
3059 matches found

CVE
added 2024/05/23 1:56 a.m., 217 views

CVE-2024-4978

CVE-2024-4978 affects Justice AV Solutions (JAVS) Viewer v8.3.7 installed via the 8.3.7.250-1 bundle. The advisory documents a malicious binary (fffmpeg.exe) embedded in the installer and signed with an unexpected Vanguard Tech Limited Authenticode certificate. When executed, the binary can estab...

CVSS 8.7, AI score 8.3, EPSS 0.12815
In wild; Exploits: 1; References: 4; Affected software: 1
Vulnrichment
added 2024/05/23 1:56 a.m., 12 views

CVE-2024-4978 Malicious Code in Justice AV Solutions (JAVS) Viewer

Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary that is signed with an unexpected Authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands...

CVSS 8.7, AI score 7, EPSS 0.12815
Exploits: 1; References: 3
CNNVD
added 2024/05/23 12:00 a.m., 1 view

Justice AV Solutions Viewer security vulnerability

Justice AV Solutions Viewer is an audio/video viewing and management tool from Justice AV Solutions designed for the justice system. A security vulnerability exists in Justice AV Solutions Viewer version 8.3.7.250-1, which originates from the use of an unexpected Authenticode signature for...

CVSS 8.7, AI score 7.2, EPSS 0.12815
Exploits: 1; References: 2
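The check a practitioner wants for the three JAVS entries above is not "is the installer signed?" but "is it signed by the publisher I expect?", because the advisory's point is that fffmpeg.exe carried a signature from a different organisation (Vanguard Tech Limited) and would still show as Valid. This is an added PowerShell example, not code from the advisory or from Justice AV Solutions; the extraction path and the expected-publisher subject pattern are assumptions.

```powershell
# Added example (not the advisory's or vendor's code): walk an extracted installer
# bundle and flag every PE/MSI whose Authenticode signer is not on an allowlist,
# or whose signature is anything other than Valid. Both parameters are assumed.
param(
    [string]$Root = 'C:\Temp\JAVS-Viewer-8.3.7.250-1',            # assumed extraction path
    [string[]]$ExpectedSigners = @('CN=Justice AV Solutions*')     # assumed publisher DN pattern
)

$results = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

        # A valid signature from the wrong publisher is exactly the CVE-2024-4978 pattern,
        # so the allowlist match is the decisive test, not SignatureStatus alone.
        $trustedSigner = $false
        foreach ($pattern in $ExpectedSigners) {
            if ($subject -like $pattern) { $trustedSigner = $true; break }
        }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer     = $subject
            Thumbprint = $thumb
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Suspicious = (-not $trustedSigner) -or ($sig.Status -ne 'Valid')
        }
    }

# Anything listed here deserves a hash lookup against the vendor's published checksums.
$results | Where-Object Suspicious | Format-Table File, Status, Signer, SHA256 -AutoSize
```

Run it against the unpacked bundle before installation, or against an installed Viewer directory during incident triage; the SHA256 column is what you compare against vendor-published hashes and threat-intel feeds. The subject pattern must be tightened to the exact DN the vendor actually uses, otherwise a look-alike organisation name would pass the allowlist.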
The Hacker News
added 2024/05/22 8:57 a.m., 42 views

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver (BYOVD) attack. Elastic Security Labs is tracking the campaign under the name...

CVSS 10, AI score 7.2, EPSS 0.94358
Exploits: 341
The Hacker News
added 2024/05/21 2:19 p.m., 13 views

Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users

A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involve command-and-control-like activities by using Google...

AI score 6.7
Exploits: 0
Kitploit
added 2024/05/17 12:30 p.m., 20 views

ShellSweep - PowerShell/Python/Lua Tool Designed To Detect Potential Webshell Files In A Specified Directory

ShellSweep: ShellSweeping the evil. Why ShellSweep? "ShellSweep" is a PowerShell/Python/Lua tool designed to detect potential webshell files in a specified directory. ShellSweep and its suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High...

AI score 6.6
Exploits: 0; References: 1
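An added PowerShell example (not ShellSweep's own code) of the entropy heuristic the entry describes: Shannon entropy per file over a web root, files above a threshold listed first. The temp directory, file names, extension list and the 5.5-bit threshold are assumptions for illustration; the two input files are constructed inline so the script runs offline.

```powershell
# Added example, not ShellSweep's code: score files by Shannon entropy (bits/byte)
# and surface the ones that look packed or base64-heavy, the way a webshell often does.

function Get-ShannonEntropy {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $len = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $len
            $entropy -= $p * [math]::Log($p, 2)   # H = -sum p*log2(p), max 8 bits/byte
        }
    }
    return $entropy
}

function Find-HighEntropyScripts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Extensions = @('*.php', '*.aspx', '*.asp', '*.jsp', '*.ashx'),  # assumed
        [double]$Threshold = 5.5   # assumed; hand-written source usually sits around 4.5-5.2
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Extensions |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            [pscustomobject]@{
                File    = $_.FullName
                Bytes   = $bytes.Length
                Entropy = [math]::Round((Get-ShannonEntropy -Bytes $bytes), 3)
            }
        } |
        Where-Object { $_.Entropy -ge $Threshold } |
        Sort-Object Entropy -Descending
}

# Constructed inputs: one plain page and one eval(base64_decode(...)) wrapper around
# random bytes, written to a temp directory that stands in for a web root.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'shellsweep-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Set-Content -Path (Join-Path $tmp 'index.php') -Value '<?php echo "hello, world"; ?>'
[byte[]]$rand = 1..600 | ForEach-Object { [byte](Get-Random -Maximum 256) }
$packed = [Convert]::ToBase64String($rand)
Set-Content -Path (Join-Path $tmp 'cache.php') -Value "<?php eval(base64_decode('$packed')); ?>"

# Only cache.php should clear the threshold: base64 text caps at 6 bits/byte
# (64 symbols), while the short plain page stays well under 5.
Find-HighEntropyScripts -Path $tmp -Threshold 5.5 | Format-Table -AutoSize
```

Entropy on its own is a ranking signal, not a verdict: minified JavaScript, embedded base64 assets and compressed uploads score just as high, so in practice the list is filtered against a hash allowlist of the deployed release and sorted by modification time before anyone opens a file.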
GithubExploit
added 2024/05/15 5:42 p.m., 625 views

Exploit for Untrusted Pointer Dereference in Microsoft

CVE-2023-21768 - Dotnet Dotnet / c port of AFD-for-WinSock-E...

CVSS 7.8, AI score 7.8, EPSS 0.74422
Exploits: 11
Kitploit
added 2024/04/30 12:30 p.m., 55 views

ThievingFox - Remotely Retrieving Credentials From Password Managers And Windows Utilities

ThievingFox is a collection of post-exploitation tools to gather credentials from various password managers and Windows utilities. Each module leverages a specific method of injecting into the target process, and then hooks internal functions to gather credentials. The accompanying blog post ca...

AI score 8.2
Exploits: 0; References: 1
The Hacker News
added 2024/04/24 4:50 a.m., 37 views

CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

A new ongoing malware campaign has been observed distributing three different stealers, namely CryptBot, LummaC2, and Rhadamanthys, hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor...

AI score 7.3
Exploits: 0
Packet Storm
added 2024/04/23 12:00 a.m., 301 views

GitLens Git Local Configuration Execution

This module requires Metasploit: https://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. Module name: 'GitLens Git Local Configuration Exec'. Description: GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git commands...

CVSS 7.8, AI score 7.8, EPSS 0.032
Exploits: 4
Citrix
added 2024/04/17 12:00 a.m., 5 views

Citrix cloud - Failed to create AD accounts for an MCS Catalog with PowerShell SDK.

You may be unable to create a computer AD account with the PowerShell SDK using a service account. It fails with the error: Command: $adAccounts.FailedAccounts Impersonate user logon failed, Win32 Error Code: 1385 (ERROR_LOGON_TYPE_NOT_GRANTED, i.e. the service account has not been granted the requested logon type on that computer) Error Reason: InvalidParamtersForADOperation...

AI score 7.1
Exploits: 0
The Hacker News
added 2024/04/11 11:32 a.m., 33 views

TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer

A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple...

AI score 7.2
Exploits: 0
Rapid7 Blog
added 2024/04/10 1:00 p.m., 33 views

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader

Rapid7's Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections. In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed t...

AI score 7.1
Exploits: 0
Malwarebytes
added 2024/03/28 7:09 p.m., 13 views

Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR

In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became eviden...

AI score 8
Exploits: 0
Trend Micro Simply Security
added 2024/03/26 12:00 a.m., 35 views

Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script

This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMware vCenter and ESXi servers...

AI score 7.3
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/21 6:54 a.m., 18 views

The Evolution of DEEP#GOSU Attack Campaign by Kimsuky Group

Summary: A sophisticated multi-stage attack campaign linked to the North Korean Kimsuky group, dubbed DEEP#GOSU. Using PowerShell and VBScript, the attackers leverage remote access trojan (RAT) software for full control over infected hosts, while employing legitimate services like Dropbox for comman...

AI score 7.4
Exploits: 0
Rapid7 Blog
added 2024/03/20 10:00 p.m., 34 views

The Updated APT Playbook: Tales from the Kimsuky threat actor group

Co-authors are Christiaan Beek and Raj Samani. Within Rapid7 Labs we continually track and monitor threat groups. This is one of our key areas of focus as we work to ensure that our ability to protect customers remains constant. As part of this process, we routinely identify evolving tactics from...

AI score 7.8
Exploits: 0
The Hacker News
added 2024/03/18 5:56 p.m., 48 views

New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group...

AI score 8
Exploits: 0
The Hacker News
added 2024/03/18 12:35 p.m., 40 views

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft. "It uses an unorthodox HTML smuggling technique where the malicious payload is...

AI score 7.4
Exploits: 0
Citrix
added 2024/03/14 12:00 a.m., 5 views

PowerShell logging feature is available in Web Studio

This article describes the new feature "PowerShell logging" in Citrix DaaS Web Studio...

AI score 7.1
Exploits: 0