Category Archives: Advisories

Email-Worm.Win32.Pluto.b / Insecure Permissions

Read Time:20 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/60a7d5e2d446110d84ef65f6a37af0eb.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Email-Worm.Win32.Pluto.b
Vulnerability: Insecure Permissions
Description: The malware writes a dir and PE files with insecure
permissions to c drive granting change (C) permissions to the authenticated
user group. Standard users can rename the…

Read More

Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram)

Read Time:21 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/9ede6951ea527f96a785c5e32b5079e6.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Kilo.016
Vulnerability: Denial of Service (UDP Datagram)
Description: The malware listens on TCP ports 6712, 6713, 6714, 6715, 7722,
15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host
can send a large payload…

Read More

Backdoor.Win32.NinjaSpy.c / Authentication Bypass

Read Time:20 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/9f39606d9e19771af5acc6811ccf557f.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NinjaSpy.c
Vulnerability: Authentication Bypass
Description: The malware listens on TCP ports 2003, 2004 and drops a PE
file named “cmd.dll” under Windows dir. Connecting to port 2003, you will
get back a number…

Read More

Backdoor.Win32.NetSpy.10 / Unauthenticated Remote Command Execution

Read Time:20 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/45d413b46f1d14a45e8fd36921813d62.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NetSpy.10
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 7306. Attackers who can reach
infected hosts can run commands made available by the backdoor. Sending
commands using Ncat…

Read More

Backdoor.Win32.NetCat32.10 / Unauthenticated Remote Command Execution

Read Time:19 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/dcf16aed5ad4e0058a6cfcc7593dd9e3.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NetCat32.10
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 6666. Attackers who can reach
infected systems can run commands made available by the backdoor using
TELNET.
Family:…

Read More

HackTool.Win32.IpcScan.c / Local Stack Buffer Overflow

Read Time:19 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/8f44374d587eb1657d25da9628cb2b87.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: HackTool.Win32.IpcScan.c
Vulnerability: Local Stack Buffer Overflow
Description: Loading a specially crafted PE file will cause a stack buffer
overflow overwriting the ECX and EIP registers.
Family: IpcScan
Type: PE32
MD5:…

Read More

Backdoor.Win32.Psychward.03.a / Weak Hardcoded Password

Read Time:19 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/d069738f18957117367b8a79195a6a96.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Psychward.03.a
Vulnerability: Weak Hardcoded Password
Description: The malware listens in TCP port 69. The password “tyme” is
weak and stored in plaintext with the executable.
Family: Psychward
Type: PE32
MD5:…

Read More

Backdoor.Win32.Prorat.cwx / Insecure Permissions

Read Time:19 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/2d81bf2c55c81778533b55fb444d4dc6.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Prorat.cwx
Vulnerability: Insecure Permissions
Description: The malware writes a “.EXE” file with insecure permissions to
c drive granting change (C) permissions to the authenticated user group.
Standard users can rename…

Read More

Backdoor.Win32.MotivFTP.12 / Authentication Bypass

Read Time:19 Second

Posted by malvuln on Apr 14

Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/91b2d216c5d26d9db4289acf68fa1743.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.MotivFTP.12
Vulnerability: Authentication Bypass
Description: The malware listens on TCP port 21. Third-party attackers who
can reach infected systems can logon using any username/password
combination. Intruders may then upload…

Read More

Incomplete Fix for Apache Struts 2 Vulnerability (CVE-2021-31805) Amended

Read Time:2 Minute, 24 Second

FortiGuard Labs is aware that the Apache Software Foundation disclosed and released a fix for a potential remote code execution vulnerability (CVE-2021-31805 OGNL Injection vulnerability ) that affects Apache Struts 2 on April 12th, 2022. Apache has acknowledged in an advisory that the fix was issued because the first patch released in 2020 did not fully remediate the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory on April 12th, 2022, warning users and administrators to review the security advisory “S2-062” issued by Apache and upgrade to the latest released version as soon as possible. Why is this Significant?This is significant because Apache Struts is widely used and successfully exploiting CVE-2021-31805 could result in an attacker gaining control of a vulnerable system. Because of the potential impact, CISA released an advisory urging users and administrators to review the security advisory “S2-062” issued by Apache and upgrade to the latest released version as soon as possible.On the side note, an older Struts 2 OGNL Injection vulnerability (CVE-2017-5638) was exploited in the wild that resulted in a massive data breach of credit reporting agency Equifax in 2017.What is Apache Struts 2?Apache Struts 2 is an open-source web application framework for developing Java web applications that extends the Java Servlet API to assist, encourage, and promote developers to adopt a model-view-controller (MVC) architecture.What is CVE-2021-31805?CVE-2021-31805 is an OGNL injection vulnerability in Struts 2 that enables an attacker to perform remote code execution on a vulnerable system. The vulnerability was originally assigned CVE-2020-17530, however CVE-2021-31805 was newly assigned to the vulnerability as some security researchers found a workaround for the original patch released in 2020.The vulnerability is described as “some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”What Versions of Apache Struts are Vulnerable to CVE-2021-31805?Struts 2.0.0 – Struts 2.5.29 are vulnerable.Struts 2.0.0 and 2.5.29 were released in 2006 and 2022 respectively. Has the Vendor Released a Patch for CVE-2021-31805?Yes, Apache released a fixed version (2.5.30) of Apache Struts 2 on April 12th, 2022.Users and administrators are advised to upgrade to Struts 2.5.30 or greater as soon as possible.Has the Vendor Released an Advisory?Yes, Apache released an advisory on April 12th, 2022. See the Appendix for a link to “Security Bulletin: S2-062”.What is the Status of Coverage?FortiGuard Labs provides the following IPS coverage for CVE-2020-17530, which applies for CVE-2021-31805:Apache.Struts.OGNL.BeanMap.Remote.Code.Execution

Read More