Threat Intel Roundup: SharePoint, WS_FTP, Exim, Gotham Stealer


Week in Overview (26 Sep-3 Oct)

Technical Summary

  • Exim Mail Server Vulnerabilities (CVE-2023-42115 to CVE-2023-42119)
    • A series of vulnerabilities affecting the Exim mail server.
    • Varying degrees of severity, specific exploitation requirements.
    • Patching and configuration review recommended for mitigation.
  • RedLineStealer Malware Campaign
    • Ongoing malware campaign known as RedLineStealer.
    • Targets sensitive user data and credentials.
    • Cybersecurity experts are monitoring and analyzing this threat.
  • Gotham Stealer Incidents
    • Discovery of Gotham Stealer, a multifaceted malware.
    • It includes Discord Injection, Startup Injection, Wallets Stealer, and more.
    • Active tracking of Command and Control (C2) servers by security researchers.
  • Beware of Network Name Masking Scam in Cryptocurrency Transactions
    • Alert about a scam involving masking network names in crypto transactions.
    • Scammers deceive users into sending valuable assets while thinking they are sending worthless tokens.
    • Cautionary advice to verify network additions on crypto wallets.

  • Threat Actors Utilizing Malicious PowerShell-Backed Steganography
    • Threat actors using PowerShell-based steganography techniques.
    • Concealing malicious code within image files to evade detection.
    • Increased focus on detection and prevention of steganography-based attacks.
  • DIAN Phishing Campaign Targeting Taxpayers
    • A phishing campaign impersonating DIAN (Colombia’s tax authority).
    • Targets taxpayers with malicious emails.
    • Awareness and email security practices recommended for protection.
  • Using Silent SMS to Localize LTE Users – Proof of Concept Implementation
    • Proof of concept for using Silent SMS to locate LTE users.
    • Potential privacy concerns and implications.
    • Raises awareness about possible misuse of Silent SMS technology.
  • Critical Vulnerabilities in WS_FTP Server Exploited by Attackers (CVE-2023-40044 and CVE-2023-42657)
    • Discovery of critical vulnerabilities (CVE-2023-40044 and CVE-2023-42657) in WS_FTP Server.
    • Attackers exploiting these vulnerabilities to compromise systems.
    • Urgent patching and security measures advised for affected systems.
  • CVE-2023-29357 and CVE-2023-24955 Exploit Chain for Microsoft SharePoint Server
    • Detection of an exploit chain targeting Microsoft SharePoint Server.
    • Exploits vulnerabilities (CVE-2023-29357 and CVE-2023-24955).
    • Highlights the importance of timely patching and security updates.

Key Findings

It is crucial for organizations and individuals to prioritize remediation and patching efforts to safeguard their systems and data. The following key findings highlight the importance of proactive measures to mitigate the risks associated with the vulnerabilities and threats covered this week:

  • Exim Mail Server Vulnerabilities (CVE-2023-42115 to CVE-2023-42119)
  • RedLineStealer Malware Campaign
  • Gotham Stealer Incidents
  • Beware of Network Name Masking Scam in Cryptocurrency Transactions
  • Threat Actors Utilizing Malicious PowerShell-Backed Steganography
  • DIAN Phishing Campaign Targeting Taxpayers
  • Using Silent SMS to Localize LTE Users – Proof of Concept Implementation
  • Critical Vulnerabilities in WS_FTP Server Exploited by Attackers (CVE-2023-40044 and CVE-2023-42657)
  • CVE-2023-29357 and CVE-2023-24955 Exploit Chain for Microsoft SharePoint Server

🚨 Vulnerability of the Week

This advisory report addresses a recent disclosure of vulnerabilities in the widely used mail server, Exim. The vulnerabilities range from potentially critical to less severe, with specific conditions required for exploitation. While concerns have arisen due to the disclosed vulnerabilities, a thorough analysis suggests that the overall risk may be lower than initially perceived. This report provides detailed information on the vulnerabilities, their requirements, and potential mitigations.

Vulnerabilities Overview

The vulnerabilities, identified as CVE-2023-42115 to CVE-2023-42119, have varying degrees of severity and specific requirements for exploitation:

  • CVE-2023-42115: This vulnerability has a CVSS score of 9.8 and requires the presence of an “External” authentication scheme configured and available in Exim.
  • CVE-2023-42116: With a CVSS score of 8.1, this vulnerability pertains to the “SPA” module, used for NTLM authentication, and requires its configuration and availability.
  • CVE-2023-42117: Receiving a CVSS score of 8.1, this vulnerability depends on the usage of Exim Proxy (distinct from SOCKS or HTTP proxy) with an untrusted proxy server.
  • CVE-2023-42118: This vulnerability has a CVSS score of 7.5 and involves the use of an “SPF” condition in an ACL.
  • CVE-2023-42114: With a CVSS score of 3.7, this vulnerability relates to the “SPA” module used for NTLM authentication and its configuration to authenticate the Exim server to an upstream server.
  • CVE-2023-42119: This vulnerability has a CVSS score of 3.1 and is linked to the use of an untrusted DNS resolver.

Exploitation and Requirements

These vulnerabilities exhibit varying degrees of complexity and specific conditions that must be met for exploitation. For example, CVE-2023-42115 requires the presence of an “External” authentication scheme, while CVE-2023-42117 necessitates the use of Exim Proxy with an untrusted proxy server.
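Because every one of these issues depends on a configuration precondition, the "patching and configuration review" advice can be scripted. The following is an added example, not code from the advisory or from the Exim project: it reads a minimal Exim configuration and reports which of the preconditions named above are present. The keywords it looks for (`driver = external`, `driver = spa` with `server_*` or `client_*` options, `hosts_proxy` for the Exim proxy protocol, and an `spf =` condition inside an ACL) are Exim option names as I know them and should be checked against the documentation for your version; the sample configuration is constructed.

```python
import re
from typing import Dict, List

# Constructed sample Exim configuration (not a real deployment); it deliberately
# enables several of the features the advisory names as preconditions.
SAMPLE_CONFIG = """
primary_hostname = mail.example.test
# Exim proxy protocol accepted from this address (CVE-2023-42117 precondition)
hosts_proxy = 192.0.2.10
acl_smtp_rcpt = acl_check_rcpt

begin acl
acl_check_rcpt:
  deny    spf = fail
          message = SPF check failed
  accept

begin authenticators
plain_server:
  driver = plaintext
  server_set_id = $auth2
spa_server:
  driver = spa
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_pw}}
tls_client_cert:
  driver = external
  server_set_id = $auth1
"""


def _strip_comments(text: str) -> List[str]:
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def parse_exim_config(text: str) -> Dict[str, object]:
    """Minimal reader: main-section options, plus the driver blocks ('name:' followed
    by 'option = value' lines) and the raw lines of every 'begin <section>' part."""
    main: Dict[str, str] = {}
    blocks: Dict[str, Dict[str, Dict[str, str]]] = {}
    raw: Dict[str, List[str]] = {}
    section = block = None
    for line in _strip_comments(text):
        m = re.match(r"^begin\s+(\w+)\s*$", line)
        if m:
            section, block = m.group(1), None
            blocks.setdefault(section, {})
            raw.setdefault(section, [])
            continue
        opt = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if section is None:
            if opt:
                main[opt.group(1)] = opt.group(2)
            continue
        raw[section].append(line)
        hdr = re.match(r"^(\w+):\s*$", line)
        if hdr:
            block = hdr.group(1)
            blocks[section][block] = {}
        elif opt and block is not None:
            blocks[section][block][opt.group(1)] = opt.group(2)
    return {"main": main, "blocks": blocks, "raw": raw}


def review_exim_config(text: str) -> Dict[str, str]:
    """Map each CVE in the advisory to the configuration evidence that makes it relevant."""
    cfg = parse_exim_config(text)
    findings: Dict[str, str] = {}
    for name, opts in cfg["blocks"].get("authenticators", {}).items():
        driver = opts.get("driver")
        if driver == "external":
            findings["CVE-2023-42115"] = f"authenticator '{name}' uses driver = external"
        elif driver == "spa":
            if any(k.startswith("server_") for k in opts):
                findings["CVE-2023-42116"] = f"authenticator '{name}' is a server-side SPA/NTLM authenticator"
            if any(k.startswith("client_") for k in opts):
                findings["CVE-2023-42114"] = f"authenticator '{name}' authenticates Exim to an upstream server via SPA"
    if cfg["main"].get("hosts_proxy"):
        findings["CVE-2023-42117"] = f"hosts_proxy = {cfg['main']['hosts_proxy']} enables the Exim proxy protocol"
    for line in cfg["raw"].get("acl", []):
        if re.search(r"\bspf\s*=", line):
            findings["CVE-2023-42118"] = f"SPF condition in ACL: {line.strip()}"
            break
    # The resolver is not visible in the Exim config; it has to be checked on the host.
    findings["CVE-2023-42119"] = "manual check: confirm the system DNS resolver is trusted"
    return findings


if __name__ == "__main__":
    for cve, evidence in sorted(review_exim_config(SAMPLE_CONFIG).items()):
        print(f"{cve}: {evidence}")
```

The parser is deliberately small (no macros, no `.include`, no line continuations), so treat a clean result as a prompt to confirm by hand rather than as proof of absence; the value is in turning the advisory's list of preconditions into something that can be run across a fleet of mail hosts.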

⛳︎ Leakage Insight

Huntress, a cybersecurity firm specializing in threat detection and response, recently concluded its beta phase of Managed Detection and Response (MDR) for Microsoft 365. During this phase, Huntress identified several incidents related to business email compromise (BEC) attacks across different industries. This report provides an overview of these incidents, the common theme of inbox rule manipulation, and the significance of proactive threat detection.

Targeted Industries

During the beta phase, Huntress observed a series of three BEC attacks within a remarkably short period of 72 hours. The incidents targeted clients from various industries, demonstrating the widespread nature of Microsoft 365 compromises. The affected industries included:

  • Law Firm
  • Building Contractor
  • Retail Store and Distributor

These back-to-back incidents underscore the urgency of addressing Microsoft 365 compromises and the need for robust threat detection and response mechanisms.

Common Theme: Inbox Rule Manipulation

In each of the observed incidents, a common tactic employed by adversaries was inbox rule manipulation. Adversaries exploited email inbox rules to divert sensitive information away from victims, effectively controlling what victims could access and respond to. By forwarding emails to seemingly unused folders such as RSS Feeds, Deleted Items, and Conversation History, attackers minimized the chances of victims detecting the compromise until actual damage occurred.

The consequences of inbox rule manipulation can be severe, including facilitating invoice scams, banking fraud, phishing campaigns against other employees, data theft, and more.
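The tactic described above leaves a durable artifact: the rule itself. Below is an added example, not Huntress's tooling, that scores a mailbox-rule export against the behaviours named here (diversion to RSS Feeds, Deleted Items or Conversation History, deletion, forwarding outside the organisation, mark-as-read, rules with no filter, and uninformative rule names). The field names follow what `Get-InboxRule` returns, but the rules, mailboxes and addresses are constructed.

```python
from typing import Dict, List, Set

# Folders the write-up names as dumping grounds for diverted mail.
SELDOM_VIEWED_FOLDERS = {"rss feeds", "deleted items", "conversation history"}

# Constructed rule export. Field names follow Get-InboxRule output
# (MoveToFolder, DeleteMessage, ForwardTo, RedirectTo, MarkAsRead, From, ...);
# the mailboxes, names and addresses are made up.
SAMPLE_RULES: List[Dict[str, object]] = [
    {"Mailbox": "paralegal@lawfirm.example", "Name": ".", "Enabled": True,
     "From": ["adjuster@insurer.example"],
     "MoveToFolder": "paralegal@lawfirm.example:\\RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "ap@contractor.example", "Name": "xx", "Enabled": True,
     "MoveToFolder": "ap@contractor.example:\\RSS Feeds"},
    {"Mailbox": "ap@contractor.example", "Name": "Vendor newsletters", "Enabled": True,
     "From": ["news@vendor.example"],
     "MoveToFolder": "ap@contractor.example:\\Newsletters"},
    {"Mailbox": "cfo@contractor.example", "Name": "Copy to personal", "Enabled": False,
     "ForwardTo": ["cfo.personal@webmail.example"]},
]


def evaluate_rule(rule: Dict[str, object], org_domains: Set[str]) -> Dict[str, object]:
    """Score one inbox rule; the reasons list says which behaviours triggered."""
    score, reasons = 0, []
    folder = str(rule.get("MoveToFolder") or "")
    # Exchange reports folders as "<mailbox>:\<Folder>"; keep the last path component.
    folder_name = folder.rsplit("\\", 1)[-1].strip().lower()
    if folder_name in SELDOM_VIEWED_FOLDERS:
        score += 3
        reasons.append(f"moves mail to seldom-viewed folder '{folder_name}'")
    if rule.get("DeleteMessage"):
        score += 3
        reasons.append("deletes matching mail")
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(key) or []:
            domain = str(addr).rsplit("@", 1)[-1].lower()
            if domain not in org_domains:
                score += 4
                reasons.append(f"{key} sends mail outside the organisation ({addr})")
    if rule.get("MarkAsRead") and score:
        score += 1
        reasons.append("also marks the diverted mail as read")
    has_filter = any(rule.get(k) for k in ("From", "SentTo", "SubjectContainsWords", "BodyContainsWords"))
    if score and not has_filter:
        score += 2
        reasons.append("no filter condition: applies to all incoming mail")
    name = str(rule.get("Name") or "").strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        score += 1
        reasons.append(f"uninformative rule name {name!r}")
    return {"Mailbox": rule.get("Mailbox"), "Name": name, "Score": score, "Reasons": reasons}


def triage_rules(rules: List[Dict[str, object]], org_domains: Set[str], threshold: int = 3) -> List[Dict[str, object]]:
    """Enabled rules at or above the threshold, most suspicious first."""
    hits = [evaluate_rule(r, org_domains) for r in rules if r.get("Enabled", True)]
    return sorted((h for h in hits if h["Score"] >= threshold), key=lambda h: -h["Score"])


if __name__ == "__main__":
    for hit in triage_rules(SAMPLE_RULES, {"lawfirm.example", "contractor.example"}):
        print(hit["Mailbox"], repr(hit["Name"]), hit["Score"], "; ".join(hit["Reasons"]))
```

Run against a tenant-wide export, the scoring puts the two patterns from the incidents below (a rule on one specific sender, and a catch-all rule with a two-character name, both routing to RSS Feeds) at the top, while a legitimate newsletter rule scores zero. Pair the rule review with the sign-in logs: the write-up's point is that a low-activity folder plus an anomalous login location is what turned a suspicious rule into a confirmed compromise.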

Incident Details

The Law Firm Incident

  • Date of Attack: June 21, 2023
  • Victim: Employee of a law firm specializing in automobile-related cases
  • Attack Details:
    • Creation of a malicious inbox rule named … to redirect emails from a specific employee of a national auto insurance company to the RSS Feeds folder.
    • Suspicious activity included logins from Michigan and New York in quick succession, indicating multiple authentications from different devices.
    • Contextual evidence led to the identification of the inbox rule manipulation as malicious.
    • The law firm employee’s user account was locked, and the partner was notified of the compromise.

The Building Contractor Incident

  • Date of Attack: June 22, 2023
  • Victim: User account of a contracting firm
  • Attack Details:
    • Manipulation of inbox rules, similar to the previous case, with the forwarding rule named xx.
    • All emails were automatically sent to the RSS Feeds folder.
    • Consistent logins from the same locations, with an anomalous login from Virginia.
    • Correlation of the anomalous location with the RSS Feed forwarding rule led to the identification of the compromise.
    • The account was locked, and the threat actor was removed from the Microsoft 365 instance.

🥵 Malware or Ransomware

Gotham Stealer is a versatile and stealthy malware strain designed to steal sensitive information and maintain a low detection profile. Its features include:

  • Discord Injection: Gotham Stealer is capable of injecting malicious code into Discord sessions, allowing attackers to access and potentially manipulate Discord data.
  • Startup Injection: The malware can inject itself into the system startup process, ensuring that it runs automatically each time the infected system boots up.
  • Wallets Stealer: Gotham Stealer targets cryptocurrency wallets, aiming to steal digital assets stored in them.
  • Browser Stealer: It is capable of harvesting sensitive data from web browsers, including login credentials, cookies, and browsing history.
  • System Info Stealer: The malware collects detailed information about the victim’s system, potentially aiding attackers in tailoring their attacks.
  • Auto-Parsed Cookies: Gotham Stealer can automatically parse and collect cookies, which may contain valuable session data.
  • Roblox Session Stealer: It targets Roblox sessions, potentially allowing attackers to compromise users’ gaming accounts.
  • Steam Stealer: The malware focuses on Steam accounts and assets, posing a significant threat to gamers.
  • Minecraft Stealer: Gotham Stealer targets Minecraft accounts, potentially leading to unauthorized access and asset theft.
  • Process Hider: It has the capability to hide its presence from system processes and security software.
  • Full Undetectability (FUD): Gotham Stealer prides itself on being fully undetectable by antivirus and security software.
  • Screen Monitoring: The malware can watch the victim’s screen, providing attackers with insights into the victim’s activities.
  • Screen Clicking: It offers screen clicking functionality, allowing attackers to control the victim’s screen remotely.

Command and Control (C2) Infrastructure

Gotham Stealer’s C2 infrastructure serves as a critical component of its operation. The C2 servers identified so far include:

  • Primary C2: hxxp://gotham.community/login
  • Secondary C2: hxxps://37.221.120.142/login
  • Additional C2: hxxps://37.221.120.155/login

The C2 infrastructure enables attackers to remotely manage and extract stolen data, making it a crucial element of the malware’s functionality.

Tracking Gotham Stealer

Security researchers and professionals are actively tracking Gotham Stealer and monitoring its activities. The malware has been observed in the wild, posing a significant risk to potential victims.

To detect Gotham Stealer-related activity, Shodan searches have been conducted using specific indicators. Researchers are also using tools like the C2 Tracker to monitor and record Gotham Stealer-related IP addresses and other relevant information.

💦 Malware Distribution Sites

This advisory report addresses a recent resurgence of the RedLineStealer malware campaign. The campaign’s primary focus is on targeting users through a phishing technique related to booking and Google Drive. The threat actor behind this campaign is actively distributing malicious samples, posing a significant risk to individuals and organizations.

Campaign Overview

Malware Identifier: RedLineStealer

RedLineStealer is a type of malware known for its data-stealing capabilities, including the theft of sensitive information such as login credentials, financial data, and personal information. It has been actively used in various cybercriminal campaigns to compromise victims’ systems.

Phishing Technique: Booking and Google Drive

The RedLineStealer campaign employs a phishing technique that leverages the concept of booking-related activities, likely to entice victims into clicking on malicious links or downloading infected files. Additionally, the threat actor utilizes Google Drive to host and distribute malicious content, making it appear legitimate and increasing the chances of successful infection.

Indicators of Compromise (IoCs)

Samples Collection

The following URLs provide access to samples associated with the RedLineStealer campaign, enabling security professionals and researchers to analyze and better understand the malware:

Malicious URLs

The threat actor uses various URLs to distribute RedLineStealer and lure potential victims. Monitoring these URLs and taking necessary precautions is essential to mitigating the threat:

🐙 Proxylife

A phishing campaign impersonating the Colombian tax authority, DIAN, has been detected, targeting individuals who file income tax returns. This advisory provides a brief overview of the attack chain and the associated threat indicators to help individuals and organizations recognize and respond to this threat effectively.

Attack Chain

The attack chain involves multiple stages:

  • Phishing Link: The campaign initiates with a phishing link hosted on Dropbox (hxxps://www.dropbox[.]com/scl/fi/6lwijxzwhszjfssgqqr5h/DIAN_Renta_ciudadana_rad921521DF15401df.bz2?rlkey=z2whvfl0yfn0jnl12h6ole6cx&dl=1). This link is designed to lure victims into downloading malicious content by impersonating DIAN.
  • VBS Script: Once a victim clicks on the phishing link, a Visual Basic Script (VBS) is executed. VBS is used to initiate the attack and download additional payloads.
  • PowerShell: The VBS script invokes PowerShell, a powerful scripting language, to execute further malicious actions. PowerShell is used to download and execute additional components of the attack.
  • Stego Hidden Payload: A steganography technique is employed to hide a payload within an image (hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937%27). This payload likely contains malicious code or instructions for the victim’s system.
  • Downloader DLL: The stego payload likely contains instructions to download a DLL (Dynamic Link Library) that is used to perform various tasks, potentially compromising the victim’s system.
  • LimeRAT: LimeRAT is a Remote Access Trojan (RAT) that is likely the final payload of this attack. Once executed, it provides the attacker with unauthorized access and control over the victim’s system.
  • Command and Control (C2): The RAT communicates with a Command and Control server hosted at hxxp://91[.]213[.]50[.]74/new/mofers/njz.txt, using the domain njnjnjs[.]duckdns[.]org:35888. This enables the attacker to manage the compromised systems and steal sensitive information.

Threat Indicators

Phishing Link: hxxps://www.dropbox[.]com/scl/fi/6lwijxzwhszjfssgqqr5h/DIAN_Renta_ciudadana_rad921521DF15401df.bz2?rlkey=z2whvfl0yfn0jnl12h6ole6cx&dl=1

Stego Payload: hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937%27

Final Stage: hxxp://91[.]213[.]50[.]74/new/mofers/njz.txt

LimeRAT C2: njnjnjs[.]duckdns[.]org:35888
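The indicators in this roundup (the Gotham Stealer C2 list above and the DIAN campaign's URLs and `host:port` here) are published defanged (`hxxp`, `[.]`), which is right for a report but useless for matching. The following added example, not part of the advisory, refangs and normalises such indicators into host, port and path fields and matches a watch-list of hosts against log lines. The indicator strings are the ones on this page; the log lines are constructed.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Indicators exactly as they appear in this roundup (Gotham Stealer C2 list and
# the DIAN campaign), kept in their defanged form.
INDICATORS = [
    "hxxp://gotham.community/login",
    "hxxps://37.221.120.142/login",
    "hxxps://37.221.120.155/login",
    "hxxps://www.dropbox[.]com/scl/fi/6lwijxzwhszjfssgqqr5h/DIAN_Renta_ciudadana_rad921521DF15401df.bz2?rlkey=z2whvfl0yfn0jnl12h6ole6cx&dl=1",
    "hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937%27",
    "hxxp://91[.]213[.]50[.]74/new/mofers/njz.txt",
    "njnjnjs[.]duckdns[.]org:35888",
]

# Constructed log lines (DNS and proxy style) for the matching demo.
SAMPLE_LOG_LINES = [
    "2023-10-02T10:00:00Z dns query A njnjnjs.duckdns.org from 10.0.0.5",
    "2023-10-02T10:00:03Z proxy GET http://91.213.50.74/new/mofers/njz.txt client=10.0.0.5 status=200",
    "2023-10-02T10:00:09Z dns query A updates.example.test from 10.0.0.7",
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(text: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], [:], [at])."""
    t = text.strip()
    t = re.sub(r"^hxxp", "http", t, flags=re.IGNORECASE)
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[at]", "@")):
        t = t.replace(broken, fixed)
    return t


def parse_indicator(text: str) -> Dict[str, Optional[object]]:
    """Classify a defanged indicator as url / hostport / host and normalise its fields."""
    value = refang(text)
    if "://" in value:
        parts = urlsplit(value)
        host = parts.hostname or ""
        port = parts.port                     # None unless the URL names one explicitly
        path = parts.path + (f"?{parts.query}" if parts.query else "")
        kind = "url"
    else:
        m = re.match(r"^([^/:\s]+)(?::(\d{1,5}))?$", value)
        if not m:
            raise ValueError(f"unrecognised indicator: {text!r}")
        host = m.group(1)
        port = int(m.group(2)) if m.group(2) else None
        path = None
        kind = "hostport" if port else "host"
    host = host.lower()
    return {"kind": kind, "host": host, "is_ip": bool(IPV4.match(host)),
            "port": port, "path": path, "refanged": value, "original": text}


def watchlist_hosts(indicators: List[str]) -> Set[str]:
    return {str(parse_indicator(i)["host"]) for i in indicators}


def find_watchlist_hits(log_line: str, hosts: Set[str]) -> List[str]:
    """Watch-listed hosts that appear in one log line (DNS, proxy, firewall)."""
    low = log_line.lower()
    return sorted(h for h in hosts if h in low)


if __name__ == "__main__":
    hosts = watchlist_hosts(INDICATORS)
    for line in SAMPLE_LOG_LINES:
        hits = find_watchlist_hits(line, hosts)
        if hits:
            print("HIT", hits, line)
```

Host-level matching is the right granularity for the attacker-controlled hosts (the raw IPs, the DuckDNS name, `gotham.community`), but for shared services such as Dropbox or the image host it will fire on legitimate traffic; for those, match on the full refanged path the parser returns instead.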

🥷 TTP Analysis

Threat Actors (TAs) have evolved their attack tactics by leveraging malicious PowerShell content as part of sophisticated campaigns with compelling motives. This approach enables them to operate covertly, evade traditional security defenses, and exploit existing tools on compromised systems. PowerShell’s versatility, ease of use, and scripting capabilities make it an attractive choice for attackers seeking agility and customization.

During recent threat hunting activities on VirusTotal (VT), we encountered a spam campaign employing PowerShell-Backed Steganography. This novel technique serves as a vehicle for distributing various Remote Access Trojan (RAT) malware, including LimeRAT, AgentTesla, and Remcos. This campaign was initially identified by researcher Ankit Anubhav.

The attack begins with a spam email containing an Excel attachment. Upon opening the Excel document, it exploits a vulnerability in the equation editor to initiate the download of a VB script payload. This VB script, when executed, triggers a PowerShell script, which retrieves a JPG image containing concealed data via steganography.

After decoding the hidden content from the JPG image, a .NET assembly is obtained and executed. This assembly ultimately downloads and injects the RAT malware payload into the victim system, as depicted in the infection chain.

Infection Chain

The infection chain involves the following stages:

  • Initial Infection: The campaign starts with spam emails containing Excel attachments with names like “entregar_confirmacion_de_direccion.xlsx” and “Swift ACC Reference A2300078.xls.” Users must enable editing to access the content.
  • CVE-2017-11882 Exploitation: When the Excel file is opened, it exploits the Equation Editor Vulnerability (CVE-2017-11882) to download a VB script payload.
  • VB Script Payload: The VB script payload is downloaded from a malicious URL, often in a reversed string format, such as “hxxp://195[.]178[.]120[.]24/uchetuesdayyyyy[.]vbs.”
  • Steganography Technique: The VB script drops a heavily obfuscated VBS file in the %appdata% folder. This VBS file de-obfuscates in memory, revealing PowerShell code that retrieves a JPG image from another URL.
  • JPG Image: The JPG image contains Base64-encoded malware data hidden between specific markers. The PowerShell script decodes this hidden content.
  • .NET Assembly: The decoded content is a .NET assembly, and the PowerShell script loads it, invoking a specific method with a final payload URL.
  • Final Payload: The RAT malware payload (Remcos, AgentTesla, or LimeRAT) is downloaded from a URL, often in reversed string format, and injected into the victim system.
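The stego stage above hides Base64 text between markers inside a JPG and the decoded result is a .NET assembly. That gives a defender two things to look for in any image pulled from a suspicious script: data after the JPEG end-of-image marker, and long Base64 runs whose decoded bytes start with a PE header. The following is an added example, not from the write-up, that performs that triage; the JPEG skeleton, the fake payload and the `<<BEGIN>>`/`<<END>>` markers are constructed (the campaign's real markers are not given here).

```python
import base64
import re
from typing import Dict, List

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def scan_image_for_embedded_base64(data: bytes, min_run: int = 40) -> Dict[str, object]:
    """Triage a JPEG: locate the end-of-image marker, measure what follows it, and
    report every Base64 run long enough to carry a payload, with the bytes bracketing
    the run so the analyst can see the markers a loader would search for."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    # Base64 text never contains 0xFF, so the last EOI in the file is the real one.
    eoi = data.rfind(JPEG_EOI)
    trailing = len(data) - (eoi + 2) if eoi != -1 else 0
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    runs: List[Dict[str, object]] = []
    for m in pattern.finditer(data):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
        except ValueError:
            continue            # alphabet-looking bytes that are not valid Base64
        runs.append({
            "offset": m.start(),
            "length": len(run),
            "after_eoi": m.start() > eoi,
            "marker_before": data[max(0, m.start() - 8):m.start()],
            "marker_after": data[m.end():m.end() + 8],
            "decoded_prefix": decoded[:8],
            "looks_like_pe": decoded.startswith(b"MZ"),   # PE / .NET assembly header
        })
    return {"eoi_offset": eoi, "trailing_bytes": trailing, "base64_runs": runs}


# Constructed samples: a minimal JPEG skeleton, and the same skeleton with a fake
# PE image appended after EOI between made-up markers.
_FAKE_PAYLOAD = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode."
CLEAN_IMAGE = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 64 + JPEG_EOI)
STEGO_IMAGE = CLEAN_IMAGE + b"<<BEGIN>>" + base64.b64encode(_FAKE_PAYLOAD) + b"<<END>>"


if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("stego", STEGO_IMAGE)):
        report = scan_image_for_embedded_base64(img)
        print(label, "trailing bytes:", report["trailing_bytes"])
        for run in report["base64_runs"]:
            print("  run at", run["offset"], "len", run["length"],
                  "after EOI:", run["after_eoi"], "PE:", run["looks_like_pe"],
                  "markers:", run["marker_before"], run["marker_after"])
```

Trailing data after EOI is the cheap, high-signal check: image viewers ignore it, so there is rarely a benign reason for a downloaded picture to carry kilobytes of text there. The marker context lets you write a tighter signature once you have a sample, and `decoded_prefix` tells you what to hand to the next stage of analysis.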

👹 Scam Contract

In recent reports, a sneaky trick employed by scammers to steal cryptocurrency assets has come to light. This scheme involves the manipulation of a network’s name to deceive users into sending valuable assets while believing they are transferring an inconsequential token. This advisory aims to raise awareness about this scam and provide guidance on how to protect your cryptocurrency holdings.

Scammers’ Deceptive Tactic

Scammers are employing a tactic that revolves around “masking” a network’s name to make it appear harmless and benign while disguising its true identity. Typically, users encounter pop-up prompts on websites, urging them to switch their wallet to a specific network for various purposes, such as transactions or interactions with decentralized applications (DApps). In this particular scam, users are prompted to add a network named “Totally Not A Scam,” accompanied by the symbol “SCAM.” What makes this deceptive is that the network shares the same Chain ID as Binance Smart Chain (BNB Chain).

This deceit is possible because the name and symbol of a network are not specified on the blockchain itself, allowing scammers to manipulate these aspects to create a false sense of security. As a result, users who unknowingly add this network may believe they are sending worthless “SCAM” tokens, while, in reality, they are transferring their valuable BNB assets to the scammers.
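The defence follows directly from the explanation above: only the chain ID is authoritative, so a wallet (or a user checking a prompt by hand) should derive the network's name and native asset from the chain ID and reject a prompt whose labels disagree. The following added example, not from the advisory, vets a `wallet_addEthereumChain`-style request that way. The three-entry chain registry is a stand-in for an authoritative list, and the prompts, including their RPC URLs, are constructed to mirror the scam described.

```python
from typing import Dict, List, Tuple

# Excerpt of a chain registry (chain ID -> canonical short name, native symbol).
# In practice source this from an authoritative list you maintain.
KNOWN_CHAINS: Dict[int, Tuple[str, str]] = {
    1: ("Ethereum", "ETH"),
    56: ("BNB Smart Chain", "BNB"),
    137: ("Polygon", "MATIC"),
}


def parse_chain_id(value) -> int:
    """Prompts carry the chain ID as hex ("0x38") or decimal; the integer is what matters."""
    if isinstance(value, int):
        return value
    s = str(value).strip().lower()
    return int(s, 16) if s.startswith("0x") else int(s, 10)


def vet_add_chain_request(params: Dict, registry: Dict[int, Tuple[str, str]] = KNOWN_CHAINS) -> Dict[str, object]:
    """Trust only the chain ID; compare the prompt's name and symbol against it."""
    chain_id = parse_chain_id(params["chainId"])
    shown_name = str(params.get("chainName", ""))
    shown_symbol = str((params.get("nativeCurrency") or {}).get("symbol", ""))
    label_problems: List[str] = []
    other_problems: List[str] = []
    if chain_id in registry:
        real_name, real_symbol = registry[chain_id]
        if real_name.lower() not in shown_name.lower():
            label_problems.append(f"chain ID {chain_id} is {real_name}, but the prompt calls it {shown_name!r}")
        if shown_symbol.upper() != real_symbol:
            label_problems.append(f"native asset of chain {chain_id} is {real_symbol}, but the prompt shows {shown_symbol!r}")
        verdict = "reject: labels do not match the chain ID" if label_problems else "ok: known chain, labels match"
    else:
        verdict = "unknown chain ID: verify against an independent registry before adding"
    for url in params.get("rpcUrls", []):
        if not str(url).lower().startswith(("https://", "wss://")):
            other_problems.append(f"RPC endpoint without TLS: {url}")
    return {"chainId": chain_id, "verdict": verdict, "problems": label_problems + other_problems}


# Constructed prompts. The first mirrors the masked network from the report
# (BNB Chain's chain ID under a misleading name and symbol); the RPC URLs are placeholders.
SCAM_PROMPT = {"chainId": "0x38", "chainName": "Totally Not A Scam",
               "nativeCurrency": {"name": "Scam", "symbol": "SCAM", "decimals": 18},
               "rpcUrls": ["https://rpc.example.invalid"]}
GENUINE_PROMPT = {"chainId": "0x38", "chainName": "BNB Smart Chain Mainnet",
                  "nativeCurrency": {"name": "BNB", "symbol": "BNB", "decimals": 18},
                  "rpcUrls": ["https://rpc.example.invalid"]}


if __name__ == "__main__":
    for label, prompt in (("scam", SCAM_PROMPT), ("genuine", GENUINE_PROMPT)):
        result = vet_add_chain_request(prompt)
        print(label, result["chainId"], result["verdict"])
        for p in result["problems"]:
            print("  -", p)
```

The check resolves `0x38` to 56 and reports that the prompt's "Totally Not A Scam" / "SCAM" labels belong to BNB Smart Chain / BNB, which is exactly the mismatch a user would need to notice before approving a transfer. Unknown chain IDs are not rejected outright, since new networks exist, but they are never accepted on the strength of the prompt's own labels.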

🟥 1Day

https://twitter.com/_JohnHammond/status/1708910264261980634

Progress Software, the company responsible for WS_FTP Server, has recently patched two critical vulnerabilities, CVE-2023-40044 and CVE-2023-42657, in their popular secure file transfer solution. The exploitation of these vulnerabilities has been observed in the wild, potentially leading to serious security risks. This advisory report aims to provide an overview of the vulnerabilities, their impact, and recommendations for mitigation.

Vulnerability Details

  • CVE-2023-40044
    • Vulnerability Type: .NET Deserialization Vulnerability
    • Description: This vulnerability allows unauthenticated threat actors to execute remote commands on the underlying WS_FTP Server operating system via an HTTPS POST request. It poses a severe risk to affected systems.
    • Affected Versions: Versions prior to 8.7.4 and 8.8.2
    • Severity: Critical
  • CVE-2023-42657
    • Vulnerability Type: Directory Traversal
    • Description: This vulnerability enables threat actors to perform unauthorized file operations (e.g., delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path.
    • Affected Versions: Versions prior to 8.7.4 and 8.8.2
    • Severity: Critical

Exploitation and Observations

Proof-of-concept code for CVE-2023-40044 has been made available publicly. Rapid7 researchers have observed multiple instances of WS_FTP exploitation in the wild, employing different attack chains. This suggests active and widespread exploitation of the vulnerabilities.

Additionally, a PowerShell-based attack utilizing certutil stagers has been noted. These attacks involve downloading malicious executables into the Windows TEMP directory. Furthermore, threat actors have been observed opening port 3389 for Remote Desktop Protocol (RDP) access, potentially indicating an attempt at persistence.

Mitigation

To protect your organization from the risks associated with CVE-2023-40044 and CVE-2023-42657, follow these recommended mitigation steps:

  • Apply Patches: Upgrade WS_FTP Server to the fixed versions 8.7.4 or 8.8.2. The patches released by Progress Software address these vulnerabilities and are crucial for mitigating the risks associated with exploitation.
  • Consider Temporary Measures: If immediate patching is not possible, consider removing or disabling the WS_FTP Server Ad Hoc Transfer Module to reduce the attack surface.
  • Vulnerability Scanning: Conduct regular vulnerability scans to identify and remediate potential security issues in your environment.
  • Monitoring and Detection: Implement robust monitoring and detection systems to identify suspicious activities and potential exploitation attempts. This includes monitoring network traffic, system logs, and file integrity.
  • Security Awareness: Educate your staff and users about the risks of opening suspicious attachments or clicking on unknown links. Encourage a security-conscious culture within your organization.

🌶️ Trending Exploit

A proof-of-concept exploit chain has been released for two critical vulnerabilities in Microsoft SharePoint Server, namely CVE-2023-29357 and CVE-2023-24955. These vulnerabilities can be exploited to achieve unauthenticated remote code execution (RCE). This advisory report provides an overview of the vulnerabilities, their potential impact, and recommendations for mitigation.

Background

On September 25, 2023, STAR Labs researcher Nguyễn Tiến Giang (Jang) published a blog post detailing the successful chaining of CVE-2023-29357 and CVE-2023-24955 to achieve remote code execution (RCE) against Microsoft SharePoint Server. This exploit chain was initially demonstrated at the Zero Day Initiative’s (ZDI) Pwn2Own contest held in Vancouver in March 2023.

Subsequently, on September 26, a proof-of-concept (PoC) for the exploit chain was released on GitHub. The authors of the PoC clarified that RCE is not achieved with the current PoC to maintain ethical standards. However, it is essential to recognize that malicious actors often leverage public PoC code, modifying it for malicious purposes. As a result, it is imperative to apply the necessary patches promptly.

Analysis

  • CVE-2023-29357
    • Vulnerability Type: Elevation of Privilege (EoP)
    • CVSSv3 Score: 9.8 (Critical)
    • Description: This vulnerability allows remote, unauthenticated attackers to exploit Microsoft SharePoint Server by sending a spoofed JSON Web Token (JWT) authentication token to a vulnerable server. This provides them with the privileges of an authenticated user on the target system. No user interaction is required to exploit this flaw. It was patched during Microsoft’s June 2023 Patch Tuesday release.
  • CVE-2023-24955
    • Vulnerability Type: Remote Code Execution (RCE)
    • CVSSv3 Score: 7.2
    • Description: This vulnerability affects Microsoft SharePoint Server and allows an authenticated Site Owner to execute arbitrary code on an affected SharePoint Server. This RCE vulnerability was patched as part of the May 2023 Patch Tuesday release.

Both vulnerabilities are credited to Jang and were responsibly reported to Microsoft by ZDI in collaboration with the researcher.

We would like to extend our gratitude to Jang for responsibly disclosing these vulnerabilities and to the security community for their collaborative efforts in addressing these issues. Stay vigilant and proactive in maintaining the security of your SharePoint Server installations.

For further technical details and assistance, please refer to Jang’s blog post on the subject: Link to Jang’s Blog Post.

Additionally, YARA rules have been provided for detection, which can be found here.

🕯️ The Topic of the Week

https://mandomat.github.io/2023-09-21-localization-with-silent-SMS/

Introduction

The objective of this research is to demonstrate the potential security risks associated with the use of silent SMS messages in LTE networks. Silent SMS messages are designed to be received silently by a mobile device, without notifying the user. This proof of concept aims to highlight how an attacker could exploit this feature to track the physical location of LTE users.

Silent SMS and LTE Localization

Silent SMS messages, also known as silent or stealthy SMS, are a type of SMS message that does not trigger notifications or sounds on the recipient’s mobile device. These messages are typically used for administrative purposes, such as network testing and diagnostics. However, in this proof of concept, we explore the misuse of silent SMS for tracking purposes.

Tools and Setup

The following tools were used in this proof of concept:

  • OnePlus2 (Rooted) – This device serves as a modem exploited by the attacker to send silent SMS messages.
  • Victim Mobile Phone – Any phone with a valid SIM card can be used. An Android phone may be more convenient for utilizing apps like Network Signal Guru to retrieve crucial information about the eNodeB to which the victim’s phone is connected.
  • USRP B210 – Software-Defined Radio (SDR) used to intercept LTE traffic in the downlink.
  • LTESniffer – An open-source software used in conjunction with the USRP for intercepting LTE traffic.
  • At least two SIM cards – Required for the victim’s phone and the attacker’s modem.
  • Ubuntu 20.04 – The operating system used by the attacker.

Sending Silent SMS Messages

To send silent SMS messages, the attacker leveraged AT commands used for modem functionality management. The OnePlus2 device, with root privileges, was used as the Mobile Equipment (ME) for sending these messages. The following commands were used:

AT+CMGF=0 // Set PDU mode
AT+CMGS=19 // Send message, 19 octets (excluding the two initial zeros)
> 0011000C919333143244650000FF05F4F29C1E02 // Actual message (fake number)
^Z

The AT+CMGS command is used to send the message, with the message content following. The message is sent silently, meaning it is received by the victim’s phone but not stored or notified to the user.
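The session above hands the modem a raw SMS-SUBMIT PDU. The decoder below is an added example, not code from the research post: it parses that PDU layout (SMSC length, first octet, destination address, TP-PID, TP-DCS, validity period, user data) and reports the fields by which a Type 0 message is recognised on the receiving side, which is what handset-based silent-SMS detectors inspect. The GSM 7-bit alphabet table and the constructed Type 0 variant used as the detector's positive case are my additions.

```python
from typing import Dict, List

# GSM 03.38 default 7-bit alphabet, positions 0x00-0x7F (extension table not handled).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

PAGE_PDU = "0011000C919333143244650000FF05F4F29C1E02"        # the PDU from the session above
# Constructed variant: same message with TP-PID set to 0x40 (Short Message Type 0).
TYPE0_PDU = PAGE_PDU[:22] + "40" + PAGE_PDU[24:]


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack 7-bit septets packed little-endian into octets (TS 23.038)."""
    bits = nbits = 0
    out: List[str] = []
    for byte in data:
        bits |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(out)


def _semi_octets_to_digits(raw: bytes, ndigits: int) -> str:
    # Digits are stored nibble-swapped; an odd count is padded with 0xF, which the slice drops.
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:ndigits]


def decode_sms_submit(hex_pdu: str) -> Dict[str, object]:
    b = bytes.fromhex(hex_pdu.strip())
    pos = 0
    smsc_len = b[pos]
    pos += 1 + smsc_len                         # 00 = use the modem's stored SMSC
    first = b[pos]
    pos += 1
    if (first & 0x03) != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    vpf = (first >> 3) & 0x03                   # validity period format
    pos += 1                                    # TP-MR (message reference)
    da_len, toa = b[pos], b[pos + 1]
    pos += 2
    da_bytes = (da_len + 1) // 2
    dest = _semi_octets_to_digits(b[pos:pos + da_bytes], da_len)
    pos += da_bytes
    if (toa & 0x70) == 0x10:                    # type-of-address: international
        dest = "+" + dest
    pid, dcs = b[pos], b[pos + 1]
    pos += 2
    pos += {0: 0, 2: 1, 1: 7, 3: 7}[vpf]        # TP-VP length depends on VPF
    udl = b[pos]
    pos += 1
    ud = b[pos:]
    alphabet = (dcs >> 2) & 0x03 if (dcs & 0xC0) == 0 else 0
    if alphabet == 0:
        text = unpack_gsm7(ud, udl)
    elif alphabet == 2:
        text = ud[:udl].decode("utf-16-be", errors="replace")
    else:
        text = ud[:udl].hex()
    flags: List[str] = []
    if pid == 0x40:
        flags.append("TP-PID 0x40 (Short Message Type 0): handset acknowledges, discards, shows nothing")
    if (dcs & 0xF0) == 0xC0:
        flags.append("TP-DCS message-waiting 'discard' group: not stored, no indication")
    return {"destination": dest, "pid": pid, "dcs": dcs, "text": text,
            "silent": bool(flags), "silent_indicators": flags}


if __name__ == "__main__":
    for label, pdu in (("page", PAGE_PDU), ("type0", TYPE0_PDU)):
        print(label, decode_sms_submit(pdu))
```

Run on the PDU from the session, the decoder returns the international destination number, TP-PID 0x00, TP-DCS 0x00 (7-bit default alphabet) and the five-septet text; only the constructed variant with TP-PID 0x40 is flagged as a Type 0 message. The practical use is on the receiving side: an app that logs every delivered PDU's PID and DCS can count Type 0 messages over time, and a burst of them in a short window is the pattern-based signature the next section relies on.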

Finding the Victim’s Location

To determine the victim’s physical location, the attacker used a Software Defined Radio (SDR) device, specifically the USRP B210, to sniff downlink connections. By sending a series of silent SMS messages to the victim’s phone in a recognizable pattern, the attacker created a unique signature in the LTE traffic.

The attacker then used LTEsniffer to capture LTE downlink traffic from the base station covering the area of interest. Analyzing this traffic, the attacker looked for patterns matching the silent SMS signature. In this simplified proof of concept, the attacker had prior knowledge of the area being monitored.
