Cloud Atlas seen using a new tool in its attacks

Introduction Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We're shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formul...

CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise

The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise. "As a vector of primary compromise, for the most part, emails and messages in messengers Telegram, WhatsApp, Signal are used, in most cases, using...

YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials...

Real Player v.20.0.8.310 G2 Control - DoGoToURL() Remote Code Execution Exploit

Exploit Title: Real Player v.20.0.8.310 G2 Control - 'DoGoToURL' Remote Code Execution RCE Exploit Author: Eduardo Braun Prado Vendor Homepage: http://real.com/ Software Link: http://real.com/ Version: v.20.0.8.310 Tested on: Windows 7, 8.1, 10 CVE : N/A Full PoC:...

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)

Exploit Title: Real Player v.20.0.8.310 G2 Control - 'DoGoToURL' Remote Code Execution RCE Google Dork: n/a Date: May 31, 2022 Exploit Author: Eduardo Braun Prado Vendor Homepage: http://real.com/ Software Link: http://real.com/ Version: v.20.0.8.310 Tested on: Windows 7, 8.1, 10 CVE : N/A Full...

Lazarus APT Hackers are now using BMP images to hide RAT malware

A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap .BMP image file to drop a remote access trojan RAT capable of stealing sensitive information. Attributing the attack to the Lazarus Group...

CVE-2020-7841

Improper input validation vulnerability exists in TOBESOFT XPLATFORM which could cause arbitrary .hta file execution when the command string is begun with http://, https://, mailto://...

Microsoft Windows mshta.exe 2019 - XML External Entity Injection

Exploit Title: Microsoft Windows mshta.exe 2019 - XML External Entity Injection Date: 2020-07-07 Exploit Author: hyp3rlinx Vendor homepage: https://www.microsofft.com/ CVE: N/A + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source:...

Microsoft Windows MSHTA.EXE .HTA File XML Injection Vulnerability

Microsoft Windows MSHTA.EXE .HTA File XML Injection Vulnerability Vendor www.microsoft.com Product Windows MSHTA.EXE .HTA File An HTML Application HTA is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explore...

Microsoft Windows MSHTA.EXE .HTA File XML Injection

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MSHTA-HTA-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt + twitter.com/hyp3rlinx + ISR: ApparitionSec Vendor www.microsoft.com Product Windows MSHTA.EXE .HTA File An...

CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware

Editor's Note: The TAU-TIN related to this write up can be located here. GermanWiper Ransomware was found distributed via spam email campaign in Germany. It’s a data-wiping malware and the ransom note was written in German language. The malware pretends to be ransomware but is actually a wiper th...

Olympic Destroyer Wiper Changes Up Infection Routine

Olympic Destroyer, the wiper malware that briefly disrupted the Winter Olympic Games in South Korea earlier this year, appears to be back with a new first-stage dropper variant. It contains a few significant changes that indicate an evolution for the APT group behind it, according to researchers...

Word-based Malware Attack Doesn’t Use Macros

Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free. The attacks do not...

CVE-2017-0199: Microsoft Office RTF vulnerability using the PoC-vulnerability warning-the black bar safety net

0x01 description From FireFye detect and publish CVE-2017-0199 since, I have been researching this vulnerability in Microsoft officially released the patch, I decided to release this PoC. I use way possible with other researchers using different methods, the use of the method may be little bit...

Microsoft Office / WordPad Remote Code Execution Vulnerability

Exploit for windows platform in category remote exploits CVE-2017-0199 Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API =================================================== Vulnerability description =================================================== A remote code executi...

Spread banking Trojan the Office 0day Vulnerability(CVE-2017-0199)technical analysis-vulnerability warning-the black bar safety net

Vulnerability overview Microsoft in 4 months of routine patch of 4 on 12, the A Office remote command execution vulnerability, CVE-2017-0199 for the repair, but in fact in the patch before the release there has been more use of this vulnerability in the wild is found, which contains the...

CVE-2017-0199: analysis Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net

FireEye recently detected using CVE-2017-0199 security vulnerabilities malicious Microsoft Office RTF document, be aware of CVE-2017-0199, but had not been disclosed vulnerability. When the user opens that contains the exploit Code of the document, the malicious code will download and execute the...

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing ...

The Word exposed 0day vulnerabilities: no need to enable the macros, open the document it automatically install a malicious program-vulnerability warning-the black bar safety net

! In fact, the use of Word macros as the distribution of malicious programs is the way today's conventional via, so many people choose to disable macros, but if you say disable the macros are useless, such a malicious Word document danger is quite different. Recently, McAfee and FireEye security...

OpenText FirstClass Client 11.005 - Code Execution

OpenText FirstClass Client 11.005 - Code Execution Exploit Title: OpenText FirstClass Client Delayed Code Executiion Date: Discovered 11/16/2010, Contacted OpenText 2/1/11 and 2/7/11, Released 4/11/2011 Author: Kyle Ossinger www.k0ss.net Email: [email protected] Software Link:...