Search This Blog

Showing posts with label Payload. Show all posts

New Malware NetDooka Deployes Payload: Trend Micro Report

Experts found an advanced malware framework and it has named it as NetDooka because of a few components. The framework is deployed via a pay-per-install (PPI) service and includes various parts, which include a loader, a dropper, a full-featured remote access Trojan (RAT), and a protection driver that deploys its own network communication protocol. "Upon execution, the loader will deobfuscate strings, such as the command-and-control (C&C) server address, and check for the command-line arguments that were passed. The malware accepts multiple arguments that indicate what action should be taken," says TrendMicro report. 

NetDooka is distributed via the PrivateLoader malware which after installing, starts the exploitation chain. The report emphasizes the components and infection chain of the NetDooka framework. The scope varies from the issue of the first payload, which drops a loader that makes a new virtual desktop to deploy an antivirus software uninstaller and communicate with it by emulating the mouse and pointer position- an essential step to complete the uninstallation process and make an environment for executing other components- until the launch of the final RAT that is guarded by a kernel driver. 

The infection starts after a user unknowingly downloads PrivateLoader, generally via pirated software sites, after that, NetDooka malware gets installed, a dropper component that results in decrypting and implementing the loader component. The loader starts various checks to make sure that the malware isn't working in a virtual environment, following that it installs another malware through a remote server. It can also download a kernel driver that can be used later. 

The downloaded malware is another dropper component that a loader executes, it is responsible for decryption and execution of the final payload, a RAT has multiple features like executing a remote shell, getting browser data, capturing screenshots, and accessing system information. TrendMicro says "If no parameter is passed to the loader, it executes a function called “DetectAV()” that queries the registry to automatically identify the antivirus products available in order to uninstall them."

Microweber Creators Patched XSS Flaw in CMS Software

 

Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.