banking trojan, also known as KrBanker. The situation presents a complex and potentially significant threat to cybersecurity.
Details of the Threat
Suspicious Domain:
The domain in question, anydesk[.]cyou, has been identified as a source of distributing a potentially harmful EXE file.
Malicious EXE File:
The specific executable file distributed by this domain has been analyzed on VirusTotal, with the following link providing detailed insights: VirusTotal Analysis.
Connection to BlackMoon:
The executable is tagged as BlackMoon (or KrBanker), a known banking trojan. Further behavioral analysis can be found at Triage Analysis.
Potential Relation to PepperMalware:
There is a speculated connection to PepperMalware, as indicated by a YARA rule from 2019, detailed in an analysis on PepperMalware’s Website.
Uncertainty in Identification:
Despite these connections, there is some uncertainty regarding the definitive identification of the malware as BlackMoon. This is echoed in a recent Twitter Post expressing doubt about the exact nature of the threat.
📱 Mobile Malware
X #Malvertising#FakeWallet A malicious ad appears on my timeline🤣 im-token[.]us -> hxxps://im-token[.]us/down/imtoken.apk -> 738d0e0def50ddf40df81ed4ed2faf50e8a8db196360826e39e69de8981ed8aa Collect and send mnemonic to remote server C2: api.bvip[.]dev@malwrhunterteampic.twitter.com/vVmSLvj9UP
A recent malvertising campaign, identified as “X Malvertising,” involves a fake wallet application that targets cryptocurrency users. The campaign was spotted through a malicious advertisement leading to a counterfeit website and a fraudulent mobile application. This report details the campaign’s mechanism, the nature of the threat, and the associated risks.
Campaign Overview
Malicious Advertisement: The campaign was initially identified through a malicious ad appearing on social media timelines.
Fake Website: Users are directed to a counterfeit website, im-token[.]us, which mimics a legitimate cryptocurrency wallet service.
Malicious Application: The website prompts users to download a fraudulent APK file (imtoken.apk) directly linked to the campaign.
Technical Analysis
APK File Analysis: The APK file in question (738d0e0def50ddf40df81ed4ed2faf50e8a8db196360826e39e69de8981ed8aa) is designed to mimic a legitimate cryptocurrency wallet application.
Functionality: Upon installation and execution, the app is programmed to collect and transmit the user’s mnemonic (a secret phrase or seed used in cryptocurrency wallets) to a remote server.
Command and Control (C2) Server: The identified C2 server for this campaign is api.bvip[.]dev. This server receives the stolen data from the infected devices.
🐙 Proxylife
Potential new #DuckTail PHP #stealer campaign spotted. hxxps://videocallgirl[.]top/alb/ -> Auto Download .zip file -> .exe posing as images with DLL sideloading -> downloading real images and payloads, then stealing data. #IoC:https://t.co/E636L4nBHC
A new cybersecurity threat has emerged in the form of a potential DuckTail PHP stealer campaign, raising significant concerns in the digital security community. This campaign is initiated through a deceptive website, identified as hxxps://videocallgirl[.]top/alb/, which automatically triggers the download of a .zip file upon visitation. The insidious nature of this campaign lies in its use of a .exe file, cleverly disguised as an image, which is embedded within the downloaded .zip file. This executable file employs a technique known as DLL sideloading, a method where a legitimate DLL is replaced or modified with a malicious one, effectively bypassing standard security measures.
Once activated, this executable not only displays real images to maintain its deceptive appearance but also proceeds to download additional malicious payloads onto the victim’s device. The primary objective of these payloads is the theft of sensitive data, a hallmark of the DuckTail PHP stealer campaigns. This sophisticated attack vector highlights the evolving nature of cyber threats, where attackers continually devise new methods to exploit system vulnerabilities and deceive users. The campaign underscores the importance of heightened vigilance and robust cybersecurity practices, especially in regard to downloading files from unverified sources and the necessity of employing advanced security solutions to detect and prevent such stealthy malware attacks.
The Sandman Advanced Persistent Threat (APT), as analyzed by Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence, is likely linked to China-based threat clusters known for using the KEYPLUG backdoor. This association was highlighted in a joint presentation by PwC and Microsoft at Labscon 2023, focusing on the cluster STORM-0866/Red Dev 40. Key findings include the coexistence of Sandman’s Lua-based malware LuaDream and the KEYPLUG backdoor in victim environments, shared infrastructure control, and management practices, as well as overlapping development techniques and functionalities. This suggests a broader adoption of Lua in cyberespionage, historically associated with Western actors, by a wider range of adversaries, including those linked to China.
Overview
SentinelLabs, Microsoft, and PwC provide attribution-relevant information on the Sandman APT, positioning it within the broader threat landscape. The report highlights connections between Sandman and a suspected China-based threat actor using the KEYPLUG backdoor – STORM-0866/Red Dev 40. This includes overlaps in victimology, shared C2 infrastructure control, and management practices. STORM-0866/Red Dev 40, primarily targeting entities in the Middle East and South Asia, including telecom and government sectors, is known for its use of the modular backdoor KEYPLUG, first reported by Mandiant in U.S. government entity intrusions by APT41. Microsoft and PwC have identified at least three other clusters involving KEYPLUG, including STORM-0866/Red Dev 40, characterized by unique encryption keys for KEYPLUG C2 communication and high operational security, such as using cloud-based reverse proxy infrastructure.
Sandman and STORM-0866/Red Dev 40 Infrastructure
The SSL certificate of the LuaDream C2 domain and its association with various hosting providers in Estonia, Romania, and Bulgaria indicate a connection between Sandman and STORM-0866/Red Dev 40. The use of specific domains and certificates, attributed with high confidence to STORM-0866/Red Dev 40, further solidifies this link.
LuaDream and KEYPLUG
LuaDream and KEYPLUG, while distinct in their implementation (LuaDream in LuaJIT and KEYPLUG in C++), show indicators of shared development practices and functionalities. A notable observation is a Chinese code comment in LuaDream, suggesting a potential Chinese origin, despite most string artifacts being in English.
C2 Protocols
Both LuaDream and KEYPLUG are highly modular, supporting multiple protocols for C2 communication, including HTTP, TCP, WebSocket, and QUIC. Their similar protocol handling and internal structures for client data storage indicate shared functional requirements by their operators.
Execution Flow and C2 Data Management
LuaDream and KEYPLUG exhibit similar high-level execution flows, gathering and exfiltrating system information, managing plugins, and using global data buffers for C2 data. Their execution patterns and data management strategies further suggest shared development practices.
👹 Scam Contract
there appear to be 515 tokens affected on the Mainnet, 3 of which have been exploited👀. the attackers made about $218k in profit. https://t.co/gY2uZtSLnG
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 7, 2023
A recent update in Thirdweb’s smart contracts has introduced a significant change in the form of _disableInitializers being added to most contract constructors. This update, identified in the commit ef6a0723ffa049c27ed5a455a3c8a45d1dd660be, has had notable repercussions in the cryptocurrency space, particularly affecting tokens on the Ethereum Mainnet.
Key Update in Thirdweb’s Contracts
Commit Overview: The specific commit in Thirdweb’s GitHub repository (View Commit) shows the addition of _disableInitializers to the constructors of most contracts.
Purpose of Update: The _disableInitializers function is typically used to enhance security by preventing the re-initialization of a contract, which can be a vector for attacks.
Impact on the Ethereum Mainnet
Affected Tokens: The update has impacted 515 tokens on the Ethereum Mainnet.
Exploitation Incidents: Out of these, 3 tokens have been exploited following this update.
Financial Impact: The attackers have reportedly made a profit of approximately $218,000 through these exploits.
Analysis of the Exploits
Exploit Mechanism: While the specific details of the exploits are not provided, the addition of _disableInitializers suggests that the vulnerabilities might be related to the re-initialization process of contracts.
Security Implications: The fact that only a small fraction of the affected tokens were exploited suggests that the attackers targeted specific vulnerabilities, possibly related to the implementation of the new feature or existing contract weaknesses.
Response and Remediation: The response from Thirdweb and the broader developer community will be crucial in addressing these vulnerabilities. This may include further updates to the contracts, best practices for implementation, and heightened security audits.
🟥 NDay
#Trigona exploited CVE-2021-40539 for initial access, and once it took hold of a victim’s system and data, it provided an authorization key for victims to register to the negotiation portal.
Trigona ransomware, first identified by Trend Micro as Water Ungaw, emerged in October 2022, with binaries dating back to June 2022. This ransomware group, known for its global attacks and lucrative schemes, has been linked to the CryLock group due to similarities in tactics, techniques, and procedures (TTPs). In 2023, Trigona expanded its attack vectors to include compromised Microsoft SQL Servers and developed a Linux version of its malware. This report delves into the operational aspects of Trigona, its impact, and the targeted regions and industries.
Background and Affiliations
Initial Emergence: October 2022 (binaries from June 2022).
Affiliation: Linked to CryLock and possibly collaborated with BlackCat ransomware actors.
Exploitation of Vulnerabilities: Notably exploited CVE-2021-40539 for initial access.
Operational Tactics and Techniques
Targeting MSSQL Servers: In April 2023, Trigona began brute-force attacks on compromised MSSQL Servers.
Linux Version: A month later, a Linux variant of Trigona was discovered, sharing similarities with the Windows version.
Ransomware Features: Trigona uses AES encryption, targets specific file types, and appends a “._locked” extension to encrypted files.
Global Impact and Targeted Industries
Top Affected Countries: Turkey, the Philippines, Brazil, Germany, and Thailand.
Victim Organization Size: Predominantly small- and medium-sized businesses.
Infection Chain and Techniques
Initial Access: Leveraged CVE-2021-40539 and obtained access via network access brokers.
Defense Evasion and Discovery: Used tools like Network Scanner and Advanced Port Scanner, along with scripts to terminate antivirus processes.
Credential Access: Employed Mimikatz for credential dumping.
Lateral Movement: Utilized legitimate remote access tools and Cobalt Strike for further infiltration.
Privilege Escalation: Used CLR shell on MSSQL servers for privilege escalation.
Ransomware Mechanics
Encryption Method: Encrypts the first 512 KB of files by default, with an option to encrypt entire files.
Command-Line Arguments: Supports various arguments for customization of the ransomware behavior.
Linux Variant: Similar command-line arguments as the Windows version, with some differences in functionality.
Leak Site and Victim Data
Leak Site: Featured bidding options for stolen data and a countdown timer to pressure victims.
Data Leaked: Included critical documents and contracts from victim organizations.
🌶️ Trending Exploit
Per @DecipherSec's reporting on Lazarus using Log4J, here are some of the recent novel Log4J variations we've detected with Sift over the past few weeks, as well as links to view the raw payloads. As a reminder, this was all collected by @GreyNoiseIO sensors but surfaced by AI https://t.co/QiG3Uv2w2jpic.twitter.com/dopMLQyQsQ
The North Korean threat group Lazarus has been actively exploiting the Log4j vulnerability in VMware Horizon servers. This campaign, known as “Operation Blacksmith” and tracked by Cisco Talos, involves the deployment of Dlang-based malware for credential theft and system fingerprinting. The shift to Dlang indicates a strategic change in Lazarus’s approach to malware development, utilizing non-traditional technologies and frameworks.
Campaign Details
Time Frame: The malicious activity was observed between March and September.
Malware Used: The campaign leverages three Dlang-based malware families: NineRAT, DLRAT, and a custom downloader for deploying additional payloads.
Targets: Attacks were executed against entities in South America, Europe, and the U.S., including an agricultural organization, a manufacturing entity, and a physical security firm.
Malware Analysis
NineRAT:
Written in DLang, indicating a shift in Lazarus’s tactics.
Capable of gathering system information and self-uninstallation.
Uses a Telegram-based C2 channel for communication.
DLRAT:
Focuses on reconnaissance by collecting preliminary system data.
Downloader:
Deploys additional payloads, including a proxy tool called “Hazyload.”
Aids in maintaining persistent access and facilitates command issuance and data exfiltration.
Lazarus Group Background
Active Since: 2010.
Known For: Espionage, data theft, and financially motivated attacks.
Recent Activities: Targeting the Log4j vulnerability and a flaw in ManageEngine ServiceDesk, deploying new malware families.
Novel Log4J Variations Detected
Recent novel Log4J variations have been detected by Sift and surfaced by AI, with data collected by GreyNoise sensors. These variations are crucial for understanding the evolving tactics of threat groups like Lazarus. The links to the raw payloads provide valuable insights into the nature of these attacks:
This image has been going around reddit for the last few hours (very explicit, blurred for obvious reasons). People were saying it's fake, but it isn't.
Apparently, there is a security exploit with Steam names inside CS2, which allows… pic.twitter.com/lcQqsAB5Ba
A significant security exploit has been identified in CS2 (Counter-Strike 2), related to the use of HTML in Steam player names. This vulnerability allows for Cross-Site Scripting (XSS) attacks, enabling malicious actors to execute various harmful actions, including IP address harvesting and potentially more severe exploits. This issue has raised serious concerns within the gaming community and calls for immediate attention from Valve, the game’s developer.
Description of the Exploit
Exploit Mechanism: The exploit is triggered when a player sets their Steam name using HTML code. This code is then executed within the CS2 game environment.
IP Address Harvesting: One demonstrated use of this exploit is setting a Steam name to an IP grabber, which captures the IP addresses of all players on the server.
Potential for Further Exploitation: While the confirmed exploit involves changing in-game images and IP address harvesting, there is speculation about more severe risks. These include the potential for running arbitrary code on players’ computers or gaining access to their Steam accounts. However, these more severe exploits have not been confirmed and remain speculative.
Community Response and Speculation
Warnings to Players: Players are being advised not to play CS2 until the issue is resolved, due to the risk of IP address harvesting and potential for other exploits.